A teenage boy suspected of involvement in the Scattered Spider cyber attacks on two major Las Vegas casino operators, Caesars Entertainment and MGM Resorts, has been charged with multiple offences by the US authorities.
The individual, who cannot be named due to his age, surrendered himself to the Clark County Juvenile Detention Centre in Las Vegas on Wednesday 17 September, according to the Las Vegas Metropolitan Police Department.
He has been charged with three counts of obtaining and using personally identifying information (PII) to harm or impersonate, one count of extortion, one count of conspiracy to commit extortion, and one count of unlawful acts regarding computers.
It is understood the county District Attorney is seeking to transfer him to the criminal division which would result in him being tried as an adult.
The social engineering attacks against MGM and Caesars unfolded in quick succession two years ago, in September 2023.
The attacks began with vishing calls targeting IT service desk staffers at the two organisations, both of which were customers of identity and access management (IAM) supplier Okta, which coincidentally hosts its annual Oktane customer event this week at Caesars Forum.
The helpdesk staff were successfully duped into resetting all multifactor authentication (MFA) factors associated with Okta super administrator accounts. The attackers claimed they were able to use these privileges to gain access rights to other services, including MGM’s Microsoft Azure tenant, before pivoting to launch ransomware attacks against ESXi hypervisors.
At MGM Resorts, Scattered Spider’s operatives were able to disable slot machines and hotel room key cards, lock employees out of their systems, and disrupt booking systems. They caused losses of $100m at MGM Resorts alone.
In Ceasars Entertainment’s case, the hackers were able to access the firm’s loyalty programme database and exfiltrate personal data. In an SEC filing at the time, it said it took steps to ensure this data was deleted. This was widely taken to mean it had paid a ransom, although it never confirmed this.
Scattered Spider in court
Five others associated with the rampant Scattered Spider collective are also facing charges in relation to the Las Vegas cyber attacks, including a British national, named as Tyler Robert Buchanan, who was charged last November alongside four American citizens.
Meanwhile, two individuals appeared in court in the UK in relation to a separate Scattered Spider attack last week. Both Owen Flowers, 18, and Thalha Jubair, 19, faced charges relating to an incident that affected Transport for London (TfL) in 2024. They were remanded in custody at a hearing at Westminster Magistrate’s Court on Thursday 18 September.
Jabair additionally faces charges of conspiracy to commit computer fraud, wire fraud, and money laundering in the US, where a New Jersey court last week unsealed a criminal complaint against him accusing him of involvement in at least 120 network intrusions and extortion attempts against 47 unnamed US organisations. The authorities claim that the gang extorted over $115m from US victims.
“No cyber criminal is beyond our reach,” said assistant director Brett Leatherman of the FBI’s Cyber Division. “If you attack American companies or citizens, we will find you, we will expose you, and we will seek justice.
“The FBI continues to deploy every investigative and technical resource available to dismantle criminal cyber networks and hold their members accountable. This means working with trusted international partners like the UK’s National Crime Agency, the West Midlands Police, and the City of London Police, as well as utilising the capabilities of our state and local partners, who are valued members of FBI’s Cyber Task Forces.”
