Scattered Spider, an aggressive cybercrime gang, has escalated its SIM-swap attack campaign by targeting some of the world’s most prominent airlines in 2025. Once known for smaller-scale exploits and having roots in online gaming communities, the group has evolved into one of the most effective and persistent cybercrime gang that has forced the hands of major companies and law enforcement agencies across the globe to rethink their cyber-defensive strategies.
The cybercriminal group, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, was linked earlier this year to coordinated cyberattacks against Canada’s second-largest airline, WestJet, which brought the company’s internal services and the availability of its mobile app to a halt.
According to Bleeping Computer, it was reported that Scattered Spider “gained access by performing a self-service password reset for an employee, which enabled them to register their own MFA and obtain remote access to the network through Citrix.”
Following this attack was another cyberattack on Hawaiian Airlines, which wasn’t initially confirmed by the company. It was Sam Rubin, a Senior Vice President of Consulting and Threat Intelligence at Palo Alto Networks, who confirmed through a LinkedIn post that Scattered Spider had expanded the horizon of the industries it now deemed targetable.
“Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry,” Rubin alerted in a LinkedIn post. “Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”
At the heart of these Scattered Spider’s breaches is the gang’s advanced use of SIM-swapping. This technique involves manipulating mobile carriers into transferring a victim’s phone number onto a SIM card controlled by the attackers. This means by gaining control of a target’s phone number, hackers can intercept authentication codes, easily bypass SMS-based two-factor authentication (2FA), and gain access to sensitive corporate networks.
This technique is also complimented by the cybercriminal group’s help desk social engineering methods. With the inclusion of English-speaking people in the gang, they call corporate help desks, armed with employee data that were harvested from prior breaches and social media. They then impersonate staff members, using urgency and persuasive tactics to get operators to reset passwords, disable multi-factor authentication (MFA), or grant other forms of access.
The aviation sector, in particular, faces unique risks as attackers are shifting focus to the large presence of customer data and the digital infrastructure that supports air travel operations in the industry. Although the recent attack on Hawaiian Airlines did not exactly disrupt flights, the threat to the critical infrastructure is very clear.
“Hawaiian Airlines is continuing to address a cybersecurity event that has affected some of our IT systems. We continue to safely operate our full flight schedule, and guest travel is not impacted,” the company said after the breach. “As we navigate the ongoing event, we remain in contact with the appropriate experts and federal authorities. We will provide updates as more information is available.”
People believe the threat actors associated with Scattered Spider are also a part of “The Com” which, according to Bleeping Computer, is a “loose-knit community of threat actors known for financial fraud, cryptocurrency theft, data breaches, and extortion attacks.” The Scattered Spider gang have also been reported to be in association with Qilin, a Russian-speaking cybercrime group who recently claimed responsibility for a cyberattack on NYC’s 550 Madison Avenue.
As Scattered Spider continues to evolve and law enforcement agencies intensify their pursuit, the cybercrime landscape is now at a critical point, especially with the development of artificial intelligence (AI) now in the mix. The group’s sophisticated blend of social engineering tactics and cybercrime technical expertise now targeted at critical industries like transportation, represents a paradigm shift in the cybersecurity world. It challenges traditional security approaches and demands quick innovative defensive strategies from organizations worldwide, as well as require that companies sit tight with their defensive strategies.
It is for this reason that Palo Alto Networks and Google Threat Intelligence Group (GTIG) both released an advisory-like guide for companies to defend themselves against tactics that are associated with the Scattered Spider gang.
