Scattered Spider Guilty Pleas Show the Cost of Help Desk Abuse
KrebsOnSecurity reported that two Scattered Spider members pleaded guilty in the UK over the Transport for London attack, with U.S. allegations tying the group to major intrusions and ransom payments.

On June 23, 2026, KrebsOnSecurity reported that two men pleaded guilty in the United Kingdom to charges connected to the August 2024 cyberattack on Transport for London. Krebs identified them as key members of Scattered Spider, a group known for social engineering, SIM swapping, SMS phishing, help desk manipulation, and cloud account abuse.
This story deserves its own post because Scattered Spider is a case study in how human process failures can produce enterprise-scale impact.
Why this matters
Krebs reported that U.S. prosecutors previously alleged Scattered Spider members were linked to 120 network intrusions involving 47 U.S. entities and at least $115 million in ransom payments. The group has been associated with attacks where identity systems, telecommunications workflows, and support processes were used as paths into organizations.
The lesson is that mature attackers do not always need a zero-day. Sometimes they need a phone call, an SMS lure, a SIM swap, or a support agent under pressure.
Krebs also reported that one defendant was tied to Star Fraud Chat, a Telegram-based SIM-swapping service that allegedly used voice and SMS phishing to steal employee credentials at major wireless providers. Once attackers gained carrier-tool access, they could redirect a target's phone number to a device they controlled and intercept calls and text messages, including one-time codes.
That detail is critical because it explains why SMS-based recovery is so risky for executives, administrators, and public-facing employees. If a phone number can be moved, then any security process that trusts that number can be moved too.
The Transport for London lesson
The TfL case also shows that cyber incidents can become public safety and continuity events. Krebs reported that the guilty pleas involved causing risk of serious damage to human welfare, not merely unauthorized access. Public transport, healthcare, telecoms, and financial services all depend on identity workflows that can be targeted through social engineering.
Scattered Spider-style attacks are therefore not only a SOC problem. They are an operations problem. The help desk, telecom admin team, HR onboarding, executive support, and identity engineering team all sit inside the threat model.
What organizations should do
- Harden password reset and MFA reset workflows.
- Require out-of-band verification for privileged support requests.
- Remove SMS-based recovery from administrator accounts.
- Monitor for repeated MFA prompts, new device enrollment, and unusual identity recovery events.
- Train help desk staff on Scattered Spider-style pressure tactics.
- Review telecom account protections for executives and privileged users.
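One way to turn the monitoring item above into detection logic, as an added example that is not from KrebsOnSecurity or any vendor's product. The event type names, the normalized `(time, user, type)` schema, the thresholds, and the sample events are all assumptions constructed for illustration; map them to whatever your identity provider actually logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema: (time, user, type).
EVENTS = [
    ("2024-08-01T09:00:00", "alice", "mfa_prompt_denied"),
    ("2024-08-01T09:00:40", "alice", "mfa_prompt_denied"),
    ("2024-08-01T09:01:10", "alice", "mfa_prompt_denied"),
    ("2024-08-01T09:02:00", "alice", "mfa_prompt_denied"),
    ("2024-08-01T10:00:00", "bob", "helpdesk_mfa_reset"),
    ("2024-08-01T10:12:00", "bob", "device_enrolled"),
    ("2024-08-01T11:00:00", "carol", "device_enrolled"),  # no recovery before it
    ("2024-08-01T14:00:00", "dave", "helpdesk_password_reset"),
    ("2024-08-02T09:00:00", "dave", "device_enrolled"),   # outside the window
]

# Assumed event names and tuning values; adjust to your environment.
RECOVERY = {"helpdesk_mfa_reset", "helpdesk_password_reset", "sms_recovery"}
PROMPT_THRESHOLD = 4
PROMPT_WINDOW = timedelta(minutes=5)
ENROLL_WINDOW = timedelta(hours=1)

def detect(events):
    """Return a sorted list of (user, rule) findings."""
    by_user = defaultdict(list)
    for ts, user, kind in events:
        by_user[user].append((datetime.fromisoformat(ts), kind))
    findings = set()
    for user, evs in by_user.items():
        evs.sort()
        # Rule 1: PROMPT_THRESHOLD denied prompts inside a sliding window.
        denied = [t for t, k in evs if k == "mfa_prompt_denied"]
        for i in range(len(denied) - PROMPT_THRESHOLD + 1):
            if denied[i + PROMPT_THRESHOLD - 1] - denied[i] <= PROMPT_WINDOW:
                findings.add((user, "repeated_mfa_prompts"))
                break
        # Rule 2: a new device enrolled shortly after a recovery event.
        recoveries = [t for t, k in evs if k in RECOVERY]
        for t, k in evs:
            if k == "device_enrolled" and any(
                timedelta(0) <= t - r <= ENROLL_WINDOW for r in recoveries
            ):
                findings.add((user, "enroll_after_recovery"))
    return sorted(findings)

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"ALERT user={user} rule={rule}")
```

Findings from the second rule are most useful when routed to someone who can confirm with the account owner through a channel that does not depend on the phone number or device that was just changed.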
The takeaway
Scattered Spider proves that identity recovery is part of the attack surface. A secure login flow can still fail if recovery workflows are easy to manipulate.