The Night Scattered Spider Took Down MGM

In September 2023, a group of young hackers armed with nothing more than a phone and a convincing story brought one of the world's largest casino companies to its knees. This is what happened inside the MGM Resorts cyberattack.

breached.news · 14 min read

The slot machines went dark first.

It was a Sunday evening in September 2023 when MGM Resorts International — operator of the Bellagio, the Aria, and a dozen other Las Vegas landmarks — started losing control of its own systems. ATMs stopped dispensing cash. Digital room keys stopped working. Casino floors that normally hum with the constant chatter of machines fell into an uncanny silence. Guests stood at check-in counters while staff tried, and failed, to pull up reservations on screens that had gone blank.

The outage lasted ten days. The damage, MGM would later disclose in a regulatory filing, exceeded $100 million. Hotel bookings collapsed. The company's stock fell. And the breach exposed the personal data — names, contact details, driver's license numbers, Social Security numbers — of an unknown number of customers who had stayed at MGM properties before March 2019.

The culprit wasn't a sophisticated nation-state actor. It wasn't a team of grey-bearded hackers running custom exploits against hardened infrastructure. It was a loosely organised group of young people, many of them teenagers or in their early twenties, who go by the name Scattered Spider — and they did most of their work over the phone.

A Ten-Minute Call

The attack began with a single phone call to MGM's IT help desk.

The caller, impersonating an MGM employee, asked for a password reset. The help desk representative — following what seemed like standard procedure — verified the caller's identity using publicly available information, likely scraped from LinkedIn. Name, job title, employee number: all findable with an hour of open-source research.

This technique is called social engineering: manipulating people rather than systems to gain unauthorised access. It is not new. It is not sophisticated. And it remains one of the most effective tools in any attacker's toolkit, because no amount of enterprise firewall spending protects against a well-rehearsed phone call.

Within hours, Scattered Spider had compromised MGM's Okta environment — the identity management platform used by thousands of corporations to control who can log into what. Okta itself later confirmed that its support system had been separately compromised during the same period, a detail that added further scrutiny to how broadly the group had operated. Compromising an identity provider is like stealing the master key to every door in the building simultaneously. From there, the group moved laterally through MGM's network — using their initial foothold to access additional systems and escalate privileges — before deploying ALPHV/BlackCat ransomware across critical infrastructure.

The ransomware encrypted files, disrupted operations, and left MGM with a choice: pay, or rebuild. MGM chose to rebuild.

The Scale of the Operation

What made this attack unusual wasn't just its ambition but its speed. From the initial social engineering call to full ransomware deployment, the entire intrusion is believed to have taken less than 24 hours. Security researchers who analysed the breach noted that Scattered Spider demonstrated detailed knowledge of enterprise cloud environments — particularly Microsoft Azure, Okta, and identity federation systems — that is typically associated with far more experienced threat actors.

The group's tradecraft also included techniques that security teams rarely prepare for. Rather than trying to crack encrypted passwords, they used a technique called MFA fatigue: bombarding employees with authentication push notifications until, out of frustration or confusion, someone approved one. Once inside a legitimate employee's account, they had access to everything that employee could access — and with the right privileges, that turned out to be quite a lot.

MGM's public infrastructure was also compromised. The company's website, mobile app, and rewards programme were all affected. Guests checking in were handed physical room keys. Casino workers processed transactions by hand. The operational damage was, by any measure, catastrophic.

How MFA Fatigue Actually Works

The term "MFA fatigue" sounds like jargon, but the mechanics are straightforward and the psychology is sound.

Modern enterprise environments typically use push-based multi-factor authentication — systems like Duo Security, Microsoft Authenticator, or Okta Verify that send a prompt to a registered mobile device: "Did you just try to log in?" The user taps Approve or Deny. No code to read, no token to enter. Just a tap.

The attack works like this: the attacker has already obtained valid credentials, either through social engineering, credential stuffing, or purchase on underground markets. They begin repeatedly attempting to log in with those credentials. Each attempt fires a push notification to the legitimate user's phone. The attacker does this dozens of times — sometimes at 2am, sometimes in short rapid bursts — without pausing.

Eventually, one of several failure modes occurs. An employee woken repeatedly in the night taps Approve to make the alerts stop. Someone mistakes the notifications for a system glitch and approves one to clear it. Or — in the more refined variant Scattered Spider also used — the attacker calls the employee directly while the bombing is underway, impersonates IT support, and explains that there's a technical error requiring them to "approve the notification you're about to receive to fix it." The employee, primed by the explanation, approves it.

The Cybersecurity and Infrastructure Security Agency documented this technique in a 2022 advisory specifically warning about MFA fatigue attacks, noting that threat actors had used it to bypass MFA protections at multiple organisations. The recommended mitigations have since become standard guidance: number-matching MFA, where the user must enter a specific number displayed on the login screen into the app (preventing accidental approvals), and phishing-resistant MFA based on FIDO2/WebAuthn standards, which ties authentication cryptographically to the exact domain and device being used. Hardware keys like YubiKey or Google Titan cannot be fatigue-bombed — they don't respond to push notifications at all.

Scattered Spider supplemented their MFA fatigue campaigns with SIM swapping — convincing mobile carrier customer support staff to transfer a victim's phone number to an attacker-controlled SIM card. With control of the victim's number, the group could intercept SMS-based verification codes without needing the phone itself. The same social engineering playbook used against corporate help desks was applied to carrier support lines: research the target, impersonate the account holder, manipulate a low-paid support employee operating under pressure to resolve tickets quickly.

Who Are Scattered Spider?

Scattered Spider — also tracked as UNC3944 and Octo Tempest — is unusual in the threat landscape for several reasons. Microsoft's threat intelligence team published a detailed profile describing them as "one of the most dangerous financial criminal groups" currently active, noting their particular skill at bypassing multi-factor authentication through social engineering and SIM swapping. Unlike the Russian APT groups or North Korean state actors that dominate cybersecurity headlines, Scattered Spider is believed to be composed largely of native English speakers, primarily from the United States and United Kingdom. Some members are suspected to have been minors at the time of the MGM attack.

They communicate on Telegram and Discord. They are products of the internet in a way that older criminal organisations are not — comfortable with cloud infrastructure, fluent in corporate IT jargon, and adept at real-time collaboration during live intrusions. Researchers who have monitored their communications describe a group that is creative, adaptive, and, by some accounts, surprisingly young.

Their primary weapon is social engineering, and they deploy it with a level of conviction that is genuinely difficult to defend against. In documented incidents, members have called IT help desks while impersonating employees, vendors, and even auditors. They know what questions they will be asked, because they have researched their targets thoroughly. They know how to convey frustration at being locked out of their own account. They know when to escalate to a supervisor.

The COM, Telegram, and How This Group Operates

Scattered Spider didn't emerge from nowhere. The group is deeply embedded in what researchers call the "Com" — a loose, overlapping network of English-speaking cybercriminals who coordinate primarily through Telegram channels, Discord servers, and private forums. The Com is not a single organisation with membership cards and a hierarchy; it's more like a scene. People move in and out of different crews, skills are traded and taught, and reputation is built through public demonstrations of successful attacks.

Researchers at CrowdStrike who have tracked the group describe a community that recruits aggressively, shares tooling openly within trusted circles, and practices attacks through rehearsal and role-playing. Social engineering scripts are workshopped in group chats. Voice recordings of successful calls circulate as proof of skill and as training material. Members who show aptitude for specific roles — caller, researcher, technical operator — get pulled into increasingly ambitious operations.

The group's relative youth is not an accident. Social engineering requires the ability to sound convincingly like a peer, a colleague, or an authority figure in real time. Native English speakers who grew up with corporate jargon and institutional processes can simulate them authentically in ways that non-native speakers or older criminals often cannot. The Com actively sought people with good phone manners and no accent.

Communication during live intrusions happened over Telegram and, reportedly, Discord voice channels — allowing the group to coordinate in real time as an attack unfolded, with different members handling the phone call, the technical exploitation, and the reconnaissance simultaneously. It's operationally closer to a startup sprint than to the lone-hacker-in-a-basement stereotype.

Beyond MGM: A Broader Pattern of Targets

MGM and Caesars were the most publicly visible Scattered Spider targets in 2023, but they were far from the only ones. Security researchers and law enforcement have attributed attacks to the group across a wide range of sectors, building a picture of what they actually went after.

Telecommunications companies were an early focus. Scattered Spider targeted multiple US carriers — including T-Mobile, which reported a breach in 2021 that investigators linked to techniques consistent with the group — partly to facilitate SIM swaps. Owning a telco's internal systems gives a criminal group access to customer phone numbers on an industrial scale, dramatically expanding their SIM-swapping capacity.

Technology companies were targeted for their cloud environments. Microsoft's threat intelligence team noted in their Octo Tempest profile that the group had targeted companies for access to Microsoft 365 and Azure tenants, using that access to pivot into managed service providers and their downstream customers. A breach of one IT managed services firm could yield access to dozens of client organisations simultaneously.

Cryptocurrency firms were targeted for obvious financial reasons. Several crypto exchanges and Web3 companies reported incidents consistent with Scattered Spider's methods — social engineering into the platform followed by extraction of digital assets. Unlike fiat currency, crypto transfers are irreversible and difficult to trace when moved through mixers and privacy chains.

The pattern across these targets reflects a group that was systematic rather than opportunistic. They identified sectors where social engineering combined with cloud credential access would yield either large ransoms or liquid assets, and they industrialised that process across multiple concurrent campaigns.

What MGM Got Wrong

Analysing an attack in hindsight is always easier than defending against it in real time, and MGM is not unique in the failures the Scattered Spider attack exposed. But those failures are worth naming specifically, because the same gaps exist in countless other organisations.

Identity verification on the help desk was too easy to fake. The information needed to pass MGM's phone verification — name, employee ID, job title — is findable on LinkedIn within an hour. Help desk procedures built around information that is, by design, semi-public are not verification procedures; they're a formality. Industry guidance following the attack has focused on implementing verified callback procedures, where the help desk hangs up and calls back the employee on a number already registered to their account in the HR system — not a number provided by the caller.

MFA reset was a single point of failure. Once the social engineering call succeeded, the attacker could request an MFA reset through standard help desk procedures. This reset then gave them direct access to the target employee's account. Robust security architecture requires out-of-band MFA reset approval — a separate confirmation channel that an attacker who has only compromised one channel cannot access. That might be a notification to the employee's manager, a video-call identity verification, or a hardware-backed challenge. The specifics matter less than the principle: resetting credentials through the same channel an attacker could have compromised defeats the purpose.

Privileged accounts didn't require elevated confirmation. Once inside the initial account, the group was able to move toward accounts with administrative access over Okta and cloud infrastructure. The principle of least privilege — giving users only the access they need for their specific role — was apparently not enforced strictly enough to limit lateral movement. And privileged administrative actions — particularly changes to identity provider configurations — did not appear to require additional authentication or managerial sign-off.

Okta's environment was not segmented effectively. Identity providers are inherently high-value targets because they control access to everything else. Compromising an Okta tenant is analogous to stealing a master key. Security architecture that treats the identity provider as just another piece of enterprise software — rather than as a uniquely sensitive target requiring additional isolation, monitoring, and change controls — is underweighted on risk.

The Other Victim: Caesars

MGM was not Scattered Spider's only major target that month. Caesars Entertainment — operator of Caesars Palace and dozens of other properties across the United States — was also compromised through similar social engineering techniques, with the initial breach occurring through a third-party IT vendor.

The outcomes, however, differed sharply. Rather than endure the public disruption MGM experienced, Caesars negotiated with the attackers. According to reporting by Reuters, Caesars paid approximately $15 million — roughly half of the initial $30 million demand.

Caesars disclosed the breach in a quiet SEC filing. MGM refused to pay and weathered the consequences publicly. Neither outcome is straightforwardly better than the other. Caesars avoided operational chaos but handed money to criminals and set a precedent that paying works. MGM took the reputational hit but denied the attackers their payday.

Security experts are divided on the right approach. The FBI consistently advises against paying ransoms, arguing that payments fund future attacks and provide no guarantee that stolen data won't be sold regardless. The counterargument is that when operational disruption costs $100 million, a $15 million payment starts to look rational. These are decisions that companies are now routinely forced to make, with no good options.

The Arrests

In May 2024, the US Department of Justice charged five individuals in connection with Scattered Spider's attacks on MGM, Caesars, and other companies. The defendants, aged between 19 and 23, were charged with wire fraud conspiracy and aggravated identity theft. Arrest warrants were issued.

The charges represented a significant law enforcement action against a group that had previously operated with what appeared to be near-total impunity. Whether the prosecutions will meaningfully disrupt the group's activities remains to be seen. Decentralised, internet-native criminal organisations have historically proven resilient to targeted arrests.

What This Means for Everyone Else

The MGM breach is a useful case study not because it was technically extraordinary — it wasn't — but because of how thoroughly it exposed the limits of conventional security thinking.

Companies spend enormous sums on firewalls, endpoint detection, encryption, and zero-trust architecture. These investments are not wasted. But the MGM attack required none of them to be circumvented. The attacker didn't break through the wall. They walked through the front door, because someone held it open.

Help desk social engineering is not a new problem. It is not even a particularly clever one. The solution — stricter identity verification protocols, out-of-band confirmation for sensitive requests, limits on what can be reset over the phone — is well understood. The challenge is operational. These protocols add friction. They slow down legitimate requests. They frustrate employees who genuinely need help. And in large organisations, the pressure to resolve tickets quickly is constant.

The lesson, ultimately, is that security culture matters as much as security technology. The most sophisticated intrusion detection system in the world cannot protect you from a help desk employee who has been trained to be helpful above all else.

Defending Against This: What Actually Works

The good news, if there is any, is that defending against social engineering attacks like Scattered Spider's does not require exotic technology. It requires specific procedures, consistently enforced.

Verified callback numbers for all identity-sensitive requests. Every help desk that handles account resets or access changes should have a protocol: hang up, look up the employee's registered phone number in a locked HR or identity system, call them back on that number. The callback number must come from the identity system — not from the caller, not from a directory the caller could have modified. This single control defeats the social engineering cold-call at the first step.

Out-of-band MFA reset approval. Any request to reset MFA credentials should require a confirmation through a channel that was established before the request. A manager approval via a pre-authenticated Slack or Teams message, a physical in-person verification with HR, or a confirmation email to the account's backup address. Critically, the backup address and phone number in the system must themselves have been established through a verified process — not simply self-reported by the account holder or, worse, the caller.

Manager confirmation for privileged account changes. For accounts with elevated access — system administrators, identity provider admins, accounts with access to financial systems — any change to authentication credentials should require a second authorisation from a manager or security officer. One ticket, one approval is not enough for accounts that can open every door. This is operationally inconvenient. It is also the correct tradeoff.

MFA that can't be fatigue-bombed. Replacing push-notification MFA with number-matching MFA eliminates most accidental approvals. Replacing push MFA entirely with hardware security keys — for privileged and IT accounts in particular — eliminates the attack surface entirely. Hardware keys don't fire push notifications that can be ignored or accidentally tapped; they require physical presence and intentional use.

Monitoring for unusual help desk patterns. A sudden surge in password reset requests, multiple requests for the same account, or requests that come outside normal business hours should trigger elevated scrutiny rather than routine processing. Security information and event management (SIEM) tools can surface these patterns if the right alerting rules are configured. Many organisations have the tooling; they haven't configured it to watch the help desk.
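The two signals described above, a push-bombing storm against one user and a burst of help-desk reset tickets for the same account, are simple to express as SIEM-style rules. The following is an added example, not code from the article or from any identity-provider vendor; the log format, field names, time windows and thresholds are assumptions, and the sample events are constructed.

```python
# Added example: minimal detectors for MFA push storms and help-desk reset surges.
# Log format, field names and thresholds are assumptions, not any vendor's schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, event type, user, result.
SAMPLE_LOG = """\
2023-09-10T02:01:05Z mfa.push.sent jsmith CHALLENGE
2023-09-10T02:01:40Z mfa.push.sent jsmith DENIED
2023-09-10T02:02:10Z mfa.push.sent jsmith TIMEOUT
2023-09-10T02:02:45Z mfa.push.sent jsmith TIMEOUT
2023-09-10T02:03:20Z mfa.push.sent jsmith DENIED
2023-09-10T02:04:00Z mfa.push.sent jsmith APPROVED
2023-09-10T09:15:00Z mfa.push.sent alee APPROVED
2023-09-10T02:10:00Z helpdesk.reset.password jsmith TICKET
2023-09-10T02:12:30Z helpdesk.reset.mfa jsmith TICKET
"""

def parse_events(text):
    """Parse the constructed log format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, etype, user, result = line.split()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "type": etype, "user": user, "result": result})
    return events

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with at least `threshold` pushes inside `window`; an APPROVED
    at the end of a run of DENIED/TIMEOUT is the fatigue signature."""
    pushes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "mfa.push.sent":
            pushes[e["user"]].append(e)
    alerts = {}
    for user, evs in pushes.items():
        for i, cur in enumerate(evs):
            # All pushes to this user in the trailing window ending at `cur`.
            run = [p for p in evs[: i + 1] if cur["ts"] - p["ts"] <= window]
            if len(run) >= threshold:
                # Later windows overwrite earlier ones, so the largest is kept.
                alerts[user] = {
                    "pushes": len(run),
                    "denied_or_timeout": sum(p["result"] != "APPROVED" for p in run),
                    "approved_after_storm": cur["result"] == "APPROVED",
                    "off_hours": cur["ts"].hour < 7 or cur["ts"].hour >= 20,
                }
    return alerts

def detect_reset_surges(events, window=timedelta(minutes=30), threshold=2):
    """Flag users with `threshold` or more help-desk reset tickets inside
    `window`, e.g. a password reset quickly followed by an MFA reset."""
    resets = defaultdict(list)
    for e in events:
        if e["type"].startswith("helpdesk.reset."):
            resets[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in resets.items():
        times.sort()
        for i, t in enumerate(times):
            n = sum(1 for u in times[: i + 1] if t - u <= window)
            if n >= threshold:
                alerts[user] = n
    return alerts
```

Running both detectors over `parse_events(SAMPLE_LOG)` flags only `jsmith`: six pushes in under three minutes at 2am, five of them denied or timed out before the approval, followed by two reset tickets within three minutes.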

Regular social engineering simulations. Tabletop exercises that specifically walk help desk staff through realistic scenario calls — where someone playing a convincing attacker tries to extract access — are more effective than awareness training alone. The goal isn't to trick employees into failure and shame them; it's to build the mental muscle of scepticism so that the procedures feel natural, not paranoid.

None of these controls requires a large budget. Most require updated procedures and consistent training. The gap between an organisation that is vulnerable to what Scattered Spider did to MGM and one that is meaningfully more resistant is not primarily a technology gap. It is a process gap. And process is fixable.


For practical steps on protecting your own accounts against credential-based attacks, see our guide to the best password managers in 2025.