Investigation 001 / English-speaking cybercrime

I went looking for Scattered Spider. I found an ecosystem.

A field guide to the names, crews, and blurred boundaries surrounding Scattered Spider, ShinyHunters, LAPSUS$, and the online criminal ecosystem known as The Com.

Dozens of browser tabs.One question.A much bigger story.

Reading time~28 minutes
Current through12 July 2026
Begin the investigation

A consolidated map, not a claim to new findings.

I recently graduated and now work at EY as an Incident Responder. The analysis here is personal, based on public reporting, and does not represent EY.

I have separated what the sources establish from what I assess. Threat actor names are unstable, criminal branding is unreliable, and shared tradecraft is not proof of shared operators. Those limitations are part of the story rather than small print at the end.

One thing I want to be clear about: this article does not present new attribution or claim new discoveries. My goal was to consolidate a large body of public reporting into something easier to follow. If you have ever found yourself opening tab after tab trying to understand how these names relate, this is the guide I wish I had.

Act 01 / The first thread

I only wanted to understand one group.

The investigation did not begin with The Com. It began with a browser tab and a much smaller question.

I didn’t start this research intending to write about The Com. I simply wanted to understand who Scattered Spider was after reading Group-IB’s report. But every answer seemed to introduce another name: LAPSUS$, ShinyHunters, UNC3944, Octo Tempest, UNC6040, UNC6240. Before long, I had dozens of tabs open across FBI advisories, DOJ indictments, Mandiant reports, Microsoft Threat Intelligence, and vendor blogs.

Somewhere around what felt like my twentieth browser tab, I realized I wasn’t actually researching Scattered Spider anymore. I was trying to understand an entire ecosystem. That’s when I decided to write this article. Not because I had all the answers, but because I wanted one place that connected the pieces in a way that made sense, both for myself and for anyone else following the same trail.

The first tab in that trail was Group-IB’s Connecting Scattered Spider: Defining a Cybercrime Collective Through Shared TTPs, published on 7 July 2026. Their work sparked this investigation and everything that follows. It clarified the relationship between 0ktapus and the collection of activity the industry calls Scattered Spider, while showing how difficult it is to draw a clean boundary around a collective assembled from shared behaviour. 1

At first, I assumed the growing list was simply a naming problem. Every intelligence company has its own taxonomy, after all. But the more reports I opened, the less the confusion looked like a vocabulary issue. The labels were pointing to different things: some to intrusion clusters, some to self-selected brands, some to temporary alliances, and one to the environment from which many of them emerged. The useful material was scattered (no pun intended) across years of reporting. I kept rebuilding the same map just to follow the next source. This article is my attempt to keep that map in one place.

Dozens of tabs. One question.

What started as a simple search about Scattered Spider turned into a much wider trail through reports, advisories, indictments, interviews, and threat research from across the industry. At one point, my browser looked like this.

22
Sources cited
1
Starting question
Rabbit holes
Google
Who is Scattered Spider?

Investigation timeline

How one question became an ecosystem map

  1. 01
    Read Group-IB’s Scattered Spider report.

    The original question was simple: who was this group?

  2. 02
    Opened Microsoft and Mandiant.

    UNC3944, Octo Tempest, Muddled Libra, and 0ktapus entered the notes.

  3. 03
    Followed the adjacent names.

    ShinyHunters, LAPSUS$, UNC6040, UNC6240, DEV-0537, and Strawberry Tempest made the map larger.

  4. 04
    Found repeated references to The Com.

    The problem stopped looking like aliases and started looking like an ecosystem.

  5. 05
    Started consolidating the public record.

    The article became the guide I wanted while trying to follow the same trail.

Act 02 / Three actors, considered separately

Three names. Three histories. No shortcuts.

Similarity is not identity. I treated each actor as its own case before looking for a common context.

At this point, I thought I was finally getting somewhere. Surely if I understood Scattered Spider, the rest of the aliases would start making sense. Instead, I found myself opening even more tabs.

Actor profile 01

Scattered Spider

Cluster well established

Working definition

A financially motivated, predominantly English-speaking intrusion cluster known for social engineering, identity compromise, data theft, extortion, and ransomware deployment in some operations.

Active
Since at least May 2022
Primary edge
Human trust and identity workflows
Vendor labels
UNC3944, Octo Tempest, Muddled Libra
Earlier activity
0ktapus / Scatter Swine overlap

Scattered Spider became globally visible through high-impact intrusions, but its distinguishing feature is not a malware family. It is the ability to make a compromised identity look like a normal employee. Microsoft describes Octo Tempest as a native-English-speaking, financially motivated collective that uses adversary-in-the-middle phishing, social engineering, and SIM swapping. Mandiant’s UNC3944 reporting describes the same evolution from credential theft and SIM-swapping support toward ransomware and data-theft extortion. 56

The technique is often disarmingly direct: research an employee, call the help desk, persuade support staff to reset a password or enrol a new MFA method, then operate through valid accounts. In later campaigns, the cluster moved through SaaS applications and virtualization infrastructure using legitimate administrative tooling. These are precisely the places where endpoint-centric visibility weakens. 7

VishingSmishingSIM swappingMFA resetValid accountsCloud / SaaS abuseData extortion

Once UNC3944, Octo Tempest, and Muddled Libra lined up, I briefly thought I had solved the naming problem. Then I reached ShinyHunters, where the name itself seemed to move between actors, operations, and extortion branding.

Actor profile 02

ShinyHunters

Brand boundary is fluid

Working definition

A long-running data-theft and extortion brand. Recent reporting treats “ShinyHunters” less as one immutable crew and more as a name used across several related or cooperating activity clusters.

Public emergence
2020
Historic model
Database theft and sale
Recent model
SaaS data theft and extortion
Mandiant split
UNC6040 intrusion / UNC6240 extortion

ShinyHunters first built its reputation through stolen databases and breach-forum visibility. Unit 42 tracks the historical actor as Bling Libra and describes a shift from selling stolen data toward directly extorting victims and targeting cloud environments. The name has therefore functioned as both an actor label and a market-facing brand. 11

The 2025 Salesforce campaign shows why that distinction matters. Google tracked voice-phishing and data theft as UNC6040, but the later extortion activity as UNC6240; the latter repeatedly claimed the ShinyHunters name. By 2026, GTIG was tracking additional clusters around ShinyHunters-branded SaaS theft to preserve the possibility of changing partnerships or impersonation. A shared brand is evidence. It is not, by itself, proof of one operator set. 1012

Credential accessCloud data theftSalesforce abuseBulk exfiltrationLeak-site pressureExtortion

By the time I reached LAPSUS$, I had learned not to treat familiar techniques as proof of a shared group. The resemblance was real. The boundary was real too.

Actor profile 03

LAPSUS$

Distinct group / aliases established

Working definition

A high-velocity extortion group known for social engineering, insider recruitment, data theft, public spectacle, and destructive actions without depending on ransomware encryption.

Active
Since at least mid-2021
Microsoft
Previously DEV-0537; now Strawberry Tempest
MITRE ATT&CK
G1004
Monetization
Pure extortion and destruction

LAPSUS$ behaved differently from the quiet, access-preserving model associated with many established intrusion groups. It announced breaches, recruited insiders openly, entered incident-response communications, and used stolen access for data theft and disruption. Microsoft’s 2022 profile called out phone-based social engineering, SIM swapping, MFA fatigue, and attempts to convince help desks to reset privileged credentials. 8

Here the alias mapping is comparatively clean: Microsoft’s DEV-0537 became Strawberry Tempest after the company’s taxonomy change, while MITRE records both as associated names for LAPSUS$. That does not make LAPSUS$ another name for Scattered Spider. It makes it a separate group with an uncomfortably familiar set of methods. 9

Insider recruitmentSIM swappingMFA fatigueHelp-desk abuseCloud privilegePublic extortion

Act 03 / The name behind the names

Then one term changed the shape of the investigation.

I had been looking for an organization chart. The evidence was describing a social environment.

THE COM

The name had been sitting in side references and background paragraphs for several tabs. When I finally stopped treating it as another threat actor and read it as a description of the surrounding community, the rest of the notes began to fit.

The FBI defines The Com, short for The Community, as a primarily English-speaking, international online ecosystem made up of multiple interconnected networks, many of whose members are minors. That definition did more than introduce another actor. It supplied the missing level of abstraction. 2

That public understanding owes a great deal to Allison Nixon, chief research officer at Unit 221B. She began tracking members of these communities more than a decade ago, when their age led many people to dismiss them. MIT Technology Review reported that FBI special agent Ryan Brogan credited her with helping identify and arrest more than 20 community members since 2011. Her public explanation of The Com as an English-speaking youth subculture, with Scattered Spider as one offshoot, also helped establish the ecosystem framing I use here. This is another part of the public record I am consolidating, not a framing I developed myself. 202122

The term also has deeper roots than the recent reporting cycle. In May 2019, the US Department of Justice charged members of a SIM-hijacking group “known to its members as The Community.” This is the earliest clear public official anchor I found. It suggests the underlying name came from inside the community before researchers and law enforcement popularised the shorter “Com.” 3

Suddenly, the alias problem looked different. The Com was not one more box beside Scattered Spider, LAPSUS$, and ShinyHunters. It was the space around the boxes: the channels, forums, friendships, rivalries, services, reputation, and recruitment pools that allow crews to form, split, borrow names, and recombine.

Relationship map 01

Ecosystem, clusters, brands, and vendor labels

Not an organisation chart
flowchart TD
  COM["THE COM
ecosystem / subculture"] HC["Hacker Com
cybercriminal subset"] IRL["IRL Com
physical-world harm"] EXT["Extortion Com
coercion / abuse"] SS["Scattered Spider
operational cluster"] LAP["LAPSUS$
group / brand"] SH["ShinyHunters
actor / brand"] U3944["UNC3944"] OCTO["Octo Tempest"] MUD["Muddled Libra"] DEV["DEV-0537"] STRAW["Strawberry Tempest"] U6040["UNC6040
intrusion"] U6240["UNC6240
extortion"] SLSH["Scattered LAPSUS$ Hunters
three-brand alliance"] COM --> HC COM --> IRL COM --> EXT HC --> SS HC -. "cultural / personnel overlap" .-> LAP HC -. "cultural / brand overlap" .-> SH SS === U3944 SS === OCTO SS === MUD LAP === DEV LAP === STRAW U6040 -->|"intrusion precedes"| U6240 U6240 -->|"claims brand"| SH SS -. "branding" .-> SLSH LAP -. "branding" .-> SLSH SH -. "branding" .-> SLSH classDef ecosystem fill:#111111,stroke:#111111,color:#ffffff; classDef cluster fill:#ffffff,stroke:#777777,color:#111111; classDef alias fill:#f5f5f5,stroke:#aaaaaa,color:#333333; classDef brand fill:#ffffff,stroke:#111111,color:#111111; class COM ecosystem; class HC,IRL,EXT,SS cluster; class U3944,OCTO,MUD,DEV,STRAW,U6040,U6240 alias; class LAP,SH,SLSH brand;
Solid heavy links indicate established alias relationships; dotted links indicate overlap or branding that should not be read as actor equivalence.
Confirmed

Alias equivalence

Scattered Spider aligns with UNC3944, Octo Tempest, and Muddled Libra in current public reporting. LAPSUS$ aligns with DEV-0537 and Strawberry Tempest.

Likely

Ecosystem membership

Scattered Spider is best understood as a Hacker Com cluster. LAPSUS$ and ShinyHunters have strong cultural, tradecraft, and later branding overlap with the wider ecosystem.

Suspected

Operator overlap

Public reporting suggests that individuals, services, or access brokers move across these boundaries, but the available evidence is incomplete and does not support treating all historical activity as one operator set.

Unknown

Stable membership

No reliable public roster exists. Handles change, claims can be false, and a familiar brand may be borrowed by a different crew.

Act 04 / Inside The Com

An ecosystem held together by access, attention, and belonging.

There is no headquarters to map. The structure is social, modular, and constantly renegotiated.

Calling The Com an ecosystem is not evasive language. It is a more accurate description of how it behaves. Members collaborate, recruit, splinter, and regroup. Technical specialisation can be borrowed. A person with social-engineering skill can work with someone who has access, infrastructure, stolen data, or an extortion channel. The unit of analysis changes from “the gang” to the relationship.

The population is disproportionately young. Law-enforcement reporting repeatedly describes minors and young adults, while research on youth pathways into cybercrime identifies gaming communities, peer recognition, and online social networks as common routes into offending. That does not make the activity amateur. It helps explain why fluency in English, workplace culture, social platforms, and status games can matter as much as exploit development. 217

01

Hacker Com

Access becomes currency.

SIM swapping, credential theft, phishing, malware, ransomware affiliation, account takeover, data theft, and the sale of access. This is the subset most relevant to the actor clusters in this report.

02

IRL Com

Online conflict crosses the screen.

Doxxing, threats, stalking, swatting, burglary, arson, assault, and other forms of real-world coercion or violence-for-hire documented by law enforcement.

03

Extortion Com

Control is the product.

Coercive abuse, sextortion, psychological manipulation, and violent online harm, often directed at minors. Terminology varies; the boundaries with IRL Com are porous.

Once I stopped trying to force the ecosystem into an organisation chart, the apparent contradictions became easier to understand. People could share channels, services, skills, or reputation without belonging to one permanent crew. A name could describe a stable group, a temporary alliance, or simply the banner used for one extortion campaign.

It also changed how I understood recruitment. The reporting did not describe a formal application process. It described social movement: meeting people, learning techniques, trading access, building a reputation, and finding collaborators with complementary skills. The path is uneven, and many people in gaming or online communities never move toward crime at all.

That distinction matters for the next diagram. It is a possible path through the ecosystem, not a pipeline and not a claim that any platform or community causes offending.

Ecosystem map 02

How people can move deeper into the ecosystem

One possible path, not a fixed progression
flowchart LR
  A["Gaming, social and
messaging platforms"] --> B["Peer groups
and belonging"] B --> C["Handle trading,
fraud and SIM swaps"] C --> D["Reputation through
access and results"] D --> E["Specialist crews
and temporary alliances"] E --> F["Enterprise intrusion,
data theft and extortion"] F -. "money / visibility" .-> D D -. "recruitment" .-> B classDef start fill:#ffffff,stroke:#999999,color:#111111; classDef middle fill:#f5f5f5,stroke:#777777,color:#111111; classDef terminal fill:#111111,stroke:#111111,color:#ffffff; class A,B start; class C,D,E middle; class F terminal;
This shows one possible path described in public reporting. It does not suggest that gaming or online communities cause criminal behaviour.

Incident chronology

From SIM hijacking to identity-scale extortion

The dates show an evolution of opportunity, not a single group’s uninterrupted campaign.

  1. “The Community” enters a public court record.

    DOJ charges describe a SIM-hijacking group using the name internally to steal cryptocurrency.

    Confirmed
  2. ShinyHunters emerges as a breach-and-sale identity.

    Stolen databases and forum reputation establish the name before its later shift toward direct extortion.

    High
  3. LAPSUS$ turns social engineering into spectacle.

    Data theft, insider solicitation, MFA abuse, and public extortion demonstrate the power of identity-first intrusion.

    Confirmed
  4. 0ktapus harvests 9,931 credentials.

    Group-IB identifies 136 affected organisations and 5,441 captured MFA codes across a campaign aimed at Okta identities.

    Confirmed
  5. Scattered Spider moves into ransomware and extortion.

    High-impact hospitality intrusions make help-desk vishing and hybrid identity compromise board-level concerns.

    High
  6. The focus moves deeper into SaaS and cloud administration.

    UNC3944 reporting documents data theft, SaaS permission abuse, cloud storage, and virtualization persistence.

    Confirmed
  7. Salesforce vishing separates intrusion from extortion.

    GTIG tracks UNC6040 for access and theft, and UNC6240 for later ShinyHunters-branded extortion.

    Confirmed
  8. A three-brand alliance makes attribution harder.

    Scattered LAPSUS$ Hunters publicly combines legacy names while vendors continue tracking the underlying clusters separately.

    Likely

Act 05 / Relationship evidence

What is connected, and what only appears connected.

The strongest map is not the one with the most lines. It is the one that tells you why each line exists.

By this point, I had stopped asking who Scattered Spider was. I was asking why the same names kept appearing together, and which of those connections the public evidence could actually support. My notes stopped looking like a reading list and started looking like lines with footnotes.

Interactive exhibit 01

Relationship explorer

Select a confidence level, then select a node to inspect the evidence. Position indicates analytic category, not command or hierarchy.

How to read this

Heavy solid lines are alias or direct definitional relationships. Dashed lines indicate ecosystem, tradecraft, or branding overlap. They do not assert the same operators.

I kept wanting the map to resolve into one clean answer. It never did. Some relationships were straightforward alias mappings. Others were shared branding, cooperation, or an assessment based on repeated overlap.

The difference is important. Saying that UNC3944 and Octo Tempest describe the same broad activity set is not the same kind of claim as saying that people tied to three familiar brands later worked under the SLSH name.

The table below is deliberately conservative. Each row records the relationship, the public basis for it, and the conclusion that the evidence does not allow me to make.

Relationship evidence: claim, public basis, and limits
ConfidenceRelationshipPublic basisWhat it does not prove
ConfirmedScattered SpiderVendor labelsUNC3944 · Octo Tempest · Muddled LibraDirect vendor and MITRE alias mapping; sustained TTP and activity overlap.That every operation attributed under every name has identical membership.
ConfirmedLAPSUS$Associated namesDEV-0537 · Strawberry TempestMicrosoft taxonomy update and MITRE associated-group mapping.That LAPSUS$ is another name for Scattered Spider.
Confirmed
UNC6040Initial intrusion followed byUNC6240Extortion activity
GTIG separated the Salesforce access/theft activity from subsequent ShinyHunters-branded extortion.That UNC6040 and UNC6240 are necessarily the same operators.
LikelyScattered Spider within Hacker ComFBI ecosystem model plus vendor reporting tying Muddled Libra/Scattered Spider to The Com channels.A formal parent-child organisation or central direction.
LikelySLSH as a three-brand allianceCombined branding, public channels, leak-site activity, and Unit 42's assessment of individuals tied to Scattered Spider, LAPSUS$, and ShinyHunters.A permanent merger of every historical member and operation.
SuspectedPersonnel and service overlap across brandsShared communities, access pathways, reputation markets, public cases, and evolving partnerships.A stable, knowable public membership roster.
UnknownAttribution of self-claimed incidentsTelegram posts, leak-site claims, or possession of sample data.Who performed initial access, who stole data, or whether a claim is truthful.

Attack flow 03

The recurring identity-first intrusion chain

Composite from observed campaigns
flowchart TB
  subgraph ENTRY["Phase 1: Establish access"]
    direction LR
    R["Recon
Employees, vendors, workflows"] --> C["Contact
Vishing, smishing, impersonation"] C --> I["Identity change
Password or MFA reset"] I --> V["Valid account
Trusted session established"] end subgraph ACCESS["Phase 2: Use access"] direction LR S["SaaS / cloud pivot
SSO, connected apps, admin tools"] --> X["Data access
Discovery and bulk export"] X --> M{"Monetisation"} M --> O["Outcomes
Pure extortion · Ransomware / disruption
Fraud / onward access"] end ENTRY -->|"then"| ACCESS classDef human fill:#ffffff,stroke:#999999,color:#111111; classDef identity fill:#e5e5e5,stroke:#777777,color:#111111; classDef access fill:#f5f5f5,stroke:#777777,color:#111111; classDef outcome fill:#111111,stroke:#111111,color:#ffffff; class R,C human; class I,V identity; class S,X,M access; class O outcome; style ENTRY fill:#fafafa,stroke:#d8d8d8,color:#666666; style ACCESS fill:#fafafa,stroke:#d8d8d8,color:#666666;
The recurring advantage is not a specific payload. It is the conversion of human trust into a legitimate-looking session.

MITRE ATT&CK mapping

Techniques that survive the rebrand

Representative rather than exhaustive; mappings vary by cluster and campaign.

Act 06 / Assessment

The malware was never the most important part.

My final assessment is less about who owns which name and more about what these actors understood early.

After spending so long untangling the names, I expected the final lesson to be about attribution. Instead, I kept returning to something simpler: how consistently these actors turned ordinary trust, support processes, and valid identities into access.

01

High-confidence assessment

Identity-first attacks win on economics.

A convincing call can be cheaper, faster, and more reusable than exploit development. Once the actor controls a valid session, legitimate administration becomes the intrusion path. That reduces reliance on novel malware and weakens controls designed around executable payloads.

02

High-confidence assessment

Social engineering is a technical capability.

Reconnaissance, pretext construction, timing, knowledge of support workflows, and the ability to imitate an employee’s language are repeatable tradecraft. Treating the call as “just user error” misses the operator skill and the process weakness being exploited.

03

High-confidence assessment

Younger communities organise around networks, not firms.

Fluid handles, public channels, rapid rebranding, borrowed tools, and peer status create a structure closer to an online scene or gig economy than a traditional hierarchy. Arrests matter, but there may be no single leadership layer to decapitate.

04

Moderate-confidence assessment

The Com may be a generational shift.

It combines English-language social fluency, gaming-era communities, cloud-native targets, data-theft extortion, and physical coercion in parts of the ecosystem. The model is durable even if today’s brand names are not.

Closing assessment

I started with a group name. I ended with a different unit of analysis: an ecosystem that can produce groups, trade names, temporary alliances, and copycats faster than our labels can settle.

Scattered Spider is one of its clearest expressions, not its synonym. LAPSUS$ and ShinyHunters are related parts of the story, not interchangeable chapters. The useful lesson is not to memorise the latest alias. It is to understand the social and technical conditions that make the next alias possible.

Looking back, I am glad I never found a simple answer to my original question. Had I stopped after understanding Scattered Spider, I would probably have missed the larger story surrounding it. This project reminded me that threat intelligence is not only about tracking individual groups. It is also about understanding the communities, relationships, and conditions from which those groups emerge. As my first independent CTI research project, I hope this becomes a useful starting point for someone else opening that first browser tab.

Methodology

How I handled confidence

Confirmed

Directly supported by official records, vendor attribution, or explicit alias mapping.

Likely

Supported by multiple credible observations, with a remaining analytic inference.

Suspected

Plausible overlap with incomplete public evidence or contested cluster boundaries.

Unknown

Not established from the public material reviewed, or dependent on unverified claims.

Sources were prioritised in this order: law-enforcement and court records; first-party threat-intelligence reporting; MITRE ATT&CK; reputable secondary reporting. Self-claims were treated as claims, not attribution. No finding below is presented as my original discovery; my role was to consolidate, compare, and assess the available record. This report is current through 12 July 2026 and will age.

References

Sources and acknowledgements

This report exists because other people did the difficult work first. The list below includes the public sources used in this article and acknowledges the researchers, responders, investigators, journalists, and public agencies whose reporting made this consolidation possible. Dates shown are publication or latest-update dates where available.

  1. 01
  2. 02
  3. 03
  4. 04
  5. 05
  6. 06
    Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

    Google Threat Intelligence Group / Mandiant · 6 May 2025

  7. 07
    Scattered Spider (Group G1015)

    MITRE ATT&CK · actor and technique mapping

  8. 08
  9. 09
    LAPSUS$ (Group G1004)

    MITRE ATT&CK · updated 21 April 2025

  10. 10
    The Cost of a Call: From Voice Phishing to Data Extortion

    Google Threat Intelligence Group · 4 June 2025

  11. 11
  12. 12
    Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

    Google Threat Intelligence Group · January 2026

  13. 13
    Threat Group Assessment: Muddled Libra

    Palo Alto Networks Unit 42 · updated 16 May 2025

  14. 14
    Scattered Spider Cybersecurity Advisory AA23-320A

    CISA, FBI, ACSC, CCCS, NCSC-UK · updated 29 July 2025

  15. 15
  16. 16
    Widespread Data Theft Targets Salesforce Instances via Salesloft Drift

    Google Threat Intelligence Group · 26 August 2025

  17. 17
  18. 18
    The Golden Scale: Bling Libra and the Evolving Extortion Economy

    Palo Alto Networks Unit 42 · 10 October 2025

  19. 19
  20. 20
  21. 21
  22. 22