
Introduction
Despite claims of shutting down operations, the infamous hacking group Scattered Spider has re-emerged with a fresh wave of cyberattacks targeting financial institutions. Security researchers warn that this resurgence proves the group’s so-called “retirement” was nothing more than a smokescreen. With evidence pointing to highly sophisticated infiltration techniques, the latest incidents highlight the urgent need for vigilance in the financial sector.
The Original Report
Cybersecurity experts have linked a series of new cyberattacks against financial services to the Scattered Spider gang, contradicting their earlier announcement of going “dark.” According to threat intelligence firm ReliaQuest, indicators show that the group has shifted its attention to the financial sector. Investigations revealed suspicious lookalike domains, along with a confirmed attack on an unnamed U.S. bank.
The attack began when hackers socially engineered their way into an executive’s account, exploiting Azure Active Directory’s Self-Service Password Management. Once inside, they navigated through the Citrix environment, compromised VPN access, and infiltrated VMware ESXi infrastructure to steal credentials. The attackers escalated privileges by resetting a Veeam service account password, assigning themselves Azure Global Administrator rights, and even relocating virtual machines to avoid detection.
Evidence also points to attempted data exfiltration from repositories like Snowflake, AWS, and other cloud services. These attacks cast doubt on the gang’s earlier claim of retiring alongside other criminal groups such as LAPSUS$. In fact, Scattered Spider has deep ties with ShinyHunters and LAPSUS$, with overlapping members forming alliances like “scattered LAPSUS$ hunters.”
ShinyHunters, for instance, has engaged in extortion campaigns using stolen Salesforce data, often months after the initial breach by affiliated hackers such as UNC6040. Experts warn that such overlapping partnerships complicate attribution and prove that cybercriminal organizations rarely vanish — instead, they rebrand or reorganize.
ReliaQuest cautions that the group’s supposed exit should not lull organizations into complacency. Security researchers argue that their “retirement” is more likely a strategic retreat to dodge law enforcement, refine their tactics, and return stronger. Karl Sigler of SpiderLabs noted that this may be the result of compromised infrastructure, exposed communication channels, or even arrests of lower-level members. Historically, such disruptions only lead to temporary disappearances, with hackers resurfacing under new aliases.
Ultimately, this case underscores the harsh reality: in cybercrime, retirement rarely means the end. It is instead a calculated pause, designed to regroup and strike again.
What Undercode Says:
The resurgence of Scattered Spider offers key lessons for organizations and cybersecurity defenders worldwide.
First, the group’s ability to exploit weak points in identity management systems highlights a persistent vulnerability. By targeting executives and leveraging password reset tools, the attackers bypassed traditional defenses with alarming ease. This proves that cybercriminals prioritize human manipulation over brute-force attacks, reinforcing the need for advanced identity verification methods and continuous monitoring.
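The identity-abuse chain in the report (a self-service password reset on an executive's account, followed by that account granting itself Global Administrator rights) is exactly the sequence continuous monitoring should catch. The detector below is an added example, not code from the report or from ReliaQuest; the audit records are constructed, and the simplified field names and activity strings are assumptions rather than the exact Entra ID schema.

```python
"""Flag a self-service password reset (SSPR) that is followed, within a short
window, by a privileged role assignment involving the same account. Audit
records are constructed to resemble Entra ID (Azure AD) audit-log entries;
field names and activity strings are simplified assumptions."""
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). Timestamps are ISO 8601 UTC.
SAMPLE_AUDIT_LOG = [
    {"time": "2025-09-10T13:02:11Z", "activity": "Reset password (self-service)",
     "category": "UserManagement", "initiatedBy": "exec@example-bank.test",
     "target": "exec@example-bank.test", "result": "success"},
    {"time": "2025-09-10T13:25:40Z", "activity": "Add member to role",
     "category": "RoleManagement", "initiatedBy": "exec@example-bank.test",
     "target": "exec@example-bank.test", "result": "success",
     "role": "Global Administrator"},
    # Benign SSPR with no follow-on role change: must not be flagged.
    {"time": "2025-09-10T09:00:00Z", "activity": "Reset password (self-service)",
     "category": "UserManagement", "initiatedBy": "alice@example-bank.test",
     "target": "alice@example-bank.test", "result": "success"},
]

SSPR_ACTIVITY = "Reset password (self-service)"
ROLE_ACTIVITY = "Add member to role"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_sspr_to_admin(events, window=timedelta(hours=1)):
    """Return (account, sspr_time, role_time, role) tuples where a successful
    SSPR on an account is followed within `window` by a privileged role
    assignment that the same account initiated or received."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    resets = {}  # account -> time of its most recent successful SSPR
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        t = parse_time(e["time"])
        if e["activity"] == SSPR_ACTIVITY:
            resets[e["target"]] = t
        elif e["activity"] == ROLE_ACTIVITY and e.get("role") in PRIVILEGED_ROLES:
            # Either the actor or the target having a fresh reset is suspicious.
            for acct in {e["initiatedBy"], e["target"]}:
                reset_t = resets.get(acct)
                if reset_t is not None and timedelta(0) <= t - reset_t <= window:
                    hits.append((acct, reset_t, t, e["role"]))
    return hits
```

Running `find_sspr_to_admin(SAMPLE_AUDIT_LOG)` flags only the executive account; the window should be tuned to the help-desk and SSPR patterns of the tenant being monitored.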
Second, their lateral movement inside corporate networks shows meticulous planning. By compromising Citrix, VPNs, and VMware ESXi, they gained control over critical infrastructure. This kind of layered attack demonstrates that hackers are not merely opportunistic — they are strategic, patient, and capable of long-term infiltration.
Third, their attempt to steal data from Snowflake and AWS signals a larger trend: cloud repositories are the new goldmines for cybercriminals. As financial institutions increasingly rely on cloud storage, attackers are adapting their methods to exploit misconfigurations, weak authentication, and privileged access gaps.
From a broader perspective, Scattered Spider’s ties to groups like ShinyHunters and LAPSUS$ show the fluid, networked nature of modern cybercrime. These collectives share tools, techniques, and stolen data, blurring the lines between separate hacking crews. The overlap makes attribution nearly impossible and allows them to sustain operations even when certain members are arrested.
The so-called “retirement” is simply psychological warfare. By announcing a shutdown, they lull both victims and law enforcement into complacency, while secretly reorganizing. This tactic buys them time to rebuild infrastructure, recruit new talent, and refine tradecraft. For defenders, this underlines the importance of skepticism whenever cybercriminals claim to go dark.
Financial institutions, in particular, must adopt proactive defenses. This includes zero-trust architectures, stronger authentication, constant monitoring of third-party domains, and incident response readiness. Employee training also becomes crucial, since social engineering remains the weapon of choice.
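The report's "suspicious lookalike domains" and the recommendation to monitor third-party domains come together in the checker below: it folds confusable characters, looks for a brand embedded in a registered label, and falls back to edit distance. This is an added example, not code from the report or from ReliaQuest; the brand and candidate domains are constructed, and the single-label-TLD assumption (no co.uk-style suffixes) is a simplification.

```python
"""Score candidate domains against a bank's brand labels to surface
typosquats and lookalikes. Brand names and candidates are constructed
examples; the public-suffix handling assumes a single-label TLD."""

# Confusable substitutions commonly seen in typosquats (not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label):
    """Lower-case, drop hyphens and fold confusables so that
    'examp1e-bank' and 'exarnplebank' both map to 'examplebank'."""
    label = label.lower().replace("-", "")
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Label left of the TLD, e.g. 'login.examplebank.com' -> 'examplebank'.
    Assumption: single-label public suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_lookalike(candidate, brands, max_distance=2):
    """Return (brand, reason) if `candidate` resembles one of `brands`
    (bare second-level labels such as 'examplebank'), else None."""
    cand = registrable_label(candidate)
    norm = normalize(cand)
    for brand in brands:
        if cand == brand.lower():
            return None  # the brand's own registrable domain is not a lookalike
        b = normalize(brand)
        if norm == b:
            return (brand, "confusable characters")
        if b in norm:
            return (brand, "brand embedded in label")
        if levenshtein(norm, b) <= max_distance:
            return (brand, "edit distance")
    return None
```

Feed newly registered domains or certificate-transparency entries through `score_lookalike` and route hits to the team that handles brand-abuse takedowns.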
The lesson is clear: cybercrime is an evolving ecosystem where names may disappear, but the threats never do. Just as ransomware groups rebrand to escape scrutiny, Scattered Spider and its allies will continue exploiting financial systems unless defenses evolve faster than their tactics.
Fact Checker Results ✅❌
✅ Confirmed: Scattered Spider is still active, targeting financial services.
❌ Misinformation: Their retirement was genuine — evidence proves otherwise.
✅ Verified: Attack vectors included Azure, VMware ESXi, and cloud repositories.
🔮 Prediction
Scattered Spider will likely re-emerge under a new alias, targeting cloud-based infrastructures even more aggressively. Financial services and technology providers will remain their prime targets, and future attacks may blend ransomware with extortion to maximize profits. Unless organizations strengthen defenses around identity management and cloud storage, we will continue to see high-profile breaches tied to this elusive cybercrime collective.
References:
Reported By: thehackernews.com