Proof

Turning Account Recovery Into a Seven-Figure Business

In 2023, the threat group Scattered Spider used social engineering tactics such as impersonating IT staff and voice phishing to infiltrate the major casino operators MGM Resorts and Caesars Entertainment, causing hundreds of millions of dollars in damage. Since then, similar groups Cordial Spider and Snarky Spider have adopted this identity-focused attack playbook, targeting a range of industries with phone-based phishing to steal credentials and MFA tokens in real time, which enables rapid data exfiltration and extortion demands reaching seven figures.

In 2023, a threat group called Scattered Spider dismantled two of the largest casino operations in the world. Their attacks on MGM Resorts and Caesars Entertainment relied entirely on social engineering: calling employees, impersonating IT staff, and infiltrating identity systems to gain access to critical infrastructure. The financial damage reached hundreds of millions of dollars, demonstrating the power of identity-focused attackers against large enterprises.

Since then, this playbook has become a template for other threat actors. CrowdStrike recently reported on two new groups, Cordial Spider and Snarky Spider, who have been running data theft and extortion campaigns against US organizations since at least October 2025. Both operate within The Com, the same loosely organized online criminal community that produced Scattered Spider, and both use similar tactics: voice phishing, fake login pages, and rapid movement through SaaS environments once inside. While they differ in tools, operating hours, and infrastructure, the core exploit remains the same.

According to Unit 42, the extortion demands from these groups typically reach seven figures. Their targets span financial services, retail, hospitality, legal, aviation, technology, and academia. The entry point for all of them is a phone call to someone inside the organization.

The attack, step by step

The attack method is straightforward, which makes it effective. Attackers contact employees via voice calls, text messages, or emails, directing them to phishing pages that mimic their employer's single sign-on portal or identity provider. When an employee enters their credentials, attackers capture MFA tokens in real time using adversary-in-the-middle techniques, gaining a valid session and a path forward.

Once inside, the groups move quickly. Snarky Spider has been observed beginning data exfiltration in under an hour. Their immediate priority is persistence: removing the legitimate MFA device from the compromised account, enrolling a new one under attacker control, and deleting warning alerts that would otherwise notify the organization. With persistence established, attackers traverse the victim's SaaS environment, extracting data to maximize leverage for extortion.

Organizations that refuse to pay face public data leaks, resale to other threat groups, and DDoS attacks. Snarky Spider has escalated coercion by swatting—sending law enforcement to employees' homes under false pretenses.
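The persistence sequence described above (a new session, then removal of the legitimate MFA factor, enrollment of an attacker-controlled one, and deletion of alerting) is something an identity provider's audit log can surface. The following is an added detection example, not code from this post or from any vendor; the event names, fields and sample events are constructed assumptions, since each identity provider uses its own log schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events in a generic shape (assumption: real identity
# providers use their own event names and fields). alice's sequence mirrors the
# takeover pattern; bob enrolls a factor hours after logging in from a known IP.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00", "user": "alice", "event": "session.start", "ip": "203.0.113.7"},
    {"ts": "2026-04-01T09:04:00", "user": "alice", "event": "mfa.factor.remove", "ip": "203.0.113.7"},
    {"ts": "2026-04-01T09:05:30", "user": "alice", "event": "mfa.factor.enroll", "ip": "203.0.113.7"},
    {"ts": "2026-04-01T09:07:00", "user": "alice", "event": "alert.rule.delete", "ip": "203.0.113.7"},
    {"ts": "2026-04-01T10:00:00", "user": "bob", "event": "session.start", "ip": "198.51.100.9"},
    {"ts": "2026-04-01T15:00:00", "user": "bob", "event": "mfa.factor.enroll", "ip": "198.51.100.9"},
]
# IPs each user has previously been seen from (constructed).
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.9"}}

PERSISTENCE_EVENTS = {"mfa.factor.remove", "mfa.factor.enroll", "alert.rule.delete"}


def find_mfa_takeovers(events, known_ips, window=timedelta(hours=1)):
    """Return one finding per session that starts from an IP the user has not
    used before and is followed, within `window`, by both removal of an existing
    MFA factor and enrollment of a new one. Alert-rule deletion in the same
    window is reported as extra context but is not required for a finding."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "session.start" or e["ip"] in known_ips.get(user, set()):
                continue
            start = datetime.fromisoformat(e["ts"])
            seen = {}  # first timestamp of each persistence event in the window
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - start > window:
                    break
                if later["event"] in PERSISTENCE_EVENTS:
                    seen.setdefault(later["event"], later["ts"])
            if {"mfa.factor.remove", "mfa.factor.enroll"} <= set(seen):
                findings.append({"user": user, "ip": e["ip"], "session_start": e["ts"],
                                 "events": seen})
    return findings
```

In production the "known IP" check would be replaced by the provider's own new-device or impossible-travel signal, and a finding should page a human rather than auto-revert the change.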

The gap these groups are designed to find

This attack chain is possible because many organizations treat a valid credential as sufficient proof of identity during high-stakes account changes. If removing a trusted MFA device or enrolling a new one requires only a captured session token, the identity layer meant to protect these moments is absent. This is the gap Cordial and Snarky Spider exploit.

The key distinction is between authentication and identity verification. Authentication confirms knowledge of a password or possession of a token. Identity verification confirms that the person requesting access is truly who they claim to be. Organizations that conflate these two are vulnerable to these attacks, and the rise in vishing suggests this exposure is growing.

According to Mandiant's M-Trends 2026 report, voice phishing became the second-most common initial infection vector in 2025, appearing in 11% of incident response investigations. In cloud environments, it was the most common initial access method, accounting for 23% of cloud intrusions, while traditional email phishing dropped to 6%.

Attackers have realized that social engineering over the phone is easier than bypassing technical controls, shifting their investment in offensive tradecraft accordingly.

What a real identity control looks like at these moments

Closing this gap requires intervention at the point where attacks pivot from credential theft to account control: when someone requests an MFA device change or account recovery, or executes a high-stakes workflow.

If that moment requires verified identity—such as a government-issued ID and a real-time biometric match confirmed to be live and untampered—a stolen session token alone is insufficient.

This is the control layer Proof is designed to deliver. By requiring verified, human identity at the riskiest workflow moments and creating a tamper-evident record of who authorized each action and when, Proof closes the gap between authentication and verification that groups like Cordial and Snarky Spider exploit.
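To make the distinction between authentication and identity verification concrete, here is an added example of a workflow gate that refuses to act on a session token alone for high-risk actions and writes a tamper-evident (hash-chained) audit record of each decision. It is illustrative code written for this article, not Proof's product or API; the action names, the assertion fields and the five-minute freshness window are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: action names are illustrative, not any product's or IdP's API.
HIGH_RISK_ACTIONS = {"mfa.factor.remove", "mfa.factor.enroll", "account.recover"}
MAX_ASSERTION_AGE = timedelta(minutes=5)  # how long a verification stays fresh

@dataclass
class IdentityAssertion:
    subject: str             # who was verified
    document_verified: bool  # government-issued ID checked
    liveness_passed: bool    # real-time biometric judged live and untampered
    verified_at: str         # ISO-8601 timestamp of the check

@dataclass
class AuditLog:
    """Tamper-evident record: each entry's hash covers the previous hash."""
    entries: list = field(default_factory=list)
    def _digest(self, prev: str, record: dict) -> str:
        return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"record": record, "prev": prev, "hash": self._digest(prev, record)})
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["record"]):
                return False
            prev = e["hash"]
        return True

def authorize(session_user: str, action: str, assertion, log: AuditLog, now: str):
    """A valid session suffices for low-risk actions; a high-risk action also needs a fresh, live, document-backed assertion for the same subject."""
    if action not in HIGH_RISK_ACTIONS:
        allowed, reason = True, "session sufficient for low-risk action"
    elif assertion is None:
        allowed, reason = False, "session token alone cannot authorize a high-risk action"
    elif assertion.subject != session_user:
        allowed, reason = False, "assertion subject does not match session user"
    elif not (assertion.document_verified and assertion.liveness_passed):
        allowed, reason = False, "document or liveness check did not pass"
    elif datetime.fromisoformat(now) - datetime.fromisoformat(assertion.verified_at) > MAX_ASSERTION_AGE:
        allowed, reason = False, "identity assertion is stale"
    else:
        allowed, reason = True, "verified identity"
    log.append({"user": session_user, "action": action, "allowed": allowed, "reason": reason, "at": now})
    return allowed, reason
```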

These groups are running Scattered Spider's playbook at scale, and it continues to succeed because many organizations still treat credential possession as identity confirmation during critical moments.

Organizations relying solely on authentication to protect sensitive account workflows are exposed to the same vulnerabilities these groups target.

On May 26, Proof is hosting a live session on this problem, covering how to:

  • Replace vulnerable knowledge-based questions with cryptographically secure identity proofing
  • Stop social engineering at the help desk
  • Build an auditable trail of every access grant, making verified identity the standard for account recovery requests

If you'd like to discuss where account recovery fits into your security posture, you can book time with the Proof team.