Risky Bulletin – Between Two Nerds: The Keyser Soze of Scattered Spider
Podcast Host: Risky.biz
Episode Date: October 13, 2025
Co-Hosts/Speakers: Tom Uren (B) and the Grugq (A)
Episode Overview
This episode dives into the evolving tactics of the cybercrime group Scattered Spider, focusing on their alleged recruitment of insiders for network access and comparing their operational style to more "professional" ransomware crews like Medusa. Tom and the Grugq explore the group’s motivations, operational culture, and the broader implications for the cybersecurity landscape, all with the usual Risky Business blend of technical insight and irreverent wit.
Key Discussion Points & Insights
1. Scattered Spider’s Insider Recruitment Tactics
- Scattered Spider is reportedly offering staff up to 25% of illicit revenue for Active Directory (AD) access, and 10% for Okta, Azure, or AWS root credentials ([01:04]).
- Grugq: "There's a premium for Microsoft skills, I guess."
- Tom: "Is it a premium for Microsoft skills? Or that if you get AD access, like, that's three quarters of the job done."
- Grugq: "That's the entire job done." ([01:27])
- The co-hosts question how novel this "insider" recruitment really is, noting that groups like Lapsus$ did this years ago.
2. Effectiveness & Culture of Insider Outreach
- The offers to employees to provide network access are seen in Telegram channels but are met with skepticism about effectiveness.
- Tom: "It sounds reasonable enough. But that's the sort of thing that only happens if you don't have any better alternative."
- He optimistically suggests this might mean external security is improving, forcing attackers to seek insiders.
- The Grugq is doubtful: "Yeah, I don't think that that's true." ([03:38])
3. Scattered Spider’s Motivation: Sport, Not Profession
- Hacking as Social Activity:
  - Tom: "For Scattered Spider, it seemed that hacking was a sport and not a job." ([04:42])
  - Grugq: "It's not even a sport. It's hanging out with your friends and playing darts. Whether you win or lose, that's not necessarily the point… You're there to hang with your friends and you play darts." ([03:53])
  - The group’s activities are driven more by social dynamics and entertainment than by money: "You're stealing a few million dollars. Whether you get it or not, whatever." ([04:26])
4. The Professional Ransomware Model vs. Scattered Spider
- Medusa/Professional Gangs:
  - Tom: "The Medusa Gang, they're air quotes, professional cyber criminals… He's got milestones and key expected results and… probably got a family he wants to get back to, or at least a yacht." ([16:51])
  - The professional crews prioritize efficiency, minimal risk, and financial gain.
- Scattered Spider:
  - Grugq: "If you're Scattered Spider, your business and your life is the exact same thing. You're spending your entire day hanging on this Discord chat… sometimes making phone calls." ([17:15])
5. Notable Anecdotes & Comparisons
- Historic Parallel: Paying insiders is not new: "old-time professional thieves" would also pay insiders about 10% of the take ([06:47-09:04]).
- Operational Risk:
  - The insider always provides an easy target for law enforcement:
  - Grugq: "The funny thing about paying off an insider is that it means that the police have someone they can nab." ([09:04])
6. Language and Operational Barriers
- Many ransomware operators, especially Russian groups, can’t social engineer English-speaking helpdesks effectively.
- Tom: "If you don't speak English, social engineering is probably not your jam." ([12:22])
- Grugq: "That's why this story makes sense. And conversely, the opposite story of Scattered Spider trying to buy insider access didn't really make sense because where's the fun in that?" ([12:50])
7. Payment Logistics and Trust Issues
- Insiders are sometimes offered significant sums, such as “half a bitcoin, about $55,000,” upfront ([14:34]).
- Skepticism about whether insiders actually get paid or whether these offers are even real.
8. Group Dynamics: Collaboration or Chaos?
- Why wouldn’t Russian crews partner with Scattered Spider for better social engineering?
- Grugq: "You couldn't pay me half a bitcoin to hang out with the Scattered Spider kids." ([16:21])
- Scattered Spider members are painted as unruly, socially chaotic, and almost impossible for “professional” criminals to collaborate with.
9. Where Motivation and Opportunity Collide
- Russian crews = efficient, money-driven.
- Scattered Spider = fun-driven, anarchic, money is a byproduct.
- Tom: "With the Scattered Spider kids… the journey is the destination. The money is just a side effect of having fun online." ([21:05])
10. Redefining Threat Actor Motivation
- Grugq: "Calling Scattered Spider a financially motivated threat actor is a complete misnomer… they're a sh*t and giggles motivated threat actor that happens to make a lot of money." ([22:02])
- They may inadvertently create a new threat category:
  - Tom: "There you go. A new, entire new category of threat actor." ([22:20])
Notable Quotes & Memorable Moments
- "That's the entire job done." (Grugq – re: obtaining AD access, [01:34])
- "Hacking was a sport and not a job." (Tom, [03:42])
- "It's like playing darts in your garage by yourself instead of at the pub with your friends." (Grugq, [05:29])
- "I promise I'll pay you." (Grugq, mocking ransomware insider offers, [06:39])
- "The funny thing about paying off an insider is that it means that the police have someone they can nab." (Grugq, [09:04])
- "If you don't speak English, social engineering is probably not your jam." (Tom, [12:22])
- "You couldn't pay me half a bitcoin to hang out with the Scattered Spider kids." (Grugq, [16:21])
- "With the Scattered Spider kids… the journey is the destination. The money is just a side effect of having fun online." (Tom, [21:05])
- "Calling Scattered Spider a financially motivated threat actor is a complete misnomer… they're a sh*t and giggles motivated threat actor." (Grugq, [22:02])
- "There you go. A new, entire new category of threat actor." (Tom, [22:20])
Timestamps for Important Segments
- [01:04] Insider recruitment incentives by Scattered Spider
- [03:30] Debate on whether improved security is forcing attackers to seek insiders
- [04:42] Social engineering as group entertainment
- [06:47] Parallels to old time professional thieves’ insider payments
- [09:04] Law enforcement’s advantage when insiders are involved
- [12:22] Language barriers and the limitations of social engineering for foreign groups
- [14:34] Discussion on how ransomware groups propose to pay insiders
- [16:21] Why professionals don’t collaborate with Scattered Spider
- [21:05] Scattered Spider’s real motivation: fun, not finances
- [22:02] Redefining what kind of threat actor Scattered Spider actually is
Conclusion: A New Category of Threat Actor
The episode concludes by positioning Scattered Spider not as traditional, financially motivated cybercriminals, but as a group for whom hacking is primarily a social, chaotic, and entertaining activity, with financial gains as a mere side effect. This contrasts sharply with the methodical, profit-driven approach of "professional" ransomware gangs, introducing a new kind of threat actor to the landscape—one motivated by "sh*t and giggles," not spreadsheets and bank accounts.
Summary prepared for Risky Bulletin listeners & infosec professionals who want insight into the ever-evolving world of cyber threat actors.
