The hacker collective known as Scattered Spider is once again dominating headlines with a wave of high-profile cyberattacks that span multiple industries. According to threat intelligence sources, the group has pursued a sector-by-sector strategy, recently hitting retail organizations like Marks & Spencer, moving on to insurance firms, and now targeting the aviation and transportation sectors. This surge in high-profile attacks has brought renewed attention to who Scattered Spider is and how they operate. The group’s operations rely heavily on detailed PII, including employee names, job titles, dates of birth, SSN fragments, and phone numbers, leveraged for social engineering, SIM swapping, and doxxing threats. In this article, we explore evidence that data brokers are a primary source of the personal information Scattered Spider exploits in their campaigns.

Who Is Scattered Spider?

Scattered Spider is not a single tight-knit gang but rather a loose umbrella for threat actors who favor certain techniques, especially social engineering, MFA fatigue “bombing,” and SIM swapping, to gain entry into large organizations. The group is also tracked under other names like 0ktapus, UNC3944, Octo Tempest, Scatter Swine, Starfraud, and Muddled Libra. These attackers are reputedly young, English-speaking individuals (often teenagers or in their early 20s) who congregate on the same hacker forums, Telegram channels, and Discord servers to plan and execute attacks in real time. Uniting them is a common playbook of tricking human targets: impersonating employees or IT staff, tricking help desks, stealing one-time passwords, and SIM-swapping phone numbers to bypass SMS-based 2FA. Scattered Spider actors have partnered with major ransomware groups (e.g. DragonForce, BlackCat/ALPHV, Ransom.House/RansomHub, Qilin) to monetize breaches.
They’ve been linked to a string of prominent incidents, including attacks on MGM Resorts, Marks & Spencer, Co-op, Twilio, Coinbase, DoorDash, Caesars Entertainment, MailChimp, Riot Games, and Reddit, among others. U.S. officials estimate the broader Scattered Spider community may number up to around 1,000 members, loosely organized under an underground scene called “The Community” (or “the Com”). This amorphous structure makes it hard to pin down all members, but it’s clear they share tools, data, and services for fraud and hacking.

Their modus operandi is to gather as much information about a target organization (and its people) as possible, then exploit this data to defeat security. Key to this preparation is the harvesting of personal data – and this is where data brokers come into play.

Data Brokers Fueling Scattered Spider’s Reconnaissance

Multiple investigations from 2022 through 2025 suggest that Scattered Spider heavily leverages commercial data broker services as part of their reconnaissance efforts to select targets and craft believable lures. Early evidence came during the notorious “0ktapus” phishing campaign of 2022. In that attack, Scattered Spider (tracked by Okta as Scatter Swine) blasted SMS phishing texts to thousands of employees at over a hundred companies, including Twilio and Cloudflare. Okta’s security team analyzed the incident and assessed that the attackers “likely harvest[ed] mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations.” This explains how the smishing messages were so precisely targeted – even family members of employees received the fake texts. Armed with those curated lists of numbers (tied to company names), the attackers also called some victims on the phone, impersonating IT support to further pry into the companies’ authentication systems.

Threat researchers have described Scattered Spider’s reconnaissance as highly detailed and methodical.
Investigators infer from the group’s detailed impersonation attempts that they are leveraging data brokers, including full personal profiles and professional data commonly found on platforms like ZoomInfo. According to threat intelligence analyst Zach Edwards of Silent Push, Scattered Spider members will buy complete personal dossiers from data brokers to aid in impersonation. In a Financial Times interview, Edwards explained: “They’re picking a target — maybe a senior developer — to be the person [they’re] impersonating, so they may know their maiden name, their home address, they may have already bought a data broker profile on somebody.”

In practice, this means if Scattered Spider decides to impersonate John Doe (a software engineer at Company X) in a help-desk call, they might spend a few dollars on an aggregated background report for John Doe. That report could yield his phone numbers, past addresses, relatives, and other biographical details — all invaluable for convincingly masquerading as John in an IT support scenario.

Threat researchers at ReliaQuest assess that Scattered Spider is leveraging both social media platforms and data broker services to build detailed employee profiles for targeting. “Using platforms like LinkedIn and ZoomInfo, the group digs into the lives of key employees within a target organization, piecing together everything from job titles to contact details,” ReliaQuest noted in a June 2025 profile. ZoomInfo (a business contact aggregator) in particular offers direct phone numbers, corporate emails, org charts, and employment histories – a goldmine for attackers seeking to learn who’s who in a company. By scraping LinkedIn profiles and combining that with data broker info, Scattered Spider can map out an org chart of high-privilege employees and understand exactly how to reach them.
The end result is that when Scattered Spider is ready to approach a target (whether by email, text, or phone call), they have already compiled details about selected employees – from work roles and colleagues’ names to home addresses, birthdates, and hobbies. It’s the payoff of their reconnaissance efforts.

How Scattered Spider Uses Personal Data to Breach, Impersonate, and Threaten

Smishing, impersonation, SIM swaps, and doxxing threats all depend on having personal data, and Scattered Spider puts this data to work throughout their attacks.

Smishing and Vishing

Mandiant’s threat intelligence team reports that a hallmark of UNC3944 (their name for Scattered Spider) is SMS phishing (smishing) sent to employees to steal valid login credentials. The mass smishing during the 0ktapus campaign, which used phone numbers likely sourced from data brokers, is an example of this. Once they succeed, the attackers often impersonate those employees in phone calls to IT service desks, requesting password resets or MFA re-enrollment. During these calls, Scatter