According to victims, digital crime experts, and cybersecurity responders, the federal law enforcement agency has struggled to stop a highly sophisticated cybercrime syndicate targeting corporate America for two years.
Known as Scattered Spider, this casino hacking group has continued carrying out attacks on casino operators to steal sensitive customer data and payment information. According to four individuals familiar with the investigation, the US Federal Bureau of Investigation (FBI) has known for over six months the identities of at least twelve individuals associated with the group responsible for the severe September breaches at casino operators MGM Resorts International and Caesars Entertainment.
Industry executives and technology experts are particularly concerned about the lack of arrests, given that many of the known hackers operate from within the United States.
An Elusive Web of the ‘Scattered Spider’
According to sources familiar with the matter, the FBI has faced significant difficulties in disrupting the activities of a hacking gang that has targeted casinos across North America and Europe through sophisticated cyber attacks and theft schemes.
Code-named ‘Scattered Spider’ by cybersecurity researchers because of the wide geographic spread of its criminal operations, the gang is reported to have compromised casino networks and stolen tens of millions of dollars through unauthorized credit card transactions and the manipulation of slot machines and electronic table games.
The gang uses tactics such as credential stuffing, SQL injection, and supply chain compromises to breach casino networks. Once inside, they can exfiltrate valuable customer and financial data.
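Of the three initial-access tactics named above, credential stuffing is the one a casino's own authentication logs can reveal directly: one source address trying many different usernames in a short window, with an occasional success marking an account that may now be compromised. The following detector is an added illustration, not code from the article or from any casino operator; the log format, the sample lines, the source addresses and the thresholds (five distinct usernames within five minutes) are all constructed assumptions, and the sliding window also separates stuffing from a single-account brute force, which shows up as repeated failures on one username rather than many.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format; not from any real system).
# 203.0.113.7 cycles through many usernames and then logs in as "frank";
# 198.51.100.9 hammers a single account, which is brute force, not stuffing.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:06Z src=203.0.113.7 user=frank result=SUCCESS
2024-03-01T10:00:07Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:00:09Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:00:12Z src=198.51.100.9 user=alice result=SUCCESS
2024-03-01T11:30:00Z src=203.0.113.7 user=gina result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "user": user,
        "result": result,
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source addresses whose failed logins span at least `min_users`
    distinct usernames inside any `window`-long interval.

    Returns {src: {"distinct_users", "users", "first", "last", "success_within_window"}}.
    success_within_window is True when the same source logged in successfully
    during or shortly after the flagged burst, i.e. an account may be compromised.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) < min_users:
                continue
            win_start, win_end = fails[start]["ts"], fails[end]["ts"]
            success_after = any(
                e["result"] == "SUCCESS" and win_start <= e["ts"] <= win_end + window
                for e in events
            )
            previous = alerts.get(src)
            # Keep the widest burst seen for this source.
            if previous is None or len(users) > previous["distinct_users"]:
                alerts[src] = {
                    "distinct_users": len(users),
                    "users": sorted(users),
                    "first": win_start,
                    "last": win_end,
                    "success_within_window": success_after,
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} usernames between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}; "
              f"success within window: {info['success_within_window']}")
```

On the constructed sample only 203.0.113.7 is flagged, with five usernames and a subsequent success, which is the case that warrants forcing a password reset and session revocation on the account that succeeded; the single-account attempts from 198.51.100.9 fall below the distinct-user threshold and would need a separate per-account lockout rule.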
Scattered Spider Emerged in the Mid-2010s
Casino cybersecurity experts first began noticing the Scattered Spider gang’s activities around 2015. The hackers are believed to have started by targeting small, regional casino operators with less robust security controls.
Unlike physical cheating at the tables, the attacks involved infiltrating casino networks and installing sophisticated malware that let the criminals manipulate slot machines and table games remotely. This enabled theft from player accounts as well as the siphoning of winnings before they were paid out.
As casinos strengthened their cyber defenses in response, the casino hackers adapted their tactics. They began leveraging phishing campaigns and credential theft to compromise employee and vendor accounts with higher levels of network access. This allowed the implantation of more advanced backdoors and persistence mechanisms, giving the criminals long-term control of the hacked systems.
According to sources, the Scattered Spider group was even able to infiltrate some casino cybersecurity teams’ monitoring systems, giving it visibility into detection efforts. Successfully investigating transnational cybercrimes and identifying the individuals behind them presents immense challenges for law enforcement. Scattered Spider members are known to cover their tracks carefully, relying on proxies, cryptocurrencies, and dark web communications to obscure their activities and membership.
Global Expansion and Sophisticated Attacks
By 2018, the cybercrime group had expanded its operations globally and targeted major casino operators and brands. Their attacks became even more sophisticated, relying on living-off-the-land (LOTL) tactics to blend in with normal network activity.
Stolen credentials were used to initiate unauthorized financial transactions, such as large wire transfers, that were harder for casinos to detect. Scattered Spider is estimated to have stolen tens of millions of dollars through these cyber heists, though the full scope of losses is difficult to determine.
Challenges for Law Enforcement
Casino operators and cybersecurity researchers began coordinating with the FBI around 2017 as the scale and sophistication of the Scattered Spider gang’s activities grew. However, successfully investigating a transnational cybercrime group operating through the dark web poses immense challenges.
The hackers use proxies and cryptocurrencies to obscure their locations and transactions. Their digital operations are carefully designed to avoid leaving behind evidential trails tied to any specific individuals.
FBI cybercrime investigators based in the US have limited jurisdiction and legal authority overseas, where many of Scattered Spider’s operations are believed to be based. International cooperation is needed but can be complicated and slow-moving. Building legal cases that could lead to prosecution is further hindered by the technical challenge of positively attributing the complex attacks to specific suspects.
Lack of International Cooperation Hampering FBI Efforts
According to industry observers, Scattered Spider likely originated in Eastern Europe. The diffuse, international nature of the hacking group has impeded the FBI’s ability to infiltrate its operations or encourage arrests by local authorities. Countries such as Russia are unlikely to expedite requests for apprehension or extradition.
In addition, much of the infrastructure used in the group’s cyberattacks relies on cryptocurrencies and dark web communication channels. These technologies provide additional anonymity that masks the identities of suspects. Investigators have struggled to conclusively trace stolen data or funds back to gang participants.
So far, the FBI and other law enforcement have only managed to prosecute one affiliate member of the Scattered Spider gang. Federal agents arrested a Singaporean in 2021 for his role in hacking Sightline Payments, a Las Vegas-based digital payments processor focused on the casino industry. He received a 12-month prison sentence after cooperating with investigators.
Ongoing Threat to Casino Operators
The Scattered Spider poses an ongoing threat to casinos and hospitality providers in North America and around the world, including Singapore, Macau, and China. Cybersecurity analysts have tracked their activities since 2016 as they continue honing their methods for penetrating networks and harvesting sensitive customer information.
Once they extract payment card numbers, Social Security numbers, driver’s license information, and other private data, Scattered Spider affiliates allegedly sell access to this information via dark web marketplaces. Buyers then leverage the data for identity fraud or financial theft targeting individuals.
This resale of hacked consumer data via cryptocurrency transactions makes it harder for the FBI to track down and prosecute the cybercriminals. Investigators have far less visibility into dark web activity than into traditional financial networks.
At the heart of these concerns lies a notorious hacking group known as Scattered Spider. Operating with brazen audacity since 2021, the cybercrime group has woven a web of sophisticated intrusions, stealing millions from casino coffers and leaving a trail of digital footprints seemingly beyond the reach of law enforcement. The lack of arrests by the FBI following the September hacking incidents at Las Vegas casinos owned by Caesars Entertainment and MGM Resorts International has raised concerns among professionals in the cybersecurity industry.