Scattered Spider strikes again as regulators tighten grip on digital assets

The third week of September was a dramatic reminder that the digital financial landscape is a battleground of constant innovation and escalating threats, where the return of a notorious cyber gang and landmark regulatory moves are forging a new reality for finance.

  • Nikita Alexander
  • September 22, 2025
  • 5 minutes

The third week of September (15th – 21st, 2025) was a dramatic reminder that the digital financial landscape is a battleground of constant innovation and escalating threats. From the resurgence of a notorious cybercrime gang to major regulatory moves on digital assets, the period highlighted a continuous cycle of attack and adaptation for financial institutions.

1. Scattered Spider Returns with a Vengeance

Despite claims of disbanding, the cybercrime group Scattered Spider has resurfaced, launching attacks on the financial sector. According to a report from ReliaQuest, the group gained initial access by leveraging Azure AD Self-Service Password Management through social engineering. From there, they moved laterally through VPNs, exploited VMware, and attempted data exfiltration from platforms like Snowflake and AWS. The group’s previous “retirement” appears to have been a calculated move to evade law enforcement.

Bob’s Take: “The return of Scattered Spider is a powerful lesson in assuming persistence from threat actors. Their use of social engineering to gain a foothold, followed by sophisticated lateral movement and a focus on critical cloud infrastructure, is a playbook financial institutions should be preparing for. This isn’t just about patching systems; it’s about tightening controls on administrative privileges and implementing a Zero Trust model that assumes any account, even an executive’s, could be compromised.”

2. The UK and US Forge a Clearer Path for Digital Assets

Regulators in both the UK and US took significant steps to provide clarity on digital assets. In the UK, the Financial Conduct Authority (FCA) released Consultation Paper 25/25 to provide a clear framework for regulated crypto asset activities. This follows HM Treasury’s plan to bring crypto exchanges and dealers into the regulatory perimeter, setting clear standards for consumer protection and operational resilience. In the US, the Securities and Exchange Commission (SEC) approved new generic listing standards for exchange-traded products (ETPs) that hold spot commodities, including digital assets. This move simplifies the process for bringing digital asset ETPs to market.

Bob’s Analytical Point: “This is a watershed moment for institutional adoption of crypto. The SEC’s approval of generic listing standards signals a major shift from a product-by-product review to a streamlined process. When combined with the FCA’s comprehensive framework, it creates a much more certain regulatory environment. For financial firms, this is the green light they’ve been waiting for to build out their digital asset offerings with greater confidence.”

3. Supply Chain Attacks Continue to Wreak Havoc

The pervasive threat of supply chain attacks was underscored this week by the discovery of a worm-style campaign, dubbed “Shai-Hulud,” that compromised at least 187 npm packages, including one from cybersecurity firm CrowdStrike. The malicious payload propagated by modifying package metadata and injecting a script to exfiltrate credentials. In a separate incident, a Swedish IT services provider, Miljodata, suffered a breach that exposed the personal information of approximately 1.5 million individuals, impacting numerous municipalities and private companies like Volvo and SAS.

Bob’s Take: “These two incidents perfectly illustrate the dual nature of supply chain risk. The ‘Shai-Hulud’ worm shows how vulnerabilities in open-source software can spread exponentially, compromising the very tools used to build a secure network. The Miljodata breach, on the other hand, highlights the risk of third-party vendors, where a single point of failure can compromise millions of customer records. For CISOs, the message is clear: your defense perimeter is no longer just your network; it’s every third-party software and service you rely on.”

4. A New Approach to Payments and Data Privacy

In a significant move for privacy, California’s legislature passed a landmark online privacy bill requiring web browsers to let users auto-opt-out of data tracking and sharing by default. If signed into law, this would compel browsers to offer a one-click mechanism to honor consumer opt-out preferences. Meanwhile, the IMF hailed India’s Unified Payments Interface (UPI) as a global model for digital payments and financial inclusion, noting its open architecture and interoperable design as key to preventing monopolies and empowering consumers.

Bob’s Analytical Point: “The California privacy bill represents a major win for consumer data rights and will likely influence similar legislation in other jurisdictions. For fintechs and financial institutions, this means a shift in data collection practices is on the horizon. The IMF’s praise for UPI, on the other hand, provides a powerful case study for central banks and governments worldwide. It’s proof that a public, interoperable digital payment infrastructure can be a catalyst for both financial innovation and inclusion, a crucial lesson for countries developing their own instant payment systems.”

5. Financial Downtime Becomes a Coordinated Effort

In an unusual but notable development, three of India’s largest banks, State Bank of India (SBI), HDFC Bank, and Kotak Mahindra Bank, announced synchronized scheduled maintenance, temporarily disrupting services like net banking, UPI, and mobile banking. This coordinated downtime, while inconvenient for customers, is a sign of increasing cooperation in the financial sector.

Bob’s Take: “While routine, this type of coordinated maintenance is a sign of a maturing digital financial infrastructure. By planning service interruptions together, banks can minimize the systemic risk of one failure causing a domino effect across the ecosystem. This also sets a precedent for how financial institutions can collaborate on broader issues, such as cybersecurity response and disaster recovery, to enhance the overall resilience of the market.”