Scattered Spider evolved massively in 2025 – here’s what to expect in 2026

If 2025 was the year of Scattered Spider, 2026 could see the hacking collective ramp up further

During 2025, the Scattered Spider hacking collective has been linked with numerous devastating attacks, including Marks and Spencer, Jaguar Land Rover and the Co-op.

Over the course of the year, Scattered Spider has also been impacted by multiple law enforcement takedowns but the organization keeps evolving and splintering off, despite this increased scrutiny. Later in 2025, it emerged that Scattered Spider collaborated with parallel threat groups ShinyHunters and LAPSUS$ to form a unified collective.

As Scattered Spider’s activities continue to ramp up, the collective’s changing tactics need to be on every business’s radar. Based on the group’s evolution in 2025, what can organizations expect in 2026?

Scattered Spider attacks throughout 2025

Throughout the year, Scattered Spider’s strategy has remained consistent: tricking help desks and employees into offering access, then jumping straight into cloud apps to steal sensitive data.

“Once they have the data, they use extortion to pressure companies into paying up,” Trend Micro’s Forward Threat Research team tells ITPro. “It is simple, it works, and they doubled down on it all year.”

Scattered Spider has evolved its focus over the course of the year. It kicked off 2025 by targeting software as a service (SaaS) platforms, with campaigns targeting Klaviyo and HubSpot using phishing infrastructure hosted on lookalike domains to harvest credentials from corporate users.

In April, it hit UK retailers, including Marks and Spencer, Harrods and the Co-op Group.

From May to June, Cartier and North Face, as well as Erie Insurance and Philadelphia Insurance, also reported breaches consistent with Scattered Spider’s tactics.

After wreaking havoc on the retail and insurance sectors, the group quickly shifted to aviation. In June, Hawaii’s Hawaiian Airlines and Canada’s WestJet were attacked, while Australian airline Qantas reported a breach of a third-party contact center system. In July, the FBI publicly warned that Scattered Spider was targeting airlines with social engineering attacks.

The group tends to focus on one industry at a time, says Aniket Pachchhapur, cybersecurity consultant at GRC Solutions. “Scattered Spider consistently leverages help desk social engineering to penetrate whatever industry it targets. Over time, the group has gravitated toward high-value sectors with widely used outsourced IT services, but it adapts quickly to new targets as defenses stiffen.”

In all cases the group is known to use a "dual extortion" technique: it first demands a ransom and, if that is not paid, leaks the data, says Jake Addison, SOC manager at Reliance Cyber.

Scattered Spider's rebrand

Rebranding is another favored tactic. If 2024 put Scattered Spider on the map, 2025 was the year it learned to reinvent itself, says Ed Williams, vice president of EMEA Consulting at Trustwave, a LevelBlue company.

Rather than disappearing, the group has evolved into a broader extortion ecosystem, now operating under the “Scattered LAPSUS$ Hunters” label. This umbrella identity combines elements of Scattered Spider, ShinyHunters and LAPSUS$, allowing multiple operators to “present a unified front when advantageous”, he says.

Scattered Spider and the wider cyber-criminal community, the Com, show how modern cyber crime has become “fluid, youth-driven and brand-agnostic”, says Rik Ferguson, VP of security intelligence at Forescout. “What we’re seeing now is not a single ‘gang’, but a loose collective that rebrands, regroups and recruits at speed, which is exactly what we observed in LAPSUS$ when we started tracking them back in 2022.”

The recent alignment with ShinyHunters and LAPSUS$ is “less a merger and more a reflection of how these crews swap members, tooling and tactics, while keeping the pressure on high-value targets”, according to Ferguson.

Law enforcement takedowns

With Scattered Spider’s attack radius surging, it’s no surprise law enforcement has stepped up in response. Arrests in the US and UK have been tied to some of the highest-profile attacks, and agencies have begun calling out the Com as a major emerging crime network.

Even so, these groups are “loose and flexible”, according to Trend Micro’s Forward Threat Research team: “Even when a few members get taken down, the overall operation keeps moving, almost like swapping players on a team, rather than shutting it down.”

In September 2025, Scattered LAPSUS$ Hunters announced a temporary withdrawal from illicit activities on BreachForums, citing mounting law enforcement pressure and recent arrests as reasons for stepping back. However, in November 2025 the cybersecurity firm ReliaQuest observed Scattered LAPSUS$ Hunters apparently targeting Zendesk users via a phishing campaign.

That same month, the group claimed responsibility for breaching over 200 companies via Gainsight integrations within Salesforce, per TechCrunch reporting.

Law enforcement takedowns have impacted the collective, but only at a surface level, says Williams. “Their public Telegram channels were removed at least a dozen times this year, yet they consistently rebuilt, often within hours. Instead of deterring activity, disruptions have actually amplified the collective’s reliance on spectacle.”

Scattered Spider continues to evolve

Through 2026, it is likely Scattered Spider will continue its methodology of either targeting companies within a particular sector, or focussing on a larger SaaS application such as Salesforce, says Addison.

From a tactics standpoint, the group has doubled down on social engineering, now at a greater scale, says Williams. Automated spear-phishing tools, some abusing services such as Google Voice, have enabled the threat group to “run high-volume identity harvesting campaigns with minimal manual effort”, he says.

Scattered Spider is also heightening its focus on insider access as a means to compromise networks, according to Addison. He cites the example of an attack on security company CrowdStrike, which dismissed an employee after screenshots of their work device were found posted on Telegram by the collective.

The group has talked about launching its own ransomware as a service this year, as well as floating the idea of an extortion as a service operation for any threat actors wishing to leverage the Scattered LAPSUS$ Hunters brand in their own attacks. “So we may see these being launched in 2026,” says Aiden Sinnot, principal threat researcher at Sophos.

As companies upgrade their security throughout 2026, identity and SaaS security should be a priority, according to Trend Micro’s Forward Threat Research team. “These attackers continue to prove they do not need advanced malware to break into critical environments.”

Taking this into account, stronger verification for help desk requests, phishing-resistant MFA for admins and tight controls on third-party SaaS integrations will also go a long way. “And honestly, training people on how to handle suspicious phone calls or push spam is just as important,” Trend Micro’s researchers advise.

As part of IT help desk impersonation, Scattered Spider is known to install remote tools for access. Addison recommends that IT teams use as small a subset of trusted tools as possible, and ensure defenders are monitoring, alerting and blocking any others.
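One way to put the allowlist advice above into practice, as an added example that is not from the article or from any vendor quoted in it: a small triage pass over process-creation events that alerts on remote-access tools outside policy. The tool catalogue is an illustrative subset, and the approved tool, paths, hosts and events are assumptions constructed for the example.

```python
import ntpath

# Executable names of common remote-access tools (illustrative subset, not exhaustive).
KNOWN_REMOTE_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "rustdesk.exe": "RustDesk",
    "quickassist.exe": "Quick Assist",
}

# Assumption: this organization sanctions one tool, installed under Program Files.
APPROVED = {"TeamViewer": ("c:\\program files\\", "c:\\program files (x86)\\")}

# Constructed process-creation events (host, user, image path); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "jdoe", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "WS-014", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "WS-022", "user": "asmith", "image": r"C:\Users\asmith\AppData\Local\Temp\TeamViewer.exe"},
    {"host": "WS-022", "user": "asmith", "image": r"C:\Windows\System32\notepad.exe"},
]

def triage(events):
    """Return one alert per event that runs a remote tool outside policy."""
    alerts = []
    for ev in events:
        path = ev["image"].lower()
        product = KNOWN_REMOTE_TOOLS.get(ntpath.basename(path))
        if product is None:
            continue  # not a remote-access tool we track
        allowed_dirs = APPROVED.get(product)
        if allowed_dirs is None:
            reason = "unapproved remote tool"
        elif not path.startswith(allowed_dirs):
            reason = "approved tool run from unexpected path"
        else:
            continue  # sanctioned tool in its sanctioned location
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "product": product, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Matching on file name alone misses renamed binaries, so a production rule would also compare the code-signing publisher or file hash against the approved tool.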

Scattered Spider is known to monitor communication platforms such as Teams and Slack, impersonating compromised user accounts to facilitate further information gathering. With this in mind, ensure that no sensitive data such as passwords is ever shared via these platforms, Addison advises. “And where possible video call people to verify that they are who they say.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.