Ten Minutes to Total Compromise: The MGM Grand Hack

MGM Grand: Ten Minutes to Total Compromise

At approximately 9:00 PM on Sunday, September 10, 2023, a guest at the MGM Grand Las Vegas walked up to the front desk to check in. The desk agent looked at the screen, looked at the guest, and offered an apology that would be repeated thousands of times in the coming days: the system was down.

No digital key. No automated check-in. Some casino bars cash-only. Slot machines displaying error screens across the floor. MGM’s mobile app — used by millions of frequent guests to unlock hotel rooms, make dining reservations, and manage their casino rewards — was not responding.

The largest casino operator on the Las Vegas Strip, with 23 hotel and casino properties including the Bellagio, the Aria, Vdara, Mandalay Bay and New York-New York, had been reduced to pen-and-paper operations.

Somewhere, almost certainly in a Telegram group chat, a collection of young English-speaking criminals was watching the chaos unfold in real time. They had done what years of professional red team assessments had warned was possible: a single phone call, roughly ten minutes of conversation, had handed them the keys to MGM's identity infrastructure.

Threat Actor Profile: Scattered Spider

Designation: Scattered Spider (CrowdStrike); UNC3944 (Mandiant); Octo Tempest (Microsoft); 0ktapus (Group-IB, for the 2022 phishing campaign); Starfraud
Attribution: English-speaking cybercriminals, primarily United States and United Kingdom; no nation-state affiliation assessed
Origin: No fixed geography; operators worked remotely across North America and the UK
Ages at Peak Activity: Approximately 16–24 years old
Primary Mission: Financially motivated cybercrime — data theft, ransomware deployment, SIM swapping, and cryptocurrency extortion
Known Tradecraft: Vishing (helpdesk impersonation), SIM swapping, MFA push fatigue attacks, SMS phishing, Okta identity provider abuse, ALPHV/BlackCat ransomware affiliate operations

Notorious Operations:

  • Twilio / 0ktapus (2022): Scattered Spider’s breakthrough campaign. Using a custom SMS phishing kit (“0ktapus”), the group harvested over 9,900 Okta credentials from employees at 130+ companies in a single month — including Cloudflare, Twilio, and DoorDash. The 0ktapus infrastructure exposed the group’s core method: attack the identity provider, everything downstream falls.
  • Caesars Entertainment (2023): In the weeks before MGM, Caesars Entertainment was compromised by the same group. Caesars quietly paid approximately $15 million — half the original $30 million demand — to prevent stolen data from being published. The payment was disclosed in an SEC filing three days after the MGM incident became public, to notably muted coverage.
  • MGM Resorts International (2023): Ten days of casino-wide disruption, approximately $100 million in losses, and a highly public ransomware deployment that became a case study in why human social engineering is often more powerful than technical exploitation.

Note: By 2024, law enforcement had made substantial progress. Tyler Buchanan, a 22-year-old UK national, was arrested in Palma, Spain, in June 2024. In November 2024 the Department of Justice unsealed charges against five members of the group, four US nationals plus Buchanan, for wire fraud, conspiracy and aggravated identity theft. Their ages at the time of the charged conduct ranged from 17 to 25.

The Method: LinkedIn, a Phone Call, and Total Domination

To understand how Scattered Spider compromised MGM, you need to understand what they were actually good at.

They were not elite hackers in the traditional technical sense. They did not discover zero-days or defeat military-grade cryptography. What they did — with an almost uncanny consistency — was social engineering. Specifically, the systematic exploitation of the one security control that cannot be patched: the human being answering the helpdesk phone.

The attack on MGM almost certainly began with open-source intelligence (OSINT). Scattered Spider’s operators scoured LinkedIn and company directories to identify an MGM employee — ideally one in IT or with system access, ideally with enough biographical detail available publicly to sound convincing. Name, job title, rough tenure, maybe a previous employer. Enough to pass a plausibility check.

Then someone picked up the phone.

A Scattered Spider operator called MGM’s IT helpdesk and impersonated the identified employee. The caller stated they were locked out of their account and requested a reset of their multi-factor authentication. They provided the biographical details that made the claim plausible. The helpdesk agent — following the standard procedure that exists in every large organization to help legitimate employees regain access — complied.

The entire interaction reportedly lasted approximately ten minutes.

That ten-minute call gave Scattered Spider authenticated access to MGM’s Okta identity and access management platform — the single pane of glass through which tens of thousands of MGM employees authenticated to dozens of critical internal applications. From Okta, an attacker with sufficient time and skill can provision themselves access to virtually any downstream system.

What followed was methodical. The attackers moved laterally through MGM's internal environment, escalating privileges and mapping the network. Within hours of the initial call, by most estimates, they had reached MGM's VMware ESXi hypervisors, the hosts running much of the company's server estate, and staged ALPHV/BlackCat ransomware against them. Scattered Spider was operating as an ALPHV affiliate: the group gained access, and ALPHV's ransomware and leak site did the extortion.

MGM's security team detected anomalous activity between Sunday evening, September 10, and the morning of September 11, and made the decision to shut down affected systems, including its Okta synchronization servers, as a containment measure. By then the ransomware had already been positioned. Whether the shutdown triggered the detonation or the attackers initiated it independently remains unclear, but the result was the same.

Across MGM’s Las Vegas properties, systems began failing in sequence.

The Chaos: Las Vegas Without Infrastructure

Las Vegas runs on technology. The modern mega-resort is a technology company with a hotel attached: thousands of point-of-sale terminals, tens of thousands of electronic door locks, reservation platforms, casino floor management systems, parking infrastructure, restaurant operations and entertainment scheduling. Remove the digital substrate and you have a spectacular, expensive building that doesn't quite work.

Casino floors were partially operational. Most slot machines kept spinning, although some displayed error screens and jackpots and ticket payouts had to be handled by hand, while cashless ticketing, digital displays and rewards redemption failed. Guests could not access their MGM Rewards points. Some ATMs and cash machines were impacted. Kiosks went dark.

Hotel operations reverted to manual. Guests who had booked through MGM’s app or online found digital room keys inoperative. Front desk staff hand-wrote room assignments. Lines stretched through lobbies for hours. The phone lines for reservations rang unanswered.

MGM’s website was intermittently unavailable for days. Online reservations systems were offline. The app that millions of frequent MGM visitors use for contactless check-in and room service disappeared.

The disruption lasted ten days. MGM declared systems substantially restored on September 20, 2023.

The company’s subsequent regulatory filings disclosed that the incident had cost approximately $100 million in direct losses — revenue shortfalls from casino operations, hotel bookings, restaurants, and entertainment. The stock dropped approximately 7% in the days following the incident. Remediation costs added further to the total.

The Contrast: Caesars Paid in Silence

The Caesars Entertainment breach offers the starkest possible comparison.

In the weeks before MGM's public catastrophe, Caesars Entertainment was compromised by the same group using the same method, in Caesars' case a social engineering attack on an outsourced IT support vendor. Caesars chose a different path. The company agreed to pay approximately $15 million in ransom, reportedly half of the original $30 million demand, to suppress publication of stolen data. The payment was processed quietly. The incident became public only through an SEC filing on September 14, three days after MGM's chaos began dominating headlines.

Neither outcome was obviously correct. MGM’s refusal to negotiate produced ten days of public chaos that cost an estimated $100 million — more than six times what Caesars paid. Caesars’ payment, by contrast, purchased relative silence, even if it incentivized future attacks.

This is the calculus that ransomware operations are designed to create. The attackers need only one outcome to be financially viable. Every organization that pays makes the next attack more likely. Every organization that refuses to pay endures visible consequences that frighten other potential targets toward payment. Both responses serve the attackers’ long-term interests.

Who Are Scattered Spider?

Scattered Spider was an anomaly in the contemporary threat landscape: a highly effective, English-speaking, Anglo-American group with no assessed nation-state affiliation, operating during Western business hours, communicating in fluent idiomatic English, with members largely based in jurisdictions where they were ultimately arrestable.

Most high-profile ransomware operations run from Russia or other jurisdictions that provide effective legal protection through the absence of extradition treaties or state tolerance of cybercrime. Scattered Spider's operators were working from Florida, Texas, North Carolina and the UK, directly within the reach of the FBI and DOJ.

Their technical methods were not novel. The exploitation of identity providers, abuse of helpdesk processes, and deployment of off-the-shelf ransomware through an affiliate model are documented techniques. What made Scattered Spider distinctive was their social engineering acuity — the fluency with which they impersonated employees, navigated helpdesk processes, and extracted credentials through conversation — and their willingness to apply it at scale against some of the largest and best-funded corporate security programs in the world.

Tyler Buchanan, the UK national arrested in Spain, was 22. The five members charged in November 2024 ranged in age from 17 to 25 at the time of the charged conduct. They managed to compromise dozens of major corporations over roughly two years of active operations, generating ransom payments, stolen cryptocurrency and stolen data worth, by any estimate, tens of millions of dollars, before systematic law enforcement action began reducing the group.

Their story is a proof of concept the security industry had been writing as theory for years: no amount of technical controls protects a system if the process that bypasses those controls can be manipulated through a phone call.

The Legacy: The Human Layer

MGM’s breach had a precise structural cause. The helpdesk process — the override mechanism that exists to restore access to legitimate employees who are genuinely locked out — created a human pathway around the MFA controls protecting Okta. An attacker who could convincingly impersonate an employee didn’t need to crack a password or defeat authentication hardware. They needed to sound believable for ten minutes.

For enterprise security teams, MGM crystallized the need for out-of-band identity verification before any helpdesk-initiated account change. Callback verification to a number taken from the HR system of record, never from the caller. In-person or manager-confirmed verification for privileged access resets. Step-up authentication before any process that can unilaterally restore access to an account. No helpdesk-initiated MFA resets for privileged users without a secondary verification path that the attacker cannot easily intercept. And, because some reset will eventually be granted to the wrong caller, monitoring that treats an MFA reset followed quickly by new-factor enrollment and a sign-in from an unfamiliar network as an incident rather than a routine ticket.

For Okta, the company found itself appearing repeatedly in Scattered Spider incident reports — not because Okta was technically vulnerable, but because it had become the keystone of enterprise identity architecture. Compromise Okta, and every downstream application is reachable. The reputational pressure of appearing in breach reports across dozens of major companies drove Okta to implement new administrative guardrails, including new restrictions on how administrators can modify MFA settings and improved anomaly detection.
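The detection described in the two paragraphs above, as an added example that is not MGM's, Okta's, or any vendor's code: it walks Okta System Log records and alerts when a successful administrator-initiated MFA factor reset on a user is followed, within a short window, by that user enrolling a new factor and starting a session from a network the account never used before the reset. The event type names (user.mfa.factor.reset_all, user.mfa.factor.deactivate, user.mfa.factor.activate, user.session.start) are real Okta System Log event types and the JSON fields are a subset of Okta's schema; the sample records, user ids, e-mail addresses and IP addresses are constructed for the example and are fictional.

```python
"""Flag a helpdesk MFA reset that turns into an account takeover.

Added example; not code from MGM, Okta or any incident report.
The eventType strings are Okta System Log event types; the record
shape is a subset of Okta's System Log JSON. SAMPLE_EVENTS is
constructed: ids, addresses and IPs are fictional.
"""
import ipaddress
import json
from datetime import datetime, timedelta

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
ENROLL_EVENT = "user.mfa.factor.activate"
LOGIN_EVENT = "user.session.start"

# Constructed sample records. jdoe is the MGM-style victim: the helpdesk
# resets MFA late on a Sunday, then a new factor and a session appear
# minutes later from a network jdoe has never used. asmith is a benign
# reset: the user re-enrols from their usual office network.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2023-09-08T14:02:11.000Z",
     "actor": {"id": "00u1", "alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "target": [], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-09-10T23:05:40.000Z",
     "actor": {"id": "00uHD", "alternateId": "helpdesk@example.com"},
     "client": {"ipAddress": "198.51.100.5"},
     "target": [{"id": "00u1", "alternateId": "jdoe@example.com", "type": "User"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-09-10T23:09:02.000Z",
     "actor": {"id": "00u1", "alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "192.0.2.77"}, "target": [], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2023-09-10T23:11:30.000Z",
     "actor": {"id": "00u1", "alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "192.0.2.77"}, "target": [], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2023-09-01T09:00:00.000Z",
     "actor": {"id": "00u2", "alternateId": "asmith@example.com"},
     "client": {"ipAddress": "203.0.113.20"}, "target": [], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-09-09T10:00:00.000Z",
     "actor": {"id": "00uHD", "alternateId": "helpdesk@example.com"},
     "client": {"ipAddress": "198.51.100.5"},
     "target": [{"id": "00u2", "alternateId": "asmith@example.com", "type": "User"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-09-09T10:04:00.000Z",
     "actor": {"id": "00u2", "alternateId": "asmith@example.com"},
     "client": {"ipAddress": "203.0.113.20"}, "target": [], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2023-09-09T10:05:00.000Z",
     "actor": {"id": "00u2", "alternateId": "asmith@example.com"},
     "client": {"ipAddress": "203.0.113.20"}, "target": [], "outcome": {"result": "SUCCESS"}},
]


def _ts(event):
    # Okta publishes ISO-8601 UTC timestamps with millisecond precision.
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _net(ip):
    # Baseline on /24 so a DHCP lease change on a known network is not "new".
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def detect_helpdesk_reset_takeover(events, window_minutes=120):
    """Return one alert per successful MFA reset that is followed within the
    window by a new-factor enrollment AND a sign-in from a network the target
    had never signed in from before the reset."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] not in RESET_EVENTS or ev["outcome"]["result"] != "SUCCESS":
            continue
        targets = [t for t in ev.get("target", []) if t.get("type") == "User"]
        if not targets:
            continue
        victim = targets[0]["id"]
        reset_at = _ts(ev)
        # Networks this user successfully signed in from before the reset.
        known = {_net(e["client"]["ipAddress"]) for e in events[:i]
                 if e["eventType"] == LOGIN_EVENT and e["actor"]["id"] == victim
                 and e["outcome"]["result"] == "SUCCESS"}
        enrolled = foreign_login = None
        for e in events[i + 1:]:
            if _ts(e) - reset_at > window:
                break  # events are sorted, so nothing later can qualify
            if e["actor"]["id"] != victim:
                continue
            if e["eventType"] == ENROLL_EVENT:
                enrolled = e
            elif e["eventType"] == LOGIN_EVENT and _net(e["client"]["ipAddress"]) not in known:
                foreign_login = e
        if enrolled and foreign_login:
            alerts.append({
                "user": targets[0]["alternateId"],
                "reset_by": ev["actor"]["alternateId"],
                "reset_at": ev["published"],
                "new_factor_from": enrolled["client"]["ipAddress"],
                "login_from": foreign_login["client"]["ipAddress"],
                "minutes_to_takeover": int((_ts(foreign_login) - reset_at).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_helpdesk_reset_takeover(SAMPLE_EVENTS), indent=2))
```

Run against the constructed sample it raises a single alert, for jdoe, five minutes after the helpdesk reset, and stays silent for asmith, whose re-enrollment came from a network already in the baseline. In production the same event types can be pulled from the Okta System Log API (/api/v1/logs), and the /24 baseline should be replaced by whatever network or device-trust signal the organization already maintains; the shape of the logic, reset then enrol then sign in from somewhere new, is the part that matters.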

For the ransomware ecosystem, ALPHV/BlackCat’s public claims of responsibility during the MGM incident — and their subsequent posting of statements accusing MGM of not negotiating in good faith — represented a new level of public theater in ransomware operations. ALPHV posted blog entries addressed directly to MGM. The spectacle was unprecedented. Several months later, ALPHV executed an exit scam, seizing the $22 million Change Healthcare ransom from their own affiliate and disappearing — a reminder that trust is as scarce between ransomware operators and their affiliates as between operators and victims.

For the gaming and hospitality industry, MGM’s ten days made visible exactly how deeply digital infrastructure is woven into the modern resort’s operations. The slot machines still spun. The neon still glowed. But the casino that cannot check guests in, cannot process cashless transactions reliably, and cannot access its reservation system is operating in a state that is visibly, uncomfortably degraded.

The wire that Scattered Spider touched in that Las Vegas IT helpdesk in September 2023 ran from a phone call through an identity provider through a hypervisor infrastructure to 23 hotels and casinos and hundreds of thousands of guests. Ten minutes. One human decision at the other end of the call. That was the entire entry point.


Attack Chain: MGM Grand — Scattered Spider / ALPHV

graph TD
    A["🕷️ Scattered Spider\n(UNC3944 / Octo Tempest)\nEnglish-speaking, US/UK-based\nAges 16–24; ALPHV affiliate"] --> B["Target Selection\nMGM Resorts International\n23 properties including\nBellagio, Aria, Mandalay Bay"]

    B --> C["OSINT Reconnaissance\nLinkedIn profile mining\nIdentify MGM IT employee\nHarvest name, job title,\nbiographical details"]

    C --> D["📞 Vishing Attack\n~10-Minute Phone Call\nImpersonate target employee\nContact MGM IT Helpdesk\n'I'm locked out of my account'"]

    D --> E{"Helpdesk Verification\nProcess"}
    E -->|"Biographical details\n— convincing enough"| F["MFA Reset Authorized\nOkta Account Unlocked\nNo Out-of-Band Verification\nHelpdesk Complied"]
    E -->|"Would have detected:\nCallback to known number\nIn-person verification"| Z["✅ Attack Prevented"]

    F --> G["🔓 Full Okta SSO Access\nMGM's Identity Provider\nAuthentication gateway\nto all downstream apps"]

    G --> H["Internal Reconnaissance\nPrivilege Escalation\nNetwork Mapping\nVMware ESXi Targeting"]

    H --> I["ALPHV/BlackCat\nRansomware Payload\nStaged Across\nMGM Infrastructure"]

    I --> J["MGM Detects Intrusion\nSystems Shutdown Ordered\nSept 10–11, 2023"]

    J --> K["Ransomware Deploys\nAcross Multiple Properties\nSystematic Encryption"]

    K --> L["🎰 Casino Floor\nCashless systems fail\nRewards system down\nKiosks dark"]
    K --> M["🏨 Hotel Operations\nDigital keys fail\nManual check-in\nLines for hours"]
    K --> N["📱 App & Web Dark\nWebsite intermittent\nReservations offline"]

    L --> O["10 Days of Disruption\nSept 11–20, 2023"]
    M --> O
    N --> O

    O --> P["💸 ~$100M Losses\nRevenue + Remediation\nStock drops ~7%"]

    K --> Q["ALPHV Posts Public\nStatements Claiming Credit\n'MGM not negotiating\nin good faith'"]

    P --> R["MGM Refuses to Pay\nRestores from Backups\nSept 20: Substantially Restored"]

    O --> S["Concurrent: Caesars Entertainment\nSame group, same period\nPaid ~$15M quietly\n(Disclosed Sept 14 SEC filing)"]

    P --> T["🚔 Law Enforcement"]
    T --> T1["DOJ Charges 5 Members\nNov 2024 (4 US + Buchanan)\nAges 17–25"]
    T --> T2["Tyler Buchanan\nArrested Palma, Spain\nJune 2024 (age 22)"]

    R --> U["Structural Lessons"]
    U --> U1["Helpdesk Verification:\nOut-of-Band Callback Required\nPrivileged Account MFA Reset\nRequires Secondary Auth"]
    U --> U2["Identity as Attack Surface:\nOkta Admin Guardrails\nImproved Anomaly Detection"]
    U --> U3["Human Layer Cannot\nBe Patched — Only Trained\nand Process-Hardened"]
