Feds are hunting teenage hacking groups like ‘Scattered Spider’ who have targeted $1 trillion worth of the Fortune 500 since 2022

The job posts don’t immediately raise alarms, even though they’re clearly not for tutoring or babysitting.

 “Female candidates are a PRIORITY, even if you aren’t from US, if you do not have a clear accent please feel free to inquire,” a public Telegram channel post on Dec. 15 stated. “INEXPERIENCED people are OKAY, we can train you from scratch but we expect you to absorb information and take in what you are learning.” Those who are interested are expected to be available from 12 pm EST to 6 pm EST on weekdays and will earn $300 per “successful call,” paid in crypto.

Of course, the ad isn’t for a legitimate job at all. It’s a recruiting post to join a criminal underground organization, where the job is undertaking ransomware attacks against big corporations. And the ‘gig’ workers being recruited are largely kids in middle and high schools. The enterprise is called The Com, short for “The Community,” and it includes about 1,000 people involved in numerous ephemeral associations and business partnerships, including those known as Scattered Spider, ShinyHunters, Lapsus$, SLSH, and other iterations. Associations change and reframe frequently in what expert researcher Allison Nixon calls “a huge spaghetti soup.” Since 2022, the pipeline has successfully infiltrated U.S. and UK companies with a collective market cap valuation of more than $1 trillion with data breaches, theft, account compromise, phishing, and extortion campaigns. Some 120 companies have been targeted, including brands such as Chick-fil-A, Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, and Vodafone, according to research from cyber intelligence firm Silent Push and court records.

What makes The Com and these groups uniquely dangerous is both their sophistication and how they weaponize the youth of their own members. Their tactics exploit teenagers’ greatest strengths, including their technical savvy, cleverness, and ease as native English speakers. But their blindness to consequences and habit of having conversations in public leave them vulnerable to law enforcement. Starting in 2024, a series of high-profile arrests and indictments of young men and teenagers ranging in age from 18 to 25 has exposed the significant risk of getting involved in The Com. In August, a 20-year-old in Florida was sentenced to a decade in federal prison and ordered to pay restitution of $13 million for his role in multiple attacks. Unnamed juveniles have also been listed as co-conspirators, and the ages that some are alleged to have begun offending are as young as 13 or 14, according to law enforcement.

Zach Edwards, senior threat researcher at Silent Push, said the structure is a classic one, in which young people do most of the dangerous grunt work in a criminal organization. “The people that are conducting the attacks are at dramatically more risk,” said Edwards. “These kids are just throwing themselves to the slaughter.”

Edwards said the group even tends to slow down during the holidays “because they’re opening presents from Mom under the Christmas tree,” he said. “They’re, you know, 15-year-olds opening stockings.”

And usually parents only find out their kids are involved when the FBI knocks on the door, noted Cynthia Kaiser, former deputy assistant director of the FBI’s cyber division. 

“When they’re at a federal felony level is when the parents know because that’s when the FBI comes into play,” she said. Cybercrime lacks all the natural “offramps” that exist with other types of juvenile offenses, explained Kaiser. If a kid defaces a school gym with spray paint, they’re usually caught by a security guard or teacher and they get in trouble. It’s a warning sign for further intervention that doesn’t exist in the online spaces kids frequent.

“It allows these kids to get to the point where they’re conducting federal crimes that no one’s ever talked to them about,” said Kaiser. She often saw “loving parents, involved parents, kids who really did have a lot of advantages, but they just kind of got swept up into this, which I think is easy to do.”

Learning from LinkedIn and Slack  

Silent Push, which has tracked Scattered Spider and other groups for years, found that since March 2025, the group has pivoted back to social engineering as the backbone to its ransomware operations, a feat it is incredibly skilled at pulling off. The group allegedly steals employee lists and job titles by compromising HR software platforms and conducting extensive reconnaissance on LinkedIn, said Nixon. With a full roster in hand, the group will call employees directly, pretending to be a new hire with innocuous-seeming questions about platforms, cloud access, and other tech infrastructure. They’ve also been known to read internal Slack message boards to pick up on corporate lingo and acronyms and to find out who to target for permissions to systems. Edwards said the group leans hard on A/B testing to determine which types of calls are most successful and then doesn’t stray far from that path.

Charles Carmakal, chief technology officer of Google Cloud’s Mandiant Consulting, said group members also learn from each other as they work through more intrusions and they share their insights in chat rooms. They often abuse legitimate software in a way that gets them to their ultimate objective without having to create malware or malicious software, he said. 

“They’re resourceful,” said Carmakal. “They read the blogs, they understand what the red teams are finding, what the blue teams are finding, what other adversaries are doing, and they’ll replicate some of those techniques as well. They’re smart folks.”

Nixon has seen phishing lures in which attackers claim to be running an internal HR investigation into something a person allegedly said that was racist or another type of complaint. “They’re really upsetting false accusations, so the employee is going to be quite upset, quite motivated to shut this down,” said Nixon. “If they can get the employee emotional, they’ve got them on the hook.”

Once the employee gets rattled, the attackers will direct them to a fake helpdesk or HR website to input their login credentials. In more sophisticated companies that use multi-factor authentication or physical security keys, the attackers use the company’s remote software like AnyDesk or TeamViewer to eventually get inside internal networks. “They are very savvy as to how these companies defend themselves and authenticate their own employee users, and they’ve developed these techniques over a long period of time,” said Nixon.

Plus, Scattered Spider has picked up on a key asymmetry in authentication, said Sherri Davidoff, founder of LMG Security. When help desks call employees, they rarely have to identify themselves or prove they work for a company. Whereas when employees contact help desks, they have to verify who they are.

“Many organizations, either intentionally or unintentionally, condition their staff to comply with help desk requests,” said Davidoff. “[Threat actors] will then mimic the urgency, they’ll mimic any stress, and they’ll mimic the sense of authority that these callers have.”

Kids Today 

One of Scattered Spider’s signatures is that the group is incredibly chaotic, noted Greg Linares, a former hacker who is now a cybersecurity researcher at Eeye Digital Security. Unlike more established ransomware operators, Scattered Spider members communicate directly with victims’ C-level executives without formal negotiators. “They don’t have a professional person in the middle, so it’s just them being young adults and having fun,” said Linares. “That unpredictability among the group makes them charismatic and dangerous at the same time.”

The Scattered Spider attacks have featured brazen and audacious behaviors, like renaming the CEO to something profane in the company email address book, or calling customers directly and demanding ransom payments—general troll behavior “for the lols,” said Edwards. Serious criminal actors involved in ransomware money-making schemes, usually working for nation states like Russia or North Korea, use Signal or encrypted services, he added. The younger Scattered Spider members often create new channels on Telegram and Discord if they get banned and announce the new channel and make it public again. 

Experienced criminals “don’t run out there and create another Telegram, like, ‘Come on, everybody, back in the pool, the water’s fine,’” said Edwards. “It is absolutely what kids do.”

CrowdStrike senior vice president of counter adversary Adam Meyers told Fortune these techniques have been honed after years of escalating pranks in video game spaces. Kids will start by stealing items or destroying other kids’ worlds in video games like Minecraft, mostly to troll and bully each other, said Meyers. From there, they progress to conducting identity takeovers, usually because they want account names that have been claimed by users long ago, said Meyers. The account takeovers then evolve into targeting crypto holders. 

“Many of these teen offenders have been recruited and groomed from gaming sites, first with the offer of teaching them how to acquire in-game currency, and moving on to targeting girls for sextortion,” said Katie Moussouris, founder of startup Luta Security. “From there, they are encouraged to shift to other hacking crimes. There’s a well-established criminal pipeline that grooms young offenders to avoid adult prosecutions.”

A complaint unsealed in September in New Jersey alleged that UK teenager Thalha Jubair, 19, was part of Scattered Spider starting from when he was 15 or 16. Jubair is facing a maximum of 95 years in prison in a scheme that U.S. authorities allege infiltrated 47 unnamed companies including airlines, manufacturers, retailers, tech, and financial services firms, and raked in more than $115 million in ransom payments.

Owen Flowers, 18, was charged along with Jubair in the UK, according to the UK’s National Crime Agency. Both are accused in attacks on Transport for London and for allegedly conspiring to damage two U.S. healthcare companies. Flowers and Jubair have pleaded not guilty and a trial is set for next year.

Those charges came after another alleged Scattered Spider ringleader, Noah Michael Urban, 20, pleaded guilty to wire fraud, identity theft, and conspiracy charges and was sentenced to 10 years in federal prison in August. He was ordered to pay $13 million in restitution.

Four others, all under the age of 25, were charged alongside Urban in 2024 for allegedly being part of Scattered Spider’s cyber intrusion and crypto theft scheme, including an unnamed minor. In another alleged Scattered Spider attack, at least one unnamed juvenile turned himself in to police in Las Vegas for taking part in attacks on gaming companies in Las Vegas, according to police. 

‘Female candidates are a PRIORITY’ 

The field of cybercrime is almost exclusively dominated by male actors, but Scattered Spider has effectively recruited teenage and young adult women who have become a strategic asset. Nixon of Unit 221B said the number of girls in The Com is “exploding.”

Arda Büyükkaya, a senior threat intelligence analyst at EclecticIQ based in the EU, said he’s also found that some callers are using AI systems that will alter their voices to mimic a regional accent or other features, such as a woman “with a neutral tone” who offers pleasantries, such as “take your time,” that also downplay suspicions. 

Social engineering is rife with gender presumptions, said Karl Sigler, senior security manager at Trustwave SpiderLabs. Men tend to lean on their positions of authority as a senior executive or even a CFO or CEO, while women take the tactic of being in distress. 

“Women tend to be more successful at social engineering because, frankly, we’re underestimated,” said Moussouris of Luta Security. “This holds true whether trying to talk our way in by voice or in person. Women aren’t viewed as a threat by most and we’ve seen this play out in testing organizations where women may succeed in getting in and men don’t.”

In Nixon’s observation, The Com finds young women are useful “for social engineering purposes, and they’re also useful to them for just straight-up sexual purposes.” Some of the girls respond to ads in gaming spaces that specify “girls only” and others are victims of online sexual violence, said Nixon. 

“The people running these groups are still almost all male, and very sexist,” said Nixon. “The girls might be doing the low-level work, but they’re not going to be taught anything more than the bare minimum that they need to know. Knowledge is power in these groups, and mentorship is not given to girls.”

Many involved seem to be seeking money, notoriety among the group, a sense of belonging, and the rush and thrill of a successful attack, experts said.

Linares, who is known as the youngest ever hacker arrested in Arizona at age 14, said the hacking community he joined as a teen became closer to him than his actual family members at the time. If he were born in this era, Linares said he “absolutely” could see himself alerted to this type of crime and the money-making potential. Since sharing his story on a podcast over this summer, he’s heard from kids who are involved in cyber crime and he urges them to participate in legal bug bounty programs. Many have told him they are also autistic—a diagnosis Linares himself didn’t get until he was well in his 30s.

“A lot of these kids come from broken households, alcoholic parents, and they’re on the path of doing drugs as well,” said Linares. “Life is hard and they’re just looking for a way through.”

However, there is more to the picture. Marcus Hutchins, a cybersecurity researcher who famously stopped the global WannaCry ransomware attack and who previously faced federal charges related to malware he created as a teenager, said he’s learned that a lot of kids involved come from stable backgrounds with supportive parental figures. 

“A lot of these are privileged kids who come from loving families and they still somehow end up doing this,” Hutchins said. “How does someone who has everything going for them decide that they’re going to go after a company that is just absolutely going to insist that they go to jail?”

According to Kaiser, who after leaving the FBI joined cybersecurity firm Halcyon, the complexity lies in that the crimes are happening online and in secret. And in the grand tradition of parents not understanding kids’ slang, parents often find messages incomprehensible, which isn’t unusual, noted Nixon.  

Despite the natural tendency to underestimate kids’ abilities or always see the best in them as parents, Kaiser said parents have to protect kids—and it might mean getting uncomfortable about monitoring their online behavior. Even with her background as a top FBI cyber official, Kaiser said she still struggles as a parent. 

“I was the deputy director of the FBI’s Cyber Division, and I still don’t think I know how to fully secure my kids’ devices,” she said. “If my kid was acting foolish on the street, I’ll get a text. We’re not getting those alerts as parents, and that makes it really hard.”

Fortune contacted all the companies named in this article for comment. Some declined to comment and some could not comment directly due to ongoing investigations. Others noted their commitment to strong cybersecurity and that they had quickly neutralized threats to their systems.

This story was originally featured on Fortune.com
