Scattered Spider Resurfaces: Cybercrime Group Linked to New Wave of Financial Sector Attacks

Cybersecurity researchers have tied a new string of cyberattacks against financial institutions to the notorious group Scattered Spider, undermining the gang’s recent claims of shutting down operations.

Threat intelligence firm ReliaQuest reported evidence that the group has shifted its attention to the financial services sector. Investigators observed a rise in lookalike domains aimed at finance-related targets, along with a confirmed intrusion at an unnamed U.S. bank. According to ReliaQuest, “Scattered Spider gained initial access by socially engineering an executive’s account and resetting their password via Azure Active Directory Self-Service Password Management.”

Once inside, attackers escalated their privileges by resetting a Veeam service account, assigning themselves Azure Global Administrator rights, and moving virtual machines to avoid detection. They then penetrated deeper into the bank’s infrastructure, exploiting Citrix environments, VPNs, and VMware ESXi systems to harvest credentials. Indicators also suggest attempts to exfiltrate sensitive data from repositories like AWS, Snowflake, and other enterprise platforms.
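A defender-side check for the first two steps in that chain (a self-service password reset followed, within a short window, by the same account being added to the Global Administrator role). This is an added example, not code from ReliaQuest or the article; the activity names loosely follow Azure AD audit log fields, and the sample events are constructed rather than taken from the incident.

```python
"""Correlate Azure AD (Entra ID) audit events: a self-service password reset
followed by a Global Administrator role assignment for the same user."""
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical, not from the incident).
# Field names are a simplified stand-in for an Azure AD audit log export.
SAMPLE_EVENTS = [
    {"time": "2025-09-01T08:02:00Z", "activity": "Reset password (self-service)",
     "category": "UserManagement", "target": "cfo@bank.example",
     "initiated_by": "cfo@bank.example"},
    {"time": "2025-09-01T09:10:00Z", "activity": "Add member to role",
     "category": "RoleManagement", "target": "cfo@bank.example",
     "initiated_by": "cfo@bank.example", "role": "Global Administrator"},
    {"time": "2025-09-01T10:00:00Z", "activity": "Reset password (self-service)",
     "category": "UserManagement", "target": "analyst@bank.example",
     "initiated_by": "analyst@bank.example"},
    {"time": "2025-09-03T11:00:00Z", "activity": "Add member to role",
     "category": "RoleManagement", "target": "analyst@bank.example",
     "initiated_by": "admin@bank.example", "role": "Global Administrator"},
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_sspr_to_global_admin(events, window_hours=24):
    """Return (user, reset_time, role_time) for every user whose self-service
    password reset is followed within `window_hours` by that user being added
    to the Global Administrator role. Events are processed in time order."""
    resets = {}   # target user -> list of reset timestamps seen so far
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["activity"] == "Reset password (self-service)":
            resets.setdefault(ev["target"], []).append(_ts(ev["time"]))
        elif (ev["activity"] == "Add member to role"
              and ev.get("role") == "Global Administrator"):
            t = _ts(ev["time"])
            for r in resets.get(ev["target"], []):
                if timedelta(0) <= t - r <= timedelta(hours=window_hours):
                    hits.append((ev["target"], r, t))
                    break
    return hits


if __name__ == "__main__":
    for user, reset_at, role_at in find_sspr_to_global_admin(SAMPLE_EVENTS):
        print(f"ALERT: {user} reset via SSPR at {reset_at}, Global Admin at {role_at}")
```

The analyst account is not flagged because its role assignment falls two days after the reset, outside the 24-hour window; tune the window and add the service-account resets the article mentions as a second rule in the same loop.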

These findings cast doubt on Scattered Spider’s public declaration of retirement, which the group announced alongside several other cybercrime outfits, including LAPSUS$. Analysts note that the group shares strong overlaps with clusters such as ShinyHunters, forming a broader cybercriminal entity sometimes referred to as “scattered LAPSUS$ hunters.” ShinyHunters itself has engaged in extortion schemes, notably stealing data from Salesforce accounts months after initial breaches by other groups tracked as UNC6040.

Experts warn organizations not to assume cybercriminals truly disband. “The recent claim that Scattered Spider is retiring should be taken with a significant degree of skepticism,” said Karl Sigler, security research manager at Trustwave SpiderLabs. He noted that such announcements often serve as a strategic retreat—a tactic to regroup, refine tactics, and evade mounting law enforcement pressure.

Sigler added that internal disruption may also have played a role, citing possibilities such as compromised infrastructure, leaked communication channels, or the arrest of low-level members. Historically, groups under scrutiny have opted to “retire in name only,” pausing operations before resurfacing under new aliases.

ReliaQuest emphasized that the financial services sector should remain vigilant. The case underscores a recurring theme in cybercrime: even when hackers claim to disappear, their tradecraft often survives, merely rebranded for the next wave of attacks.
