Tags: #ransomware #social-engineering #scattered-spider

MGM and Caesars 2023

Two of the largest casino operators in the world were taken down by the same group within a week, both via the help desk and a confident phone call.

Cyber Chronicle | 2 min read

In September 2023, MGM Resorts went dark across its Las Vegas properties. Slot machines stopped accepting cards. Hotel keycards stopped working. The website went down. For several days, employees took reservations on paper and keyed in cash transactions by hand.

Ten minutes of social engineering

The intrusion did not require zero-days. The group behind it — a loose, predominantly English-speaking collective tracked as Scattered Spider — identified an MGM IT employee on LinkedIn, called the company's help desk pretending to be that employee, and convinced the agent to reset the employee's credentials. The reset gave the attackers a foothold in Okta from which they pivoted into the wider environment and detonated ALPHV / BlackCat ransomware.

Caesars Entertainment had been hit by the same crew weeks earlier. Caesars chose to pay an estimated fifteen million dollars in ransom and disclosed the incident with comparatively little operational disruption. MGM refused to pay. The cost of MGM's choice, by the company's own subsequent estimate, was over a hundred million dollars in lost revenue and remediation.

A new kind of crew

Scattered Spider was unusual. Its members were largely native English speakers, many of them teenagers and young adults in the US and UK. They combined SIM-swapping, vishing, and Telegram-based coordination with underlying ransomware tooling provided by Russian-speaking partners — a hybrid model that proved unusually effective against Western help desks.

What the chronicle remembers

MGM and Caesars made the casino floor a case study in identity provider risk. Once an Okta admin account was compromised, the technical security of every downstream system became negotiable. Every CISO with an IT help desk spent the following quarter rewriting their identity-verification scripts.
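As an added, constructed illustration of the detection a defender would want for the chain described above (help-desk reset, new factor, pivot), not code from the original chronicle or from MGM, Caesars or Okta: correlate a password reset performed by someone other than the account owner with an MFA factor activated shortly afterwards from outside the corporate network, and attach any later privilege grant by that account as evidence. Event type names follow Okta's System Log naming scheme but are treated as assumptions here, and every event below is fabricated.

```python
from datetime import datetime, timedelta

# Constructed Okta-style System Log events (not real MGM/Caesars telemetry).
# Event type names follow Okta's naming scheme; treat them as assumptions.
EVENTS = [
    {"published": "2023-09-10T14:02:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.agent", "target": "it.admin", "client_ip": "10.0.5.17"},
    {"published": "2023-09-10T14:06:30Z", "eventType": "user.session.start",
     "actor": "it.admin", "target": "it.admin", "client_ip": "198.51.100.23"},
    {"published": "2023-09-10T14:07:10Z", "eventType": "user.mfa.factor.activate",
     "actor": "it.admin", "target": "it.admin", "client_ip": "198.51.100.23"},
    {"published": "2023-09-10T14:20:00Z", "eventType": "user.account.privilege.grant",
     "actor": "it.admin", "target": "svc.backup", "client_ip": "198.51.100.23"},
    # Benign: self-service reset, factor activated from a corporate address.
    {"published": "2023-09-10T16:00:00Z", "eventType": "user.account.reset_password",
     "actor": "jane.doe", "target": "jane.doe", "client_ip": "10.0.5.40"},
    {"published": "2023-09-10T16:03:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "jane.doe", "target": "jane.doe", "client_ip": "10.0.5.40"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def help_desk_reset_takeovers(events, window=timedelta(minutes=30), corp_prefix="10."):
    """One finding per third-party password reset that is followed, within `window`,
    by an MFA factor activated for the same target from a non-corporate IP.
    Later privilege grants made by that target are attached as supporting evidence."""
    events = sorted(events, key=lambda e: _ts(e["published"]))
    findings = []
    for i, reset in enumerate(events):
        if reset["eventType"] != "user.account.reset_password":
            continue
        if reset["actor"] == reset["target"]:
            continue  # self-service reset; not the help-desk pattern
        deadline = _ts(reset["published"]) + window
        for later in events[i + 1:]:
            if _ts(later["published"]) > deadline:
                break
            if (later["eventType"] == "user.mfa.factor.activate"
                    and later["target"] == reset["target"]
                    and not later["client_ip"].startswith(corp_prefix)):
                grants = [e["target"] for e in events[i + 1:]
                          if e["eventType"] == "user.account.privilege.grant"
                          and e["actor"] == reset["target"]]
                findings.append({"target": reset["target"], "reset_by": reset["actor"],
                                 "factor_ip": later["client_ip"], "privilege_grants": grants})
                break
    return findings
```

The corporate-prefix check is a stand-in for whatever network or device-trust signal the identity provider actually exposes; the point is that a reset followed by factor enrollment from an unfamiliar location is the moment the help-desk call becomes a foothold.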