Originally published January 2010. Updated June 2026.
In September 2023, MGM Resorts went dark. Slot machines froze. Hotel room keys stopped working. Guests in Las Vegas were checked in with pen and paper. The attack cost MGM more than $100 million in lost revenue and recovery. Caesars Entertainment, hit in the same window, paid a reported $15 million ransom.
The attackers were not a nation-state. They were not professionals. They were teenagers.
Scattered Spider
The group calls itself Scattered Spider — also tracked as UNC3944, Octo Tempest, and 0ktapus by incident-response firms. Loose, English-speaking, mostly American and British, mostly under 25. The MGM breach took a ten-minute phone call to an IT help desk. Social engineering, not zero-days. The Department of Justice has tied Scattered Spider to extortion attacks on 47 U.S. organizations between May 2022 and September 2025, with victims paying at least $115 million in ransoms.
By 2025 the arrests started rolling. Noah Michael Urban, 20, of Florida — handle Sosa — sentenced to 10 years and $13 million in restitution. Tyler Robert Buchanan, the Scottish 23-year-old, pleaded guilty in California to SMS phishing attacks tied to at least $8 million in crypto. Thalha Jubair, 19, and Owen Flowers, 18, arrested in the UK and indicted in the U.S. A 17-year-old surrendered to Las Vegas police in September 2025 for the MGM and Caesars attacks. Jubair was found with more than $50 million in crypto, including funds traced to the casino breaches.
The Social Media Layer
Scattered Spider did not hide. Members ran Telegram channels, posted on Discord, gave anonymous interviews to reporters. They built leaderboards ranking the most successful criminals in their orbit. Urban and Buchanan held ranked positions inside a community called The Com — the broader collective Scattered Spider grew out of. The Star Chat Telegram channel, where attribution and bragging happened in real time, was not shut down by Telegram until March 2025. In September 2025 a faction calling itself Scattered LAPSUS$ Hunters posted a retirement note to BreachForums.
This is the structural shift. A previous generation of organized crime hid. Today's cybercriminals perform. They cultivate handles, post screenshots, taunt journalists, and build reputations the same way creators build followings. The audience is partly other criminals — Telegram channels are recruitment and credentialing tools — and partly the press, which now treats anonymous attacker statements as quotable sources within hours of a breach.
Why This Matters for Communications
Two implications for every CISO, CMO, and crisis communications team operating today.
First, the attribution cycle has collapsed. The attacker controls the narrative window. Within hours of the 2023 MGM intrusion, Scattered Spider members were telling reporters how they got in. Companies that wait for forensics to issue a measured statement lose the framing battle to a Telegram post. Crisis response now has to assume the attacker is also a publisher.
Second, AI engines are reading the same feeds. When ChatGPT, Claude, Gemini, Perplexity, or Google AI Overviews answer the question "who attacked MGM?", the cited sources are KrebsOnSecurity, BleepingComputer, CyberScoop, Mandiant blogs, and the attackers' own statements as reported in the press. Brand-side crisis comms that never reach those venues never reach the answer. Citation Share is not a marketing metric in cybersecurity — it is the post-breach record.
The Bigger Picture
Scattered Spider is not unique. LAPSUS$ before it, BlackCat/ALPHV around it, and a steady churn of teenage extortion crews after it have all run the same play: social engineer the help desk, exfiltrate the data, post the proof, name the price. The crews dissolve and re-form under new handles. Charles Carmakal of Mandiant has called the group one of the most prevalent and aggressive threat actors operating against U.S. organizations.
The pattern is the structural shift. Cybercrime is no longer underground. It is a media product with a paying audience — partly journalists, partly investors who short the victim's stock, partly the next generation of recruits. Communications strategy has to be built for that reality, not the one before it.
The Communications Read
For any organization with consumer data, payroll systems, or third-party IT vendors, the planning assumption is no longer if. It is when, by whom, and how fast the attacker reaches the press. The companies that recover well in 2026 share three things: a pre-built crisis communications protocol that activates inside hours, not days; relationships with the security trade press built before the incident; and an AI Visibility posture that ensures the brand-side account of the breach is cited inside the engines where buyers, regulators, and Wall Street will research it.
The bots are reading the same Telegram channels you are. Be the answer.
Written by
EPR Editorial Team