
Scattered Spider gang feigns retirement, breaks into bank instead

(2025/09/17)


Spiders don't change their stripes. Despite gang members' recent retirement claims, Scattered Spider hasn't exited the cybercrime business and instead has shifted focus to the financial sector, with a recent digital intrusion at a US bank.

In an update to an earlier threat intelligence report about [1]ShinyHunters' string of [2]Salesforce-related heists, along with that crime crew's [3]collab with Scattered Spider, ReliaQuest researchers said that their recently uncovered evidence suggests that Scattered Spider didn't "[4]go dark" after all.

"In our original investigation posted on August 12, 2025, ReliaQuest predicted that the Scattered Spider hacking collective, linked to ShinyHunters, would soon shift their focus to the financial sector," the infosec analysts [5]wrote.


"ReliaQuest has now observed this targeting in action, marked by an increase in domains potentially linked to the group focusing on the finance sector, as well as a recently identified targeted intrusion against a US banking organization," the Monday update continued.


The criminals gained initial access [9]in their usual manner - social engineering an executive's account and resetting the password via Microsoft Entra ID (formerly Azure Active Directory) self-service password reset.

Then they used this access to snoop through sensitive IT and security documents and move laterally through the bank's Citrix environment and VPN. As they have done in other intrusions, Scattered Spider also [10]compromised VMware ESXi infrastructure to dump employee credentials and further infiltrate the financial org's network.


"To escalate privileges, the attacker reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection," ReliaQuest added. "Evidence also points to attempted data exfiltration from Snowflake, AWS, and other repositories, underscoring their intent to extract sensitive information."
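The chain ReliaQuest describes is visible in identity telemetry: a self-service password reset on an executive account, an interactive reset of a backup service account, and a Global Administrator assignment minutes later. The following is an added example written for this page, not code from ReliaQuest, Microsoft or The Register. It runs two stateful detection rules over constructed audit records whose field layout is flattened from the shape of Entra ID directory audit entries (the activity names mirror real ones; the accounts, times, role watchlist and service-account watchlist are invented placeholders a tenant would replace with its own).

```python
from datetime import datetime, timedelta

# Constructed sample records: invented accounts and times, flattened from the
# shape of Entra ID directory audit entries (activity names mirror real ones,
# everything else is made up for this example).
SAMPLE_AUDIT_LOG = [
    {"time": "2025-09-15T08:02:11Z", "activity": "Reset password (self-service)",
     "actor": "exec.user@bank.example", "target": "exec.user@bank.example",
     "role": None, "result": "success"},
    {"time": "2025-09-15T08:20:43Z", "activity": "Reset user password",
     "actor": "exec.user@bank.example", "target": "svc-veeam@bank.example",
     "role": None, "result": "success"},
    {"time": "2025-09-15T08:40:57Z", "activity": "Add member to role",
     "actor": "exec.user@bank.example", "target": "svc-veeam@bank.example",
     "role": "Global Administrator", "result": "success"},
    {"time": "2025-09-15T09:15:00Z", "activity": "Reset password (self-service)",
     "actor": "analyst@bank.example", "target": "analyst@bank.example",
     "role": None, "result": "success"},
    {"time": "2025-09-16T14:00:00Z", "activity": "Add member to role",
     "actor": "it.admin@bank.example", "target": "new.hire@bank.example",
     "role": "Helpdesk Administrator", "result": "success"},
    {"time": "2025-09-19T10:00:00Z", "activity": "Add member to role",
     "actor": "analyst@bank.example", "target": "analyst@bank.example",
     "role": "Global Administrator", "result": "success"},
]

# Assumed tenant-specific watchlists (placeholders for this example).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
SERVICE_ACCOUNTS = {"svc-veeam@bank.example"}
SSPR_TO_ROLE_WINDOW = timedelta(hours=24)


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_suspicious_identity_activity(events, window=SSPR_TO_ROLE_WINDOW):
    """Run two stateful rules over audit events in time order and return alerts.

    Rule 1 (service_account_reset): an interactive password reset whose target
    is a known service account. Service accounts should rotate through a
    managed process, not through someone clicking "reset".

    Rule 2 (sspr_then_privileged_role): an account that completed a self-service
    password reset then grants a privileged directory role within `window`.
    A freshly reset account immediately handing out Global Administrator is
    the sequence worth paging on, whoever is behind it.
    """
    ordered = sorted(events, key=lambda e: _parse_time(e["time"]))
    last_sspr = {}  # account -> time of most recent successful self-service reset
    alerts = []
    for e in ordered:
        if e["result"] != "success":
            continue
        t = _parse_time(e["time"])
        if e["activity"] == "Reset password (self-service)":
            last_sspr[e["target"]] = t
        elif e["activity"] == "Reset user password" and e["target"] in SERVICE_ACCOUNTS:
            alerts.append({"rule": "service_account_reset", "time": e["time"],
                           "actor": e["actor"], "target": e["target"]})
        elif e["activity"] == "Add member to role" and e["role"] in PRIVILEGED_ROLES:
            reset_at = last_sspr.get(e["actor"])
            if reset_at is not None and t - reset_at <= window:
                alerts.append({"rule": "sspr_then_privileged_role", "time": e["time"],
                               "actor": e["actor"], "target": e["target"],
                               "role": e["role"],
                               "minutes_since_reset": int((t - reset_at).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_identity_activity(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the sample data the first rule fires on the service-account reset and the second on the Global Administrator grant 38 minutes after the executive's self-service reset; the analyst's reset produces nothing because the later role grant falls outside the 24-hour window, and the Helpdesk Administrator assignment is ignored because it is not on the privileged-role list. The window and both watchlists are the knobs a SOC would tune; the correlation itself is the point, since each event on its own looks like routine administration.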

Plus, this bank break-in happened after Scattered Spider and other ransomware slingers said they were [15]getting out of the business. "Despite these claims, their TTPs and IOCs are still surfacing, showing that the threat remains active and evolving," the threat hunters noted.


Of course, they wouldn't be the first group to pull an exit scam - remember [17]ALPHV/BlackCat after the [18]Change Healthcare attack last year? And Scattered Spider seemingly [19]took a break from its criminal operations for a stint following its [20]high-profile casino heists in 2023, which put a [21]huge target on these criminals' collective backs and led to the [22]arrests of at least seven of its members.

Plus, as Rex Booth, chief information security officer at identity-focused security shop SailPoint, told The Register, "ultimately, whether one group of criminals retires or not doesn't really matter to the victims."

"Ransomware and digital crime are opportunity driven, and if one gang steps aside, a new one will eagerly take their place," Booth said. "We need to focus on prevention more than personalities." ®




[1] https://www.theregister.com/2025/06/25/paris_police_claim_arrests_of/

[2] https://www.theregister.com/2025/08/18/workday_crm_breach/

[3] https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/

[4] https://www.theregister.com/2025/09/14/in_brief_infosec/

[5] https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/


[9] https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/

[10] https://www.theregister.com/2025/07/29/fbi_scattered_spider_alert/


[15] https://www.theregister.com/2025/09/16/google_confirms_crims_accessed_lers/


[17] https://www.theregister.com/2024/11/08/scattered_spider_blackcat_return/

[18] https://www.theregister.com/2024/03/08/change_healthcare_restores_first_system/

[19] https://www.theregister.com/2024/11/08/scattered_spider_blackcat_return/

[20] https://www.theregister.com/2023/12/28/casino_ransomware_attacks/

[21] https://www.theregister.com/2023/11/17/fbi_scattered_spider_action/

[22] https://www.theregister.com/2025/04/08/scattered_spider_updates/




Maybe

Michael Hoffmann

They just wanted to secretly and quietly set up an account for their loot? Did the hacked bank have a good long-term savings account with decent interest?
