Act 01 / The first thread
I only wanted to understand one group.
The investigation did not begin with The Com. It began with a browser tab and a much smaller question.
I didn’t start this research intending to write about The Com. I simply wanted to understand who Scattered Spider was after reading Group-IB’s report. But every answer seemed to introduce another name: LAPSUS$, ShinyHunters, UNC3944, Octo Tempest, UNC6040, UNC6240. Before long, I had dozens of tabs open across FBI advisories, DOJ indictments, Mandiant reports, Microsoft Threat Intelligence, and vendor blogs.
Somewhere around what felt like my twentieth browser tab, I realized I wasn’t actually researching Scattered Spider anymore. I was trying to understand an entire ecosystem. That’s when I decided to write this article. Not because I had all the answers, but because I wanted one place that connected the pieces in a way that made sense, both for myself and for anyone else following the same trail.
The first tab in that trail was Group-IB’s Connecting Scattered Spider: Defining a Cybercrime Collective Through Shared TTPs, published on 7 July 2026. Their work sparked this investigation and everything that follows. It clarified the relationship between 0ktapus and the collection of activity the industry calls Scattered Spider, while showing how difficult it is to draw a clean boundary around a collective assembled from shared behaviour. 1
At first, I assumed the growing list was simply a naming problem. Every intelligence company has its own taxonomy, after all. But the more reports I opened, the less the confusion looked like a vocabulary issue. The labels were pointing to different things: some to intrusion clusters, some to self-selected brands, some to temporary alliances, and one to the environment from which many of them emerged. The useful material was scattered (no pun intended) across years of reporting. I kept rebuilding the same map just to follow the next source. This article is my attempt to keep that map in one place.
Dozens of tabs. One question.
What started as a simple search about Scattered Spider turned into a much wider trail through reports, advisories, indictments, interviews, and threat research from across the industry. At one point, my browser looked like this.
- 22
- Sources cited
- 1
- Starting question
- ∞
- Rabbit holes
Investigation timeline
How one question became an ecosystem map
- 01Read Group-IB’s Scattered Spider report.
The original question was simple: who was this group?
- 02Opened Microsoft and Mandiant.
UNC3944, Octo Tempest, Muddled Libra, and 0ktapus entered the notes.
- 03Followed the adjacent names.
ShinyHunters, LAPSUS$, UNC6040, UNC6240, DEV-0537, and Strawberry Tempest made the map larger.
- 04Found repeated references to The Com.
The problem stopped looking like aliases and started looking like an ecosystem.
- 05Started consolidating the public record.
The article became the guide I wanted while trying to follow the same trail.
Act 02 / Three actors, considered separately
Three names. Three histories. No shortcuts.
Similarity is not identity. I treated each actor as its own case before looking for a common context.
At this point, I thought I was finally getting somewhere. Surely if I understood Scattered Spider, the rest of the aliases would start making sense. Instead, I found myself opening even more tabs.
Actor profile 01
Scattered Spider
Working definition
A financially motivated, predominantly English-speaking intrusion cluster known for social engineering, identity compromise, data theft, extortion, and ransomware deployment in some operations.
- Active
- Since at least May 2022
- Primary edge
- Human trust and identity workflows
- Vendor labels
- UNC3944, Octo Tempest, Muddled Libra
- Earlier activity
- 0ktapus / Scatter Swine overlap
Scattered Spider became globally visible through high-impact intrusions, but its distinguishing feature is not a malware family. It is the ability to make a compromised identity look like a normal employee. Microsoft describes Octo Tempest as a native-English-speaking, financially motivated collective that uses adversary-in-the-middle phishing, social engineering, and SIM swapping. Mandiant’s UNC3944 reporting describes the same evolution from credential theft and SIM-swapping support toward ransomware and data-theft extortion. 56
The technique is often disarmingly direct: research an employee, call the help desk, persuade support staff to reset a password or enrol a new MFA method, then operate through valid accounts. In later campaigns, the cluster moved through SaaS applications and virtualization infrastructure using legitimate administrative tooling. These are precisely the places where endpoint-centric visibility weakens. 7
Once UNC3944, Octo Tempest, and Muddled Libra lined up, I briefly thought I had solved the naming problem. Then I reached ShinyHunters, where the name itself seemed to move between actors, operations, and extortion branding.
Actor profile 02
ShinyHunters
Working definition
A long-running data-theft and extortion brand. Recent reporting treats “ShinyHunters” less as one immutable crew and more as a name used across several related or cooperating activity clusters.
- Public emergence
- 2020
- Historic model
- Database theft and sale
- Recent model
- SaaS data theft and extortion
- Mandiant split
- UNC6040 intrusion / UNC6240 extortion
ShinyHunters first built its reputation through stolen databases and breach-forum visibility. Unit 42 tracks the historical actor as Bling Libra and describes a shift from selling stolen data toward directly extorting victims and targeting cloud environments. The name has therefore functioned as both an actor label and a market-facing brand. 11
The 2025 Salesforce campaign shows why that distinction matters. Google tracked voice-phishing and data theft as UNC6040, but the later extortion activity as UNC6240; the latter repeatedly claimed the ShinyHunters name. By 2026, GTIG was tracking additional clusters around ShinyHunters-branded SaaS theft to preserve the possibility of changing partnerships or impersonation. A shared brand is evidence. It is not, by itself, proof of one operator set. 1012
By the time I reached LAPSUS$, I had learned not to treat familiar techniques as proof of a shared group. The resemblance was real. The boundary was real too.
Actor profile 03
LAPSUS$
Working definition
A high-velocity extortion group known for social engineering, insider recruitment, data theft, public spectacle, and destructive actions without depending on ransomware encryption.
- Active
- Since at least mid-2021
- Microsoft
- Previously DEV-0537; now Strawberry Tempest
- MITRE ATT&CK
- G1004
- Monetization
- Pure extortion and destruction
LAPSUS$ behaved differently from the quiet, access-preserving model associated with many established intrusion groups. It announced breaches, recruited insiders openly, entered incident-response communications, and used stolen access for data theft and disruption. Microsoft’s 2022 profile called out phone-based social engineering, SIM swapping, MFA fatigue, and attempts to convince help desks to reset privileged credentials. 8
Here the alias mapping is comparatively clean: Microsoft’s DEV-0537 became Strawberry Tempest after the company’s taxonomy change, while MITRE records both as associated names for LAPSUS$. That does not make LAPSUS$ another name for Scattered Spider. It makes it a separate group with an uncomfortably familiar set of methods. 9
Act 03 / The name behind the names
Then one term changed the shape of the investigation.
I had been looking for an organization chart. The evidence was describing a social environment.
The name had been sitting in side references and background paragraphs for several tabs. When I finally stopped treating it as another threat actor and read it as a description of the surrounding community, the rest of the notes began to fit.
The FBI defines The Com, short for The Community, as a primarily English-speaking, international online ecosystem made up of multiple interconnected networks, many of whose members are minors. That definition did more than introduce another actor. It supplied the missing level of abstraction. 2
That public understanding owes a great deal to Allison Nixon, chief research officer at Unit 221B. She began tracking members of these communities more than a decade ago, when their age led many people to dismiss them. MIT Technology Review reported that FBI special agent Ryan Brogan credited her with helping identify and arrest more than 20 community members since 2011. Her public explanation of The Com as an English-speaking youth subculture, with Scattered Spider as one offshoot, also helped establish the ecosystem framing I use here. This is another part of the public record I am consolidating, not a framing I developed myself. 202122
The term also has deeper roots than the recent reporting cycle. In May 2019, the US Department of Justice charged members of a SIM-hijacking group “known to its members as The Community.” This is the earliest clear public official anchor I found. It suggests the underlying name came from inside the community before researchers and law enforcement popularised the shorter “Com.” 3
Suddenly, the alias problem looked different. The Com was not one more box beside Scattered Spider, LAPSUS$, and ShinyHunters. It was the space around the boxes: the channels, forums, friendships, rivalries, services, reputation, and recruitment pools that allow crews to form, split, borrow names, and recombine.
Relationship map 01
Ecosystem, clusters, brands, and vendor labels
flowchart TD COM["THE COM
ecosystem / subculture"] HC["Hacker Com
cybercriminal subset"] IRL["IRL Com
physical-world harm"] EXT["Extortion Com
coercion / abuse"] SS["Scattered Spider
operational cluster"] LAP["LAPSUS$
group / brand"] SH["ShinyHunters
actor / brand"] U3944["UNC3944"] OCTO["Octo Tempest"] MUD["Muddled Libra"] DEV["DEV-0537"] STRAW["Strawberry Tempest"] U6040["UNC6040
intrusion"] U6240["UNC6240
extortion"] SLSH["Scattered LAPSUS$ Hunters
three-brand alliance"] COM --> HC COM --> IRL COM --> EXT HC --> SS HC -. "cultural / personnel overlap" .-> LAP HC -. "cultural / brand overlap" .-> SH SS === U3944 SS === OCTO SS === MUD LAP === DEV LAP === STRAW U6040 -->|"intrusion precedes"| U6240 U6240 -->|"claims brand"| SH SS -. "branding" .-> SLSH LAP -. "branding" .-> SLSH SH -. "branding" .-> SLSH classDef ecosystem fill:#111111,stroke:#111111,color:#ffffff; classDef cluster fill:#ffffff,stroke:#777777,color:#111111; classDef alias fill:#f5f5f5,stroke:#aaaaaa,color:#333333; classDef brand fill:#ffffff,stroke:#111111,color:#111111; class COM ecosystem; class HC,IRL,EXT,SS cluster; class U3944,OCTO,MUD,DEV,STRAW,U6040,U6240 alias; class LAP,SH,SLSH brand;
Alias equivalence
Scattered Spider aligns with UNC3944, Octo Tempest, and Muddled Libra in current public reporting. LAPSUS$ aligns with DEV-0537 and Strawberry Tempest.
Ecosystem membership
Scattered Spider is best understood as a Hacker Com cluster. LAPSUS$ and ShinyHunters have strong cultural, tradecraft, and later branding overlap with the wider ecosystem.
Operator overlap
Public reporting suggests that individuals, services, or access brokers move across these boundaries, but the available evidence is incomplete and does not support treating all historical activity as one operator set.
Stable membership
No reliable public roster exists. Handles change, claims can be false, and a familiar brand may be borrowed by a different crew.
Act 04 / Inside The Com
An ecosystem held together by access, attention, and belonging.
There is no headquarters to map. The structure is social, modular, and constantly renegotiated.
Calling The Com an ecosystem is not evasive language. It is a more accurate description of how it behaves. Members collaborate, recruit, splinter, and regroup. Technical specialisation can be borrowed. A person with social-engineering skill can work with someone who has access, infrastructure, stolen data, or an extortion channel. The unit of analysis changes from “the gang” to the relationship.
The population is disproportionately young. Law-enforcement reporting repeatedly describes minors and young adults, while research on youth pathways into cybercrime identifies gaming communities, peer recognition, and online social networks as common routes into offending. That does not make the activity amateur. It helps explain why fluency in English, workplace culture, social platforms, and status games can matter as much as exploit development. 217
Hacker Com
Access becomes currency.
SIM swapping, credential theft, phishing, malware, ransomware affiliation, account takeover, data theft, and the sale of access. This is the subset most relevant to the actor clusters in this report.
IRL Com
Online conflict crosses the screen.
Doxxing, threats, stalking, swatting, burglary, arson, assault, and other forms of real-world coercion or violence-for-hire documented by law enforcement.
Extortion Com
Control is the product.
Coercive abuse, sextortion, psychological manipulation, and violent online harm, often directed at minors. Terminology varies; the boundaries with IRL Com are porous.
Once I stopped trying to force the ecosystem into an organisation chart, the apparent contradictions became easier to understand. People could share channels, services, skills, or reputation without belonging to one permanent crew. A name could describe a stable group, a temporary alliance, or simply the banner used for one extortion campaign.
It also changed how I understood recruitment. The reporting did not describe a formal application process. It described social movement: meeting people, learning techniques, trading access, building a reputation, and finding collaborators with complementary skills. The path is uneven, and many people in gaming or online communities never move toward crime at all.
That distinction matters for the next diagram. It is a possible path through the ecosystem, not a pipeline and not a claim that any platform or community causes offending.
Ecosystem map 02
How people can move deeper into the ecosystem
flowchart LR A["Gaming, social and
messaging platforms"] --> B["Peer groups
and belonging"] B --> C["Handle trading,
fraud and SIM swaps"] C --> D["Reputation through
access and results"] D --> E["Specialist crews
and temporary alliances"] E --> F["Enterprise intrusion,
data theft and extortion"] F -. "money / visibility" .-> D D -. "recruitment" .-> B classDef start fill:#ffffff,stroke:#999999,color:#111111; classDef middle fill:#f5f5f5,stroke:#777777,color:#111111; classDef terminal fill:#111111,stroke:#111111,color:#ffffff; class A,B start; class C,D,E middle; class F terminal;
Incident chronology
From SIM hijacking to identity-scale extortion
The dates show an evolution of opportunity, not a single group’s uninterrupted campaign.
- “The Community” enters a public court record.Confirmed
DOJ charges describe a SIM-hijacking group using the name internally to steal cryptocurrency.
- ShinyHunters emerges as a breach-and-sale identity.High
Stolen databases and forum reputation establish the name before its later shift toward direct extortion.
- LAPSUS$ turns social engineering into spectacle.Confirmed
Data theft, insider solicitation, MFA abuse, and public extortion demonstrate the power of identity-first intrusion.
- 0ktapus harvests 9,931 credentials.Confirmed
Group-IB identifies 136 affected organisations and 5,441 captured MFA codes across a campaign aimed at Okta identities.
- Scattered Spider moves into ransomware and extortion.High
High-impact hospitality intrusions make help-desk vishing and hybrid identity compromise board-level concerns.
- The focus moves deeper into SaaS and cloud administration.Confirmed
UNC3944 reporting documents data theft, SaaS permission abuse, cloud storage, and virtualization persistence.
- Salesforce vishing separates intrusion from extortion.Confirmed
GTIG tracks UNC6040 for access and theft, and UNC6240 for later ShinyHunters-branded extortion.
- A three-brand alliance makes attribution harder.Likely
Scattered LAPSUS$ Hunters publicly combines legacy names while vendors continue tracking the underlying clusters separately.
Act 05 / Relationship evidence
What is connected, and what only appears connected.
The strongest map is not the one with the most lines. It is the one that tells you why each line exists.
By this point, I had stopped asking who Scattered Spider was. I was asking why the same names kept appearing together, and which of those connections the public evidence could actually support. My notes stopped looking like a reading list and started looking like lines with footnotes.
Interactive exhibit 01
Relationship explorer
Select a confidence level, then select a node to inspect the evidence. Position indicates analytic category, not command or hierarchy.
Heavy solid lines are alias or direct definitional relationships. Dashed lines indicate ecosystem, tradecraft, or branding overlap. They do not assert the same operators.
I kept wanting the map to resolve into one clean answer. It never did. Some relationships were straightforward alias mappings. Others were shared branding, cooperation, or an assessment based on repeated overlap.
The difference is important. Saying that UNC3944 and Octo Tempest describe the same broad activity set is not the same kind of claim as saying that people tied to three familiar brands later worked under the SLSH name.
The table below is deliberately conservative. Each row records the relationship, the public basis for it, and the conclusion that the evidence does not allow me to make.
| Confidence | Relationship | Public basis | What it does not prove |
|---|---|---|---|
| Confirmed | Scattered SpiderVendor labelsUNC3944 · Octo Tempest · Muddled Libra | Direct vendor and MITRE alias mapping; sustained TTP and activity overlap. | That every operation attributed under every name has identical membership. |
| Confirmed | LAPSUS$Associated namesDEV-0537 · Strawberry Tempest | Microsoft taxonomy update and MITRE associated-group mapping. | That LAPSUS$ is another name for Scattered Spider. |
| Confirmed | UNC6040Initial intrusion↓ followed byUNC6240Extortion activity | GTIG separated the Salesforce access/theft activity from subsequent ShinyHunters-branded extortion. | That UNC6040 and UNC6240 are necessarily the same operators. |
| Likely | Scattered Spider within Hacker Com | FBI ecosystem model plus vendor reporting tying Muddled Libra/Scattered Spider to The Com channels. | A formal parent-child organisation or central direction. |
| Likely | SLSH as a three-brand alliance | Combined branding, public channels, leak-site activity, and Unit 42's assessment of individuals tied to Scattered Spider, LAPSUS$, and ShinyHunters. | A permanent merger of every historical member and operation. |
| Suspected | Personnel and service overlap across brands | Shared communities, access pathways, reputation markets, public cases, and evolving partnerships. | A stable, knowable public membership roster. |
| Unknown | Attribution of self-claimed incidents | Telegram posts, leak-site claims, or possession of sample data. | Who performed initial access, who stole data, or whether a claim is truthful. |
Attack flow 03
The recurring identity-first intrusion chain
flowchart TB
subgraph ENTRY["Phase 1: Establish access"]
direction LR
R["Recon
Employees, vendors, workflows"] --> C["Contact
Vishing, smishing, impersonation"]
C --> I["Identity change
Password or MFA reset"]
I --> V["Valid account
Trusted session established"]
end
subgraph ACCESS["Phase 2: Use access"]
direction LR
S["SaaS / cloud pivot
SSO, connected apps, admin tools"] --> X["Data access
Discovery and bulk export"]
X --> M{"Monetisation"}
M --> O["Outcomes
Pure extortion · Ransomware / disruption
Fraud / onward access"]
end
ENTRY -->|"then"| ACCESS
classDef human fill:#ffffff,stroke:#999999,color:#111111;
classDef identity fill:#e5e5e5,stroke:#777777,color:#111111;
classDef access fill:#f5f5f5,stroke:#777777,color:#111111;
classDef outcome fill:#111111,stroke:#111111,color:#ffffff;
class R,C human;
class I,V identity;
class S,X,M access;
class O outcome;
style ENTRY fill:#fafafa,stroke:#d8d8d8,color:#666666;
style ACCESS fill:#fafafa,stroke:#d8d8d8,color:#666666;
MITRE ATT&CK mapping
Techniques that survive the rebrand
Representative rather than exhaustive; mappings vary by cluster and campaign.
Act 06 / Assessment
The malware was never the most important part.
My final assessment is less about who owns which name and more about what these actors understood early.
After spending so long untangling the names, I expected the final lesson to be about attribution. Instead, I kept returning to something simpler: how consistently these actors turned ordinary trust, support processes, and valid identities into access.
High-confidence assessment
Identity-first attacks win on economics.
A convincing call can be cheaper, faster, and more reusable than exploit development. Once the actor controls a valid session, legitimate administration becomes the intrusion path. That reduces reliance on novel malware and weakens controls designed around executable payloads.
High-confidence assessment
Social engineering is a technical capability.
Reconnaissance, pretext construction, timing, knowledge of support workflows, and the ability to imitate an employee’s language are repeatable tradecraft. Treating the call as “just user error” misses the operator skill and the process weakness being exploited.
High-confidence assessment
Younger communities organise around networks, not firms.
Fluid handles, public channels, rapid rebranding, borrowed tools, and peer status create a structure closer to an online scene or gig economy than a traditional hierarchy. Arrests matter, but there may be no single leadership layer to decapitate.
Moderate-confidence assessment
The Com may be a generational shift.
It combines English-language social fluency, gaming-era communities, cloud-native targets, data-theft extortion, and physical coercion in parts of the ecosystem. The model is durable even if today’s brand names are not.
Closing assessment
I started with a group name. I ended with a different unit of analysis: an ecosystem that can produce groups, trade names, temporary alliances, and copycats faster than our labels can settle.
Scattered Spider is one of its clearest expressions, not its synonym. LAPSUS$ and ShinyHunters are related parts of the story, not interchangeable chapters. The useful lesson is not to memorise the latest alias. It is to understand the social and technical conditions that make the next alias possible.
Looking back, I am glad I never found a simple answer to my original question. Had I stopped after understanding Scattered Spider, I would probably have missed the larger story surrounding it. This project reminded me that threat intelligence is not only about tracking individual groups. It is also about understanding the communities, relationships, and conditions from which those groups emerge. As my first independent CTI research project, I hope this becomes a useful starting point for someone else opening that first browser tab.
Methodology
How I handled confidence
Confirmed
Directly supported by official records, vendor attribution, or explicit alias mapping.
Likely
Supported by multiple credible observations, with a remaining analytic inference.
Suspected
Plausible overlap with incomplete public evidence or contested cluster boundaries.
Unknown
Not established from the public material reviewed, or dependent on unverified claims.
Sources were prioritised in this order: law-enforcement and court records; first-party threat-intelligence reporting; MITRE ATT&CK; reputable secondary reporting. Self-claims were treated as claims, not attribution. No finding below is presented as my original discovery; my role was to consolidate, compare, and assess the available record. This report is current through 12 July 2026 and will age.
References
Sources and acknowledgements
This report exists because other people did the difficult work first. The list below includes the public sources used in this article and acknowledges the researchers, responders, investigators, journalists, and public agencies whose reporting made this consolidation possible. Dates shown are publication or latest-update dates where available.
- 01Connecting Scattered Spider: Defining a Cybercrime Collective Through Shared TTPs
Group-IB · 7 July 2026
- 02Hacker Com: Cyber Criminal Subset of The Community Is a Rising Threat to Youth Online
Federal Bureau of Investigation · 23 July 2025
- 03Nine Individuals Connected to a Hacking Group Charged With Online Identity Theft
US Department of Justice · 9 May 2019
- 04Roasting 0ktapus: The Phishing Campaign Going After Okta Identity Credentials
Group-IB · 25 August 2022
- 05Octo Tempest Crosses Boundaries to Facilitate Extortion, Encryption, and Destruction
Microsoft Threat Intelligence · 25 October 2023
- 06Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
Google Threat Intelligence Group / Mandiant · 6 May 2025
- 07Scattered Spider (Group G1015)
MITRE ATT&CK · actor and technique mapping
- 08DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction
Microsoft Threat Intelligence · 22 March 2022
- 09LAPSUS$ (Group G1004)
MITRE ATT&CK · updated 21 April 2025
- 10The Cost of a Call: From Voice Phishing to Data Extortion
Google Threat Intelligence Group · 4 June 2025
- 11Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware
Palo Alto Networks Unit 42 · 2024
- 12Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Google Threat Intelligence Group · January 2026
- 13Threat Group Assessment: Muddled Libra
Palo Alto Networks Unit 42 · updated 16 May 2025
- 14Scattered Spider Cybersecurity Advisory AA23-320A
CISA, FBI, ACSC, CCCS, NCSC-UK · updated 29 July 2025
- 15Five Defendants Charged in Phishing Scheme Targeting Victim Companies
US Department of Justice · 20 November 2024
- 16Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
Google Threat Intelligence Group · 26 August 2025
- 17Sadistic Online Harm Groups Putting People at Unprecedented Risk
UK National Crime Agency · 2025
- 18The Golden Scale: Bling Libra and the Evolving Extortion Economy
Palo Alto Networks Unit 42 · 10 October 2025
- 19Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS
Mandiant · 30 January 2026
- 20Hackers Made Death Threats Against This Security Researcher. Big Mistake.
MIT Technology Review · 16 February 2026
- 21Internet Infamy Drives The Com’s Crime Sprees
CyberScoop · 9 June 2025
- 22Cybersecurity Investigators Worry Ransomware Attacks May Worsen as Young Western Hackers Work With Russians
CBS News / 60 Minutes · 1 June 2025