Shields Up US Retailers: Scattered Spider Threat Actors Can Target Them
A warning has been issued to US retailers by Google researchers, who have discovered that the cybercrime group Scattered Spider, also known as UNC3944, is now targeting companies across the Atlantic. This financially motivated group has a history of social engineering and extortion, having hacked into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.
Initially, Scattered Spider focused on telecoms for SIM swaps, but they expanded their scope to ransomware and broader sectors by 2023. Although their activity decreased following a series of arrests in 2024, ties to other threat actors may have contributed to their potential comeback. The group has targeted high-profile brands, possibly to boost notoriety, and often shifts its focus between different sectors, such as financial services and the food industry.
Google researchers warn that Scattered Spider is now targeting US retailers, shifting its focus across the Atlantic. This comes after threat actors linked to the group allegedly used DragonForce ransomware to target UK retailers, including Co-op, Harrods, and M&S. While the Google Threat Intelligence Group (GTIG) has not confirmed UNC3944's involvement, retail ransomware attacks are on the rise, with 11% of 2025 data leak site (DLS) victims being retailers.
Threat actors target retailers because retailers manage large amounts of personally identifiable information (PII) and financial data. According to Google, it is plausible that threat actors, including UNC3944, view retail organizations as attractive targets for that reason. Furthermore, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.
Google experts state that Scattered Spider targets sectors like Tech, Telecom, Finance, BPO, Gaming, Retail, and Media, focusing on large enterprises in English-speaking countries, as well as India and Singapore. They exploit help desks and outsourced IT via social engineering for high-impact attacks. To prevent such incidents, Google has provided proactive hardening recommendations to US retailers.
It is essential for US retailers to take immediate action to protect themselves against Scattered Spider threat actors. By implementing the recommended security measures, retailers can significantly reduce the risk of a successful attack. Stay vigilant and stay informed about the latest threats and cybersecurity best practices by following reputable sources and security experts on social media.