Scattered Spider vs MGM Resorts: No-Code Social Engineering Takes Down Vegas

A 10-minute LinkedIn search and one phone call to the MGM helpdesk was all Scattered Spider needed to begin an attack that disrupted MGM's slot machines, hotel check-ins, and digital room keys across Las Vegas for 10 days.

MGM Resorts International · 2023 · 2 min read

Attack Chain

  1. Phishing email sent
  2. Credentials captured
  3. MFA fatigue attack
  4. VPN / remote access gained
  5. Lateral movement
  6. Data exfiltration
  7. Ransom demand

Background

MGM Resorts International operates 31 hotels and casinos with revenues of $14 billion. One week before the Caesars attack was disclosed, MGM suffered an attack by the same group — but MGM refused to pay, and paid a far higher operational price.

The Attack

Scattered Spider found an MGM IT employee on LinkedIn. They called the MGM helpdesk, provided the employee's name and some basic details, and successfully convinced the operator to reset MFA credentials. With valid credentials, they gained access and deployed ALPHV/BlackCat ransomware. Slot machines stopped working. Hotel check-in systems went offline. Digital room keys became inoperable. Casino floor cash registers failed. The company's reservation system was inaccessible.
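The pivot described above (a helpdesk-initiated MFA reset followed shortly by remote access from a device the user has never used) is the kind of sequence a SOC can correlate. The following detection logic is an added example, not code from the original case study or from MGM; the log format, field names, ticket ids and sample events are constructed assumptions.

```python
# Added example: flag a helpdesk MFA reset that is followed, within a window,
# by a VPN login from a device never seen for that user before the reset.
# The log layout and sample lines below are constructed for this example.
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <event> key=value ..."
EVENTS = """
2023-09-10T14:02:11Z mfa_reset user=jdoe actor=helpdesk ticket=HD-1234
2023-09-10T14:19:47Z vpn_login user=jdoe device=unknown-win11 src=203.0.113.7
2023-09-10T09:00:00Z vpn_login user=asmith device=corp-laptop-77 src=198.51.100.4
2023-09-10T15:40:00Z mfa_reset user=asmith actor=helpdesk ticket=HD-1240
2023-09-11T08:00:00Z vpn_login user=asmith device=corp-laptop-77 src=198.51.100.4
""".strip().splitlines()


def parse(line):
    """Split one log line into (timestamp, event name, {field: value})."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def find_suspicious_resets(lines, window_hours=24.0):
    """Return (user, ticket, device) for every helpdesk MFA reset that is followed
    within `window_hours` by a VPN login from a device not previously seen for
    that user. A user with no login history before the reset has no baseline,
    so any post-reset device is reported."""
    window = timedelta(hours=window_hours)
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    known_devices = {}   # user -> set of devices seen so far
    pending_reset = {}   # user -> (reset time, ticket id)
    alerts = []
    for ts, event, f in events:
        user = f["user"]
        if event == "mfa_reset" and f.get("actor") == "helpdesk":
            pending_reset[user] = (ts, f.get("ticket", "?"))
        elif event == "vpn_login":
            reset = pending_reset.get(user)
            seen = known_devices.setdefault(user, set())
            if reset and ts - reset[0] <= window and f["device"] not in seen:
                alerts.append((user, reset[1], f["device"]))
                pending_reset.pop(user)
            seen.add(f["device"])
    return alerts


if __name__ == "__main__":
    for user, ticket, device in find_suspicious_resets(EVENTS):
        print(f"ALERT: {user} reset via {ticket}, then VPN login from new device {device}")
```

In the sample data only jdoe is flagged: asmith's post-reset login comes from a device already on record, so the rule stays quiet.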

Response

MGM refused to pay the ransom. They worked with Microsoft, CrowdStrike, and the FBI to contain and rebuild. Full restoration took approximately 10 days. MGM was subsequently transparent about the attack in public statements.

Outcome

MGM estimated the attack cost $100 million in revenue impact plus tens of millions in remediation. The contrast with Caesars — which paid $15 million and avoided disruption — illustrates that both outcomes have significant costs. MGM's refusal to pay was widely praised by law enforcement.

Key Takeaways

  1. IT helpdesks are the most targeted social engineering surface in large enterprises — identity verification must be rigorous
  2. A LinkedIn search provides enough personal information to pass many helpdesk verification processes
  3. Refusing to pay ransomware is ethically correct and supported by law enforcement — but requires robust backup infrastructure
  4. Casino and hospitality operational technology is deeply integrated with IT, amplifying ransomware disruption

Tags: Scattered Spider, ALPHV, helpdesk vishing, casino, LinkedIn OSINT