Ex-NSA bad-guy hunter listened to Scattered Spider’s fake help-desk calls: ‘Those guys are good’
================================================================================================

Plus, Co-op tells The Reg: ‘we took early and decisive action’ to block the crooks
----------------------------------------------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons) Sun 18 May 2025 // 18:30 UTC

INTERVIEW The call came into the help desk at a large US retailer. An employee had been locked out of their corporate accounts.

But the caller wasn’t actually a company employee. He was a Scattered Spider criminal trying to break into the retailer’s systems – and he was really good, according to Jon DiMaggio, a former NSA analyst who now works as a chief security strategist at Analyst1.

Scattered Spider is a cyber gang linked to SIM swapping, fake IT calls, and ransomware crews like ALPHV. They’ve breached big names like MGM and Caesars, and despite arrests, keep evolving. They’re tracked by Mandiant as UNC3944, also known as Octo Tempest.

DiMaggio listened in on this call, which was one of the group’s recent attempts to [infiltrate American retail](https://www.theregister.com/2025/05/15/cyber_scum_attacking_uk_retailers/) organizations after hitting multiple [UK-based shops](https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/). He won’t name the company, other than to say it’s a ‘big US retail organization.’ This attempt did not end with a successful ransomware infection or stolen data.

‘But I got to listen to the phone calls, and those guys are good,’ DiMaggio told *The Register*. ‘It sounded legit, and they had information to make them sound like real employees.’

Scattered Spider gave the help desk the employee’s ID and email address. DiMaggio said he suspected the caller first social-engineered the employee to obtain this data, ‘but that is an assumption.’

‘The caller had all of their information: employee ID numbers, when they started working there, where they worked and resided,’ DiMaggio said. ‘They were calling from a number that was in the right demographic, they were well-spoken in English, they looked and felt real. They knew a lot about the company, so it’s very difficult to flag these things. When these guys do it, they’re good at what they do.’

Luckily, the target was a big company with a big security budget, and it employs several former government and law enforcement infosec officials, including criminal-behavior experts, on its team. But not every organization has this type of staffing or resources to ward off attacks in which the would-be intruders try to break in from every access point.

> They are resourceful, they’re smart, they’re fast

‘They are resourceful, they’re smart, they’re fast,’ Mandiant CTO Charles Carmakal told *The Register*.

‘One of the challenges that defenders have is: it’s not the shortage of network alerts,’ he added. ‘You know when Scattered Spider is targeting a company because people are calling the help desk and trying to reset passwords. They are running tools across an enterprise that will fire off on antivirus signatures and EDR alerts, tons and tons and tons of alerts. They operate at a speed that can be hard to defend against.’

In this case, sometimes the best option — albeit a painful one — is for the organization to break its own IT systems before the criminals do.

* [Cyber fiends battering UK retailers now turn to US stores](https://www.theregister.com/2025/05/15/cyber_scum_attacking_uk_retailers/)
* [Marks & Spencer admits cybercrooks made off with customer info](https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/)
* [British govt agents step in as Harrods becomes third mega retailer under cyberattack](https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/)
* [Here’s what we know about the DragonForce ransomware that hit Marks & Spencer](https://www.theregister.com/2025/05/15/dragonforce_ransomware_uk_retail_attacks/)

### Co-op pulled its own plug

This appears to have been the case with [British retailer Co-op](https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/), which [pulled its systems offline](https://www.bbc.com/news/articles/cwy382w9eglo) before Scattered Spider could encrypt its files and move throughout its networks.

‘Following the malicious third-party cyber-attack, we took early and decisive action to restrict access to our systems in order to protect our Co-op,’ a spokesperson told *The Register*. ‘We are now in the recovery phase and are taking steps to bring our systems gradually back online in a safe and controlled manner.’

The outfit said customers will see ‘improved stock availability in our food stores and online’ beginning this weekend, and added it is ‘working closely’ with suppliers to restock its brick-and-mortar stores.

All payment forms and systems are now up and running across the business, we’re told. ®
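Carmakal’s observation above is itself a detection signal: a burst of help-desk password-reset requests that coincides with a storm of EDR alerts. The Python below is an added example, not code from the article, Mandiant or Analyst1; it assumes help-desk tickets and EDR alerts can be exported as `(timestamp, ticket type, account)` and `(timestamp, host, signature)` records (constructed sample data here, with placeholder thresholds) and flags the time windows where both sources spike together.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the article): help-desk tickets as
# (timestamp, ticket type, account) and EDR alerts as (timestamp, host, signature).
HELPDESK_TICKETS = [
    ("2025-05-12T09:02", "password_reset", "e1001"),
    ("2025-05-12T09:40", "vpn_issue", "e1007"),
    ("2025-05-12T10:15", "password_reset", "e1003"),
    ("2025-05-12T14:05", "password_reset", "e1010"),
    ("2025-05-12T14:09", "password_reset", "e1011"),
    ("2025-05-12T14:14", "password_reset", "e1012"),
    ("2025-05-12T14:20", "password_reset", "e1013"),
    ("2025-05-12T14:31", "password_reset", "e1013"),  # repeat caller, same account
    ("2025-05-12T14:44", "password_reset", "e1014"),
]
EDR_ALERTS = [
    ("2025-05-12T09:30", "host-a", "suspicious_tool"),
    ("2025-05-12T14:07", "host-b", "remote_admin_tool"),
    ("2025-05-12T14:12", "host-c", "remote_admin_tool"),
    ("2025-05-12T14:18", "host-d", "credential_access_signature"),
    ("2025-05-12T14:25", "host-e", "remote_admin_tool"),
]


def window_start(ts: str, minutes: int = 60) -> str:
    """Floor a minute-resolution ISO timestamp to its window; minutes must divide 60."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
    return t.replace(minute=(t.minute // minutes) * minutes).strftime("%Y-%m-%dT%H:%M")


def reset_accounts_per_window(tickets, minutes=60):
    """Distinct accounts requesting a password reset in each window.
    Counting accounts, not tickets, keeps one persistent caller from tripping the rule."""
    per_window = {}
    for ts, kind, account in tickets:
        if kind == "password_reset":
            per_window.setdefault(window_start(ts, minutes), set()).add(account)
    return {w: len(accounts) for w, accounts in per_window.items()}


def edr_alerts_per_window(alerts, minutes=60):
    """Number of EDR alerts raised in each window, regardless of host."""
    return Counter(window_start(ts, minutes) for ts, _host, _sig in alerts)


def flag_windows(tickets, alerts, reset_threshold=3, alert_threshold=3, minutes=60):
    """Windows where a reset-request burst and an EDR alert burst coincide.
    Thresholds are placeholders; tune them against the organisation's normal volume."""
    resets = reset_accounts_per_window(tickets, minutes)
    edr = edr_alerts_per_window(alerts, minutes)
    return sorted(w for w, n in resets.items()
                  if n >= reset_threshold and edr.get(w, 0) >= alert_threshold)


if __name__ == "__main__":
    for w in flag_windows(HELPDESK_TICKETS, EDR_ALERTS):
        print(f"{w}: reset burst + EDR alert burst, escalate to IR")
```

On the sample data only the 14:00 window trips both thresholds; the 09:00 window has one reset and one alert and stays quiet, which is the point of requiring both signals before escalating.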