
Inside Scattered Spider (aka Sp1d3rhunters): The shadowy group behind the Jaguar Land Rover cyber incident


Prayukth KV

19. September 2025


This post is the second in our series on the Jaguar Land Rover cyber incident. You can read the first part here.

The emergence of Scattered Spider, also known as Sp1d3rhunters or ShinyHunters, the group claiming responsibility for the Jaguar Land Rover cyber incident, signals a new evolutionary leap in the global threat actor TTP landscape. What sets the group apart is a carefully crafted modus operandi that fuses three potent ingredients for instant notoriety in cyberspace: customer data, large brands, and a unique revenue and operating model for targeting victims.

To the untrained eye, Scattered Spider may appear to be just another threat actor chasing ransom. Scratch the surface, however, and operational layers emerge that unambiguously point to a higher level of evolution, both in TTPs and in post-incident pressure tactics. Let us look at the group in detail to understand why the Jaguar Land Rover incident is proving to be such a long-drawn affair.

The group surfaced in 2020 through a series of global breaches. We have reason to believe that it was started by former members of ALPHV and RansomHub, and that one of these groups incubated it and supplied stolen data and credentials to breach target networks in its initial stages. Taking a best-of-breed approach, Scattered Spider quickly gained a life of its own, and as revenue started flowing, the group paid increasing attention to its business model.

Between 2021 and 2023, the group underwent a series of leadership changes, with the average age of its leadership shrinking by nearly a decade. During this period several new individuals entered the group while the older members moved out. The newcomers settled in fairly quickly and continued to scale operations, as is evident from the list of successful crimes committed by Scattered Spider even during the transition period.

Even for the most sophisticated threat actors, the business and operational model is mostly about raking in ransom while they can and then disappearing into the shadows. ShinyHunters is an exception to this trend. Not only has Scattered Spider developed many models to sustain revenue for its operations, it also runs one of the most mature ransomware-as-a-service operations, with multiple affiliate-friendly revenue-sharing models. Small wonder that its affiliate base grew by a whopping 700 percent in the last two years.

They are easily among the most collaborative cyber crime groups out there. Thanks to a fluid leadership structure with deep links to multiple established threat actors, ShinyHunters has many active cyber crime projects running with groups around the world. Today, a large number of the over 400 cyber incidents attributed to the group are carried out by affiliates through the revenue-sharing model.

Targeting large brands

In addition to seeking publicity for its actions, Scattered Spider has had large brands in its crosshairs since it commenced operations. In its initial phases, the targets were a blend of large and small brands, chosen ostensibly for revenue. Zoosk, Home Chef, Minted, Chatbooks, the Chronicle of Higher Education, Tokopedia and Wattpad were among its early victims.

In the subsequent years, as the new leadership settled in, the group scaled up its operations to target many small and medium businesses that quietly paid ransoms, fearing regulatory attention or investor scrutiny.

In 2024, the group went after AT&T, Twilio and Ticketmaster among other large brands, gathering confidence and an unquenchable hunger for publicity in the process. By the time 2025 arrived, the group had grown and its affiliates had spread their tentacles across the web, netting several large brands including:

· Google: Breached through a third-party CRM environment, exposing contact information of business customers.

· Kering (Gucci, Balenciaga, Alexander McQueen): Customer data from the luxury fashion group was compromised.

· LVMH (Louis Vuitton, Dior, Tiffany & Co.): Gained access to a customer information database.

· Air France-KLM: Customer service data, including names and loyalty program information, was accessed.

· Adidas: Customer service tickets were allegedly stolen.

· Chanel: A client care database was compromised.

· Pandora: Customer profiles were accessed.

· Qantas: Customer data stored in a CRM platform was breached.

· Allianz Life: The North American branch of the insurance giant was targeted.

· Cisco: User profile information from a CRM system was stolen.

· Cartier: Limited client information was accessed.

· Workday: A customer support database was breached.

· Vietnam's National Credit Information Center (CIC): Scattered Spider claimed to have exfiltrated nearly 160 million records.

Modus operandi

Unlike other groups that rely purely on domain impersonation, phishing and vishing, Scattered Spider goes a step further by blending these methods with manipulation of MFA applications. The attack begins with a call, placed by a gang member posing as the support team, to a pre-identified employee. The employee is guided into deploying a modified data loader, which gives the gang member access to the CRM data.
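As an added example (not code from the original post or from Shieldworkz), the following Python routine shows how a defender might spot the pattern described above in CRM audit logs: a connected client that was authorized only recently performing a bulk export, alongside an established client that suddenly exports far more than its own history. The event fields, thresholds and sample events are constructed assumptions; real CRM audit schemas differ.

```python
from datetime import datetime, timedelta

# Constructed CRM audit-log events (assumption: not real JLR, Shieldworkz or
# vendor data). "client" is the connected application that performed the
# action, e.g. a data-loader tool; "rows" is the number of records touched.
SAMPLE_EVENTS = [
    {"ts": "2025-08-20T08:00:00Z", "user": "alice", "client": "Official Data Loader",
     "action": "EXPORT", "rows": 1200},
    {"ts": "2025-08-21T09:15:00Z", "user": "bob", "client": "Official Data Loader",
     "action": "EXPORT", "rows": 800},
    # A client nobody has seen before is authorized, then exports in bulk
    # eleven minutes later: the trace a help-desk-style call that talks a
    # user into installing a "data loader" would leave behind.
    {"ts": "2025-09-01T10:30:00Z", "user": "carol", "client": "DataLoader-Helpdesk",
     "action": "CONNECTED_APP_AUTHORIZED", "rows": 0},
    {"ts": "2025-09-01T10:41:00Z", "user": "carol", "client": "DataLoader-Helpdesk",
     "action": "EXPORT", "rows": 250_000},
    # A long-established client suddenly exports far more than it ever has.
    {"ts": "2025-09-03T11:00:00Z", "user": "alice", "client": "Official Data Loader",
     "action": "EXPORT", "rows": 300_000},
    {"ts": "2025-09-03T12:00:00Z", "user": "bob", "client": "Official Data Loader",
     "action": "EXPORT", "rows": 1500},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_suspicious_exports(events, new_client_window=timedelta(hours=48),
                              bulk_threshold=10_000, spike_factor=10):
    """Return alerts for bulk CRM exports that look like data-loader abuse.

    Two signals, evaluated in timestamp order so only prior history counts:
      high   - a bulk export by a client whose first appearance (any action)
               lies within `new_client_window`; a client that exports on its
               very first event is also caught (its age is zero).
      medium - a bulk export by an established client that exceeds
               `spike_factor` times that client's largest previous export.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    first_seen = {}   # client -> timestamp of its first event of any kind
    prior_max = {}    # client -> largest EXPORT row count seen so far
    alerts = []

    for event in ordered:
        ts = parse_ts(event["ts"])
        client = event["client"]
        first_seen.setdefault(client, ts)
        if event["action"] != "EXPORT":
            continue

        rows = event["rows"]
        age = ts - first_seen[client]
        if rows >= bulk_threshold and age <= new_client_window:
            alerts.append({
                "ts": event["ts"], "user": event["user"], "client": client,
                "severity": "high",
                "reason": f"{rows} rows exported by client first seen {age} earlier",
            })
        elif (rows >= bulk_threshold and client in prior_max
              and rows > spike_factor * prior_max[client]):
            alerts.append({
                "ts": event["ts"], "user": event["user"], "client": client,
                "severity": "medium",
                "reason": f"{rows} rows exported; previous maximum for this client "
                          f"was {prior_max[client]}",
            })

        # Update the baseline only after the current event has been judged.
        prior_max[client] = max(prior_max.get(client, 0), rows)

    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_exports(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["ts"], alert["user"],
              alert["client"], "-", alert["reason"])
```

Evaluating events in timestamp order means each client's baseline is built only from the history that preceded a given export, so a brand-new client that exports on its very first recorded event is still flagged, and a legitimate tool is judged against its own past volumes rather than a global number. The thresholds are placeholders to be tuned against an organisation's real export patterns.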

The attack is then escalated to target multiple systems. From the preliminary information available, it seems the group was able to penetrate deep into Jaguar Land Rover's networks, with access to multiple applications and data. Jaguar Land Rover appears to be trying to contain the breach by disabling the impacted systems. However, in the initial days, when the exact blast radius was unknown, it is possible that some impacted systems were kept 'alive', leading to loss of data, wider system impact and delayed recovery.

Leaking data, double extortion and open threats across social platforms are common tactics of this group. Scattered Spider is also known to use stolen credentials and hijacked victim applications to send phishing mails to entirely new potential victims.

What about the arrests?

The US and UK recently charged two members of the group who were arrested earlier. These arrests, together with a message posted on the group's Telegram channel which read “We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark,” indicate that the group is merely covering its tracks and fading for the time being in order to bounce back later. The group's leadership is still at large, and we believe they will reappear as a rebranded organisation very soon.

Get a custom threat briefing for your organisation. Talk to our threat research team.
