The Fall of Scattered Spider: Teen Charged in $100M Las Vegas Casino Heist Amid Global Cybercrime Crackdown

Breached Company

Breached Company

8 min read
The Fall of Scattered Spider: Teen Charged in $100M Las Vegas Casino Heist Amid Global Cybercrime Crackdown
Photo by Kenny Eliason / Unsplash

Breaking: Another Teen Arrest Rocks the Cybercrime World

A teenage boy has surrendered to authorities in Las Vegas, becoming the latest young suspect charged in connection with the devastating 2023 cyber attacks that crippled MGM Resorts and Caesars Entertainment, costing the casino giants over $100 million combined. The unnamed juvenile, who turned himself in at the Clark County Juvenile Detention Centre on September 17, 2025, faces six serious charges including extortion, conspiracy, and unlawful computer acts.

This arrest marks a significant milestone in law enforcement's ongoing battle against Scattered Spider, the notorious hacking collective that has terrorized major corporations across the globe with sophisticated social engineering attacks that have netted hundreds of millions in damages and ransom payments.

The Vegas Heist: How Ten Minutes Changed Everything

The September 2023 attacks on MGM and Caesars represented a watershed moment in cybercrime history. What made these breaches particularly shocking wasn't just their scale, but their simplicity: the entire MGM infiltration began with a single 10-minute phone call.

Scattered Spider operatives had done their homework. They scoured LinkedIn to identify MGM employees, then called the company's IT help desk posing as one of these workers. In those crucial ten minutes, they convinced support staff to reset multi-factor authentication factors for super administrator accounts in MGM's Okta system. From there, they gained access to Microsoft Azure tenants and ultimately deployed ransomware across more than 100 ESXi hypervisors.

The results were catastrophic:

  • MGM Resorts lost an estimated $100 million, with operations grinding to a halt for nearly two weeks
  • Slot machines went dark across Las Vegas floors
  • Digital room keys stopped working, leaving guests locked out
  • Reservation systems crashed, forcing staff to use pen and paper
  • The company lost approximately $8.4 million per day during the crisis
  • MGM's stock price plummeted, and Moody's threatened to downgrade their credit rating

Caesars Entertainment didn't fare much better. The attackers accessed their loyalty program database containing millions of customers' personal information, including Social Security numbers and driver's license details. Unlike MGM, which refused to negotiate, Caesars reportedly paid $15 million of the hackers' initial $30 million ransom demand.

The Scattered Spider Web: A Global Teen Terror Network

Scattered Spider, also known as UNC3944, Octo Tempest, and 0ktapus, represents a new breed of cybercriminal organization. Unlike traditional ransomware groups dominated by Eastern European actors, Scattered Spider consists primarily of English-speaking teenagers and young adults from the United States and United Kingdom, most between 17-25 years old.

This linguistic advantage has proven devastatingly effective. Their native English fluency allows them to conduct sophisticated vishing (voice phishing) attacks that fool even trained IT professionals. They don't just send phishing emails; they pick up the phone and talk their way past security.

The group operates as part of "The Com," a larger underground community where young hackers boast about their exploits and share techniques. Members maintain leaderboards ranking the most successful criminals, with arrested members like "Sosa" (Noah Urban) and "tylerb" (Tyler Buchanan) previously holding positions #24 and #65 respectively out of 100.

The International Manhunt: A Year of Arrests

Law enforcement's response to Scattered Spider has been unprecedented in its scope and coordination:

The Key Arrests:

Tyler Robert Buchanan, 23 (Scotland) - Alleged ringleader

  • Arrested June 2024 in Palma de Mallorca, Spain
  • Found with $27 million in Bitcoin
  • Extradited to US in April 2025
  • Fled UK after rivals invaded his home and assaulted his mother

Noah Michael Urban, 20 (Florida) - aka "Sosa"

  • Arrested January 2024
  • Stole $800,000 in cryptocurrency (initially reported)
  • Sentenced to 10 years in prison for $13 million theft scheme
  • Pleaded guilty in 2025, becoming first Scattered Spider member sentenced
  • Used SIM-swapping extensively

Five Others Charged (November 2024):

  • Ahmed Hossam Eldin Elbadawy, 23 (Texas)
  • Joel Martin Evans, 25 (North Carolina)
  • Evans Osiebo, 20 (Texas)
  • Plus Buchanan and Urban

UK Teen (17 at time) - Name withheld

  • Arrested July 2024 in connection with MGM attack
  • Released on bail

Latest Las Vegas Teen - Name withheld

  • Surrendered September 17, 2025
  • Six charges including extortion
  • DA seeking to try as adult

Beyond Vegas: The 2024-2025 Retail Apocalypse

While the Vegas attacks grabbed headlines, Scattered Spider's activities expanded dramatically through 2024 and 2025, targeting critical infrastructure worldwide:

Transport for London (August 2024)

As we previously reported in extensive detail, the TfL attack represents one of Scattered Spider's most audacious operations against critical infrastructure. Two teenagers, Owen Flowers (18) and Thalha Jubair (19), were arrested and charged in September 2025 for this devastating breach that:

  • Paralyzed London's digital transport infrastructure for three months
  • Cost £39 million in damage and recovery costs (updated from initial £30M estimates)
  • Compromised 5,000 customers' banking details including account numbers and sort codes
  • Forced 25,000 staff to report to offices for manual identity verification
  • Knocked offline Oyster card systems until December 4, 2024

The courtroom drama was striking: Flowers appeared wearing a grey hoodie emblazoned with "off the grid," while Jubair, known online as "EarthtoStar," "Brad," and "@autistic," sat beside him in black hoodie and glasses. Neither acknowledged the other during proceedings.

Jubair now faces up to 95 years in US prison after being linked to a broader extortion scheme targeting 120 US networks that netted $115 million in ransom payments. Authorities seized $36 million in cryptocurrency from servers he controlled, though he allegedly transferred another $8.4 million to other wallets during the seizure.

The UK Retail Massacre (April-May 2025)

In what cybersecurity experts call the most devastating retail attack in UK history, Scattered Spider affiliates using DragonForce ransomware struck:

Marks & Spencer:

  • Lost over £300 million in projected damages
  • Stock price fell 12%
  • Online operations shut down for weeks
  • Customer data stolen
  • Over 200 job listings pulled

Co-op:

  • 6.5 million members' data compromised
  • CEO Shirine Khoury-Haq personally apologized
  • Staff warned internal communications might be monitored
  • Rural communities particularly affected by outages

Harrods:

  • Systems shut down preemptively
  • Internet access restricted company-wide
  • Full extent of breach still unknown

The Cyber Monitoring Centre classified these as a "single combined cyber event" with total losses between £270-440 million ($363-592 million).

Other Major Targets (2024-2025):

  • Insurance Sector: As we reported, the group pivoted to targeting insurance companies including Aflac, Philadelphia Insurance Companies, and Erie Insurance
  • Qantas Airways: 6 million customers affected, executives took pay cuts
  • Jaguar Land Rover: Production halted for three weeks in September 2025
  • Louis Vuitton/LVMH: Multiple breaches across luxury brands
  • US Healthcare: SSM Health, Sutter Health targeted by Flowers in additional charges

The Evolution of Evil: Scattered Spider's Playbook

What makes Scattered Spider particularly dangerous is their constantly evolving tactics:

Primary Attack Vectors:

  1. Vishing: Calling help desks posing as employees
  2. SIM Swapping: Taking control of phone numbers
  3. MFA Fatigue: Bombarding targets with authentication requests
  4. Credential Harvesting: Mass SMS phishing campaigns
  5. Social Engineering: Exploiting human psychology

Technical Sophistication:

  • Exploiting CVE-2015-2291 to disable security software
  • Partnering with ALPHV/BlackCat ransomware-as-a-service
  • Using legitimate tools like CyberArk against victims
  • Deploying multiple ransomware variants (Cuba, DragonForce, RansomHub)
  • Creating dynamic DNS infrastructure to evade detection
  • Evolution from social engineering (2022-2023) to domain-based phishing (2024) and back to social engineering (2025)

As our previous reporting noted: "While Scattered Spider's early hits in 2022 and 2023 were the result of social-engineering attacks, the group transitioned to domain-based phishing through much of 2024 before activity went dormant last summer. However, they've recently returned to their roots, once again relying exclusively on social engineering as their primary attack vector."

The Human Factor:

Unlike purely technical attacks, Scattered Spider's strength lies in manipulation. They research targets extensively, create believable personas, and exploit the helpfulness of IT support staff. One expert noted: "Their social engineering techniques are very sophisticated... They are known for voice phishing help desks, call centers, and even security operations centers."

Law Enforcement Strikes Back: The Global Response

The international response to Scattered Spider has been unprecedented:

Multi-Agency Cooperation:

  • FBI Cyber Division leading US efforts
  • UK National Crime Agency (NCA) coordinating British response
  • Spanish National Police executing arrests
  • CISA, NCSC issuing joint warnings
  • Interpol facilitating international coordination

Key Developments:

  • FBI identified over 100 victims by late 2024
  • $115 million in confirmed ransom payments tracked
  • Multiple cryptocurrency wallets seized
  • Telegram channels infiltrated and monitored
  • Technical indicators shared globally

Deputy Director Paul Foster of the NCA stated: "The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice."

The Victims Speak: Corporate Catastrophe and Recovery

MGM CEO William Hornbuckle:

"We were completely in the dark about our properties. The attackers had us by the throat."

Class Action Lawsuits:

Multiple lawsuits filed against both MGM and Caesars for:

  • Breach of contract
  • Failure to secure customer data
  • Negligent security practices
  • MGM settled for $45 million in January 2025

Industry Impact:

  • New SEC regulations requiring 4-day breach reporting
  • Insurance companies reassessing cyber coverage
  • Major investment in security awareness training
  • Help desk procedures overhauled industry-wide

The Future: An Ongoing Battle

Despite arrests, Scattered Spider continues operating, though some members have claimed retirement. In September 2025, a cryptic farewell message appeared on BreachForums from a faction called "Scattered Lapsus$ Hunters" announcing their retirement from cybercrime. However, security experts remain skeptical, noting the decentralized nature of the group means new actors regularly emerge.

Security firm Silent Push reports the group has adapted by:

  • Using dynamic DNS to hide infrastructure
  • Shifting to new sectors when heat increases
  • Recruiting new young members
  • Developing legal assistance teams for negotiations
  • Creating "white-label" ransomware services

Expert Warnings:

Charles Carmakal, Mandiant Intelligence:
"One of the most prevalent and aggressive threat actors impacting organizations in the United States today."

Security Researcher Will Malik:
"Cybercriminal organizations, much like the mythical Hydra, tend to sprout new heads when one is cut off."

Lessons Learned: Protecting Against Social Engineering

The Scattered Spider saga offers crucial lessons:

For Organizations:

  1. Never reset passwords over the phone without robust verification
  2. Implement callback procedures for all IT requests
  3. Use hardware tokens instead of SMS-based MFA
  4. Segment networks to limit lateral movement
  5. Train staff extensively on social engineering tactics
  6. Create and test incident response plans
  7. Monitor for insider threats - legitimate credentials are being weaponized

For Individuals:

  • Be skeptical of urgent IT requests
  • Verify caller identity independently
  • Report suspicious activity immediately
  • Never share authentication codes
  • Question password reset requests

The Human Cost: When Teenagers Become Cyber Terrorists

The youth of Scattered Spider members raises troubling questions. Many suspects were minors when they began their criminal careers. Tyler Buchanan fled his home country after criminals invaded his house and tortured his family. These teenagers, some as young as 17, face decades in prison.

The story of Scattered Spider isn't just about technology or money—it's about a generation that grew up online, turning their digital native skills toward destruction. It's about the ease with which a 10-minute phone call can topple a billion-dollar corporation. And it's about the ongoing challenge of securing human nature itself against manipulation.

Conclusion: The War Continues

As another teenager faces justice for the Vegas casino attacks, the battle against Scattered Spider continues. With each arrest, new members emerge. With each security improvement, new tactics develop. The group's evolution from SIM-swapping teenagers to international cyber terrorists conducting hundred-million-dollar heists represents a new chapter in cybercrime.

The unnamed teen who surrendered in Las Vegas this week joins a growing list of young lives destroyed by cybercrime. Whether tried as an adult or juvenile, they face years behind bars for crimes committed before they could legally drink. Meanwhile, their victims—from casino giants to London commuters to everyday shoppers—continue counting the costs.

FBI Assistant Director Brett Leatherman's warning resonates: "No cyber criminal is beyond our reach. If you attack American companies or citizens, we will find you, we will expose you, and we will seek justice."

Yet as fast as law enforcement moves, Scattered Spider adapts faster. The group that started with teenage pranks has evolved into one of the world's most dangerous cyber threats. And somewhere, right now, a teenager with a laptop and a phone is planning the next attack.

The house always wins—except when the house itself is the target.

This investigation draws from court documents, law enforcement statements, company disclosures, and extensive reporting from September 2023 through September 2025, including our previous in-depth coverage of the TfL attack, Noah Urban's sentencing, the insurance sector pivot, and the alleged retirement announcement. Scattered Spider remains active, and this story continues to develop.

For more ongoing coverage of Scattered Spider and cybercrime developments, visit breached.company.

Read more