FBI Warns of Scattered Spider’s Expanding Attacks on Airlines Using Social Engineering

Nicco Mendoza

June 30, 2025

The FBI has put the aviation world on notice: Scattered Spider, the same crew that paralyzed casinos last year, is now infiltrating airline networks by fooling help-desk agents into approving fraudulent multi-factor-authentication changes. 

How the intrusions unfold

  • Attackers pose as pilots, contractors, or managed-service staff and phone support desks with urgent requests. 

  • Help-desk staff are convinced to add new phones or tokens, handing the intruders live access to cloud and on-prem systems.

  • With valid credentials, the group pivots into Azure Entra ID, Horizon VDI, VPNs, and vCenter, then steals data for extortion or detonates ransomware when cornered.

Scale of the threat
Google Mandiant and Palo Alto Networks confirm multiple airline and transportation breaches that mirror Scattered Spider tactics, including recent incidents at Hawaiian Airlines and WestJet. 

Inside a recent breach
ReliaQuest describes the gang impersonating a chief financial officer, passing identity checks with a real birth date and partial SSN, then battling defenders for global-admin control before wiping firewall rules in a last-ditch scorched-earth move.

The bottom line
Scattered Spider wins by hijacking moments of human trust, not by brute-forcing code. Strengthen identity checks at the help desk, keep watch for suspicious MFA resets, and move fast when alerts fire. Find breaches, hunt threats, defend the skies.
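One way to watch for the pattern described above, where an MFA method is enrolled by someone other than the account owner and a sign-in to VPN, VDI, or vCenter from an unfamiliar address follows, is sketched here as an added example that does not come from the FBI alert or the vendors cited. The event schema, account names, app labels, known-IP baseline, and 24-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral schema (not a real product's log format).
EVENTS = [
    {"ts": "2025-06-27T09:00:00", "type": "mfa_method_added", "actor": "helpdesk.agent3", "target": "ops.asmith"},
    {"ts": "2025-06-27T09:20:00", "type": "sign_in", "actor": "ops.asmith", "app": "horizon-vdi", "ip": "198.51.100.22"},
    {"ts": "2025-06-27T14:02:00", "type": "mfa_method_added", "actor": "helpdesk.agent7", "target": "pilot.jdoe"},
    {"ts": "2025-06-27T14:09:00", "type": "sign_in", "actor": "pilot.jdoe", "app": "vpn", "ip": "203.0.113.50"},
    {"ts": "2025-06-27T14:30:00", "type": "sign_in", "actor": "pilot.jdoe", "app": "vcenter", "ip": "203.0.113.50"},
    {"ts": "2025-06-27T15:00:00", "type": "mfa_method_added", "actor": "crew.blee", "target": "crew.blee"},
    {"ts": "2025-06-27T15:05:00", "type": "sign_in", "actor": "crew.blee", "app": "vpn", "ip": "203.0.113.99"},
    {"ts": "2025-06-30T08:00:00", "type": "sign_in", "actor": "ops.asmith", "app": "vpn", "ip": "203.0.113.7"},
]

# Constructed baseline of addresses each user normally signs in from.
KNOWN_IPS = {
    "ops.asmith": {"198.51.100.22"},
    "pilot.jdoe": {"198.51.100.7"},
    "crew.blee": {"198.51.100.31"},
}
SENSITIVE_APPS = {"entra-admin", "horizon-vdi", "vpn", "vcenter"}  # assumed labels
WINDOW = timedelta(hours=24)  # assumed correlation window


def find_suspicious_resets(events, known_ips, window=WINDOW):
    """Return (user, enrolled_by, app, ip) for sign-ins that follow a
    help-desk MFA enrollment and come from an address not in the baseline."""
    alerts = []
    pending = {}  # user -> (enrollment time, account that performed it)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        # Only enrollments made on someone else's behalf are tracked here;
        # self-service enrollment needs its own rule.
        if e["type"] == "mfa_method_added" and e["actor"] != e["target"]:
            pending[e["target"]] = (ts, e["actor"])
        elif e["type"] == "sign_in" and e["actor"] in pending:
            enrolled_at, agent = pending[e["actor"]]
            if ts - enrolled_at > window:
                del pending[e["actor"]]  # enrollment too old to correlate
                continue
            new_ip = e["ip"] not in known_ips.get(e["actor"], set())
            if new_ip and e["app"] in SENSITIVE_APPS:
                alerts.append((e["actor"], agent, e["app"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS, KNOWN_IPS):
        print("REVIEW:", alert)
```

Each alert names the help-desk account that performed the enrollment, so responders can pull the matching call or ticket record and re-verify the caller.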
