Risky Bulletin: Episode Summary
Episode Title: Srsly Risky Biz: Four Key Players Drive Scattered Spider
Host: Amberly Jack
Guest: Tom Uren, Policy and Intelligence Editor at Risky Biz
Release Date: July 10, 2025
Introduction
In this episode of Risky Bulletin, host Amberly Jack engages in an insightful discussion with Tom Uren, the Policy and Intelligence Editor at Risky Biz. The conversation delves into two major cybersecurity topics: the organizational structure of the cyber threat group Scattered Spider and the implications of Chinese espionage data leaks being sold on underground forums.
Scattered Spider: Understanding the Organizational Structure
Amberly Jack initiates the discussion by highlighting the recent focus on Scattered Spider, a prominent cyber threat group. She notes the shift from viewing them as a loosely connected community to identifying specific key players within the group.
"Scattered Spider, whether you call them a group, a community, a vibe, causing all kinds of chaos, especially over the past few months." [00:59]
Tom Uren elaborates on the evolution of Scattered Spider, tracing its roots back to the teenage group Lapsus. He explains how their sophisticated social engineering and SIM swapping techniques have led to substantial disruptions.
"Originally, there was a group of teenagers called Lapsus... they've been just tremendously successful at breaking into all sorts of organizations." [01:38]
He further discusses recent reports from threat intelligence firms Halcyon and CrowdStrike, both indicating that Scattered Spider is driven by just two to four key players. This revelation suggests a more centralized command structure than previously believed.
"Cynthia Kaiser... said that there's only two to four key players... Adam Myers from CrowdStrike... said there's maybe four key players." [02:15]
Amberly reflects on the significance of this finding, comparing the influence of these key figures to that of project managers in large corporations.
"Regardless whether you're like a massive construction industry corporation or cybercrime, it all comes down to having the right project manager." [06:03]
Tom emphasizes the potential leverage in targeting these key individuals, drawing parallels to successful interventions where central figures were rehabilitated rather than solely relying on arrests.
"There's a point of leverage that people can target... figure out who those people are and do something about them." [06:14]
The discussion underscores the importance of focusing cybersecurity efforts on these pivotal actors to effectively disrupt Scattered Spider's operations.
Chinese Espionage Data Leaks: A New Market Emerges
Shifting gears, Amberly brings up Tom's analysis of recent data leaks involving Chinese espionage groups being sold on underground forums, expressing amusement at the potential rise of a "Chinese espionage for service" market.
"You seem kind of gleeful in your hope that this may be the beginning of a Chinese espionage for service market." [09:17]
Tom provides a detailed account of the situation, contrasting it with previous Russian data leaks. He highlights how Chinese cyber espionage materials are being offered on platforms like Darkforums, complete with actionable intelligence such as IP addresses, names, and phone numbers of compromised individuals.
"Salt Typhoon is the group that has had just tremendous success compromising U.S. telecommunications companies... it's offered the people who work for Salt Typhoon... their password and IP addresses." [11:00]
He points out the practicality of the leaked information, suggesting it could significantly aid efforts to track and counteract groups like Salt Typhoon.
"It felt like this stuff is probably worth buying and if you buy it, you may encourage a market and that would be a great thing." [12:30]
Amberly humorously remarks on the commercial nature of these leaks, likening them to products in an auction.
"It sounds like something that a few people might want to put the auction paddle up for and have a little peruse over." [14:41]
Tom contrasts the current Chinese leaks with earlier Russian ones, noting the increased actionable value and the likelihood of budget allocation within intelligence agencies to purchase such data.
"This feels like something it would be worth spending money for... it felt like there was a... an organizational dynamic that might encourage people to give up their personal budget to buy this stuff." [15:01]
He also observes the strategic choice of using English-language forums over platforms like Telegram, possibly to evade Russian government surveillance.
"It's an English language forum rather than Telegram. And so Telegram, it seems like the Russian government probably has access. And so this seems like a wiser choice as well." [16:15]
The segment concludes with Tom highlighting the actionable nature of the leaked data, emphasizing its potential in enhancing cybersecurity defenses against espionage activities.
Conclusion
The episode wraps up with Amberly thanking Tom for his valuable insights and encouraging listeners to subscribe to his Seriously Risky Business newsletter for more in-depth analyses.
"You can subscribe to Tom's Seriously Risky Business newsletter at Risky Biz." [16:34]
Key Takeaways
- Scattered Spider's Structure: Recent intelligence suggests that Scattered Spider operates under the guidance of a few central figures, making targeted disruption strategies more feasible.
- Chinese Espionage Leaks: The sale of actionable espionage data on English-language forums could signify the emergence of a marketplace for intelligence information, potentially altering the landscape of cyber espionage and defense.
- Actionable Intelligence: The availability of detailed and practical data from espionage leaks presents both challenges and opportunities for cybersecurity professionals in mitigating threats.
For more detailed analyses and updates on cybersecurity threats, subscribe to Risky Business and their accompanying newsletters.
