Two cybercriminal groups known for conducting sophisticated network hacking operations globally are key suspects in a major statewide ransomware attack that disrupted Nevada government computer operations earlier this month, according to cybersecurity experts.
The loose network of cybercriminals known variously as Scattered Spider, Lapsus$ and ShinyHunters is said by two specialists to be working together in the attacks on state infrastructure networks while seeking ransom payment from the state in exchange for releasing locked-up information.
Nevada authorities said the cyberattack began Aug. 24 and shut down multiple government operations.
The attack led to the shutdown of the Department of Motor Vehicles branches, gun-purchase background checks, and many state agency websites and phone lines.
The impact left many Nevadans unable to access essential services. Many of the websites are being brought back online.
The best-known group linked by investigators to the operation is Scattered Spider, which was first detected in 2022 and was blamed for cyberattacks in 2023 on the MGM Grand and Caesars Entertainment casinos in Las Vegas.
Las Vegas police announced Friday the arrest earlier that week of a teenager linked to Scattered Spider on charges related to the 2023 casino hacks.
Lapsus$ was subsumed into Scattered Spider, and ShinyHunters is also said to be aligned with Scattered Spider.
One expert said all three groups have been linked to the Nevada cybercriminal attack.
Both Scattered Spider and ShinyHunters are said to include American, European, Russian and Asian hackers, many of them young men and teenagers.
One prominent Russian hacker and a Vietnam-based hacker linked to the Vietnamese intelligence services are said to be guiding younger hackers in Scattered Spider.
Nevada Gov. Joe Lombardo said Sept. 4 that the hackers exfiltrated state data and described the incident as a crisis.
The hackers did not access state financial information or DMV records or steal any personal data, he said.
He declined to comment on the identity of the hackers, citing concerns that doing so could trigger further attacks.
By Sept. 12, 90% of the systems had been reviewed for malware and were back online.
Asked the motivation behind the incident, Mr. Lombardo said, “Obviously, it’s a ransom … to achieve monetary gain.”
Mr. Lombardo declined to say whether the state paid any ransom.
Josh Meny, press secretary for Mr. Lombardo, said state regulations prohibit discussing details of the ongoing investigation.
A former National Security Agency official, who, like others, spoke on condition of anonymity, said those suspected in the Nevada hack are extremely skilled at both network penetration and gaining millions from holding data ransom.
“These two groups getting together is kind of a nightmare,” the former official said. “They are both very skilled.”
The groups’ operations far exceed the practice known as social engineering – calling network help desks and eliciting valuable login and other information.
“They use every domain and trick in the book, including social engineering and hiring inside people,” the former official said, noting he has conducted counter-hacking work against the groups in the past.
“Every time we denied them, they tried another trick,” the former official said.
Michael Hanna-Butros Meyering, chief communication and policy officer for Mr. Lombardo’s technology office, said: “The investigation remains ongoing, and we continue to coordinate closely with our federal law enforcement and intelligence partners, including the FBI and [Cybersecurity and Infrastructure Security Agency].”
Mr. Hanna-Butros said the state understands the public interest in identifying the culprit. But he said that premature or speculative conclusions risk undermining the integrity of the investigation and operational security.
“We are committed to transparency, but we will not compromise the quality or outcome of active investigative efforts by disclosing unconfirmed or classified information,” Mr. Hanna-Butros said.
One government source said the hackers are demanding $100 million to fully release any internal access or controls.
Mr. Hanna-Butros said those reports have not been validated through any official channel.
“Nevada’s response continues to focus on recovery, hardening critical infrastructure, and protecting the privacy and security of Nevadans,” Mr. Hanna-Butros said.
As more information becomes available and is verified, the state will provide updates on the investigation, he added.
The FBI and CISA stated in a July 25 advisory that Scattered Spider is a cybercriminal group that targets large companies and their contracted information-technology help desks through multiple methods.
Phone calls and text messages to help-desk staff are used to gain initial access, and once inside a network, the hackers install remote access malware.
The group has been detected targeting networks in the United States, Canada, Australia and Britain.
“Per trusted third parties, Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual [tactics, techniques and procedures],” the advisory stated.
Some tactics of the group are familiar, but “Scattered Spider threat actors often change TTPs to remain undetected,” the advisory noted.
The group is also known by such code names as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra.