Ransomware · Ransom paid

Caesars Entertainment Scattered Spider ransom payment (2023)

Scattered Spider impersonated a Caesars employee on a call to a third-party IT support vendor and convinced the vendor to hand over credentials for Caesars' Okta platform, then exfiltrated customer loyalty data including SSNs and driver's licence numbers. Caesars paid roughly $15 million in ransom; the FBI later froze a substantial portion of the funds with Chainalysis assistance.

Victim: Caesars Entertainment
Loss: $15.0M

In August 2023, Caesars Entertainment, one of the largest U.S. casino and hospitality operators, was breached by Scattered Spider through a phone call to a third-party IT support vendor. The attackers exfiltrated customer loyalty data including Social Security numbers and driver's licence numbers, and within weeks Caesars paid approximately $15 million in cryptocurrency to keep the data from being published. The case is also a rare counter-example: the FBI, using Chainalysis tooling, traced the payment on the blockchain and froze a substantial portion of it after Caesars paid.

What happened

Scattered Spider's playbook by 2023 was well-rehearsed: identify a third-party IT support vendor with privileged access to the target's identity systems, social-engineer the vendor's support staff into resetting credentials or granting access, and ride that access from the vendor into its customer, the actual target. The control that fails in this pattern is the vendor's caller-verification step: a credential or MFA reset granted on the strength of a phone call is the whole initial access. At Caesars, the attackers impersonated a Caesars employee on a call to the vendor and obtained credentials for Caesars' Okta access-management platform.
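Detection logic for the chain described above, as an added example that is not part of this page and not Caesars', the vendor's or Okta's own tooling: it scans Okta System Log-style events for a password or MFA reset performed on a user by someone other than that user (a help-desk or vendor admin), followed within an hour by a new MFA factor enrollment and a session from an IP address the user has never used before. The eventType strings are assumed to mirror Okta's System Log naming, the field layout is reduced to what the detector reads, and the log lines are constructed for the example; the window and the IP baseline are knobs to tune per tenant.

```python
"""Flag the help-desk-reset-to-takeover chain in Okta System Log-style events.

Per target user, the chain is:
  1. an actor other than the user (help desk / vendor admin) resets the
     user's password or clears all MFA factors,
  2. within WINDOW a new MFA factor is enrolled on the account, and
  3. within WINDOW a session starts from an IP the user has never used.
A self-service reset (actor == user) never opens a chain.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)

# eventType values assumed to mirror Okta System Log naming (example assumption).
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
ENROLL_EVENT = "user.mfa.factor.activate"
SESSION_EVENT = "user.session.start"


def _ts(event):
    """Parse the event's 'published' timestamp (ISO-8601 with trailing Z)."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def detect_helpdesk_takeover(events, window=WINDOW):
    """Return one alert dict per user whose log shows the full chain."""
    seen_ips = {}   # user -> IPs seen in sessions so far (baseline)
    pending = {}    # user -> open chain state after an admin-initiated reset
    alerts = []
    for e in sorted(events, key=_ts):
        et, t = e["eventType"], _ts(e)
        if et in RESET_EVENTS:
            user = e["target"][0]["alternateId"]
            actor = e["actor"]["alternateId"]
            if actor != user:   # only resets done *for* the user by someone else
                pending[user] = {"reset_at": t, "reset_by": actor, "reset_type": et,
                                 "baseline": set(seen_ips.get(user, ())),
                                 "enrolled": False}
            continue
        user = e["actor"]["alternateId"]
        chain = pending.get(user)
        if chain and t - chain["reset_at"] > window:
            pending.pop(user)          # chain expired without completing
            chain = None
        if et == ENROLL_EVENT and chain:
            chain["enrolled"] = True
        elif et == SESSION_EVENT:
            ip = e["client"]["ipAddress"]
            if chain and chain["enrolled"] and ip not in chain["baseline"]:
                alerts.append({"user": user, "reset_by": chain["reset_by"],
                               "reset_type": chain["reset_type"],
                               "reset_at": chain["reset_at"].isoformat(),
                               "new_ip": ip, "session_at": t.isoformat()})
                pending.pop(user)
            seen_ips.setdefault(user, set()).add(ip)
    return alerts


def _ev(published, event_type, actor, target=None, ip=None):
    """Build a minimal Okta-shaped event dict (constructed sample data)."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor},
            "target": [{"alternateId": target or actor}],
            "client": {"ipAddress": ip}}


# Constructed sample log: one benign self-service reset, one admin reset
# followed by a login from a known IP, and one complete takeover chain.
SAMPLE_EVENTS = [
    _ev("2023-08-01T08:00:00Z", SESSION_EVENT, "carol@example.com", ip="203.0.113.20"),
    _ev("2023-08-01T09:00:00Z", SESSION_EVENT, "alice@example.com", ip="203.0.113.10"),
    _ev("2023-08-01T10:00:00Z", "user.account.reset_password", "bob@example.com"),
    _ev("2023-08-01T10:02:00Z", ENROLL_EVENT, "bob@example.com"),
    _ev("2023-08-01T10:05:00Z", SESSION_EVENT, "bob@example.com", ip="198.51.100.5"),
    _ev("2023-08-01T11:00:00Z", "user.mfa.factor.reset_all", "helpdesk@vendor.example",
        target="carol@example.com"),
    _ev("2023-08-01T11:10:00Z", SESSION_EVENT, "carol@example.com", ip="203.0.113.20"),
    _ev("2023-08-01T14:00:00Z", "user.mfa.factor.reset_all", "helpdesk@vendor.example",
        target="alice@example.com"),
    _ev("2023-08-01T14:03:00Z", ENROLL_EVENT, "alice@example.com"),
    _ev("2023-08-01T14:05:00Z", SESSION_EVENT, "alice@example.com", ip="198.51.100.77"),
]

if __name__ == "__main__":
    for a in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: {a['reset_type']} by {a['reset_by']} at {a['reset_at']}, "
              f"new factor then session from {a['new_ip']} at {a['session_at']}")
```

Only the alice chain fires: bob's reset is self-service, and carol's admin reset is followed by a login from her usual address with no new factor. The baseline is snapshotted at reset time on purpose, so an attacker's own first login cannot whitelist its IP for the check that follows.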

By 23 August 2023 they had reached the customer loyalty database, which contained Social Security numbers and driver's licence information for tens of millions of guests. The attackers exfiltrated the data and demanded $30 million. Caesars negotiated and paid approximately $15 million in cryptocurrency to forestall public release.

Caesars disclosed the incident in an SEC filing on 14 September 2023, making it one of the first U.S. public-company filings to state explicitly that a ransom had been paid. (The same Scattered Spider crew hit MGM Resorts at almost the same time; MGM refused to pay and absorbed roughly $100M in operational losses.)

The FBI, in collaboration with Chainalysis, traced the ransom on the blockchain and froze a substantial portion of the funds: a rare publicised counter-example to the usual narrative that crypto ransom payments are unrecoverable.

Impact

  • Customer loyalty data including SSNs and driver's licences exfiltrated.
  • ~$15 million ransom paid (down from a $30M demand).
  • First high-profile SEC-filing disclosure of a ransomware payment by a major U.S. casino.
  • FBI and Chainalysis traced and froze a substantial portion of the paid ransom.

Why it matters

Caesars is the contemporary reference case for two things: social engineering of third-party IT support as the dominant initial-access vector for high-value targets, and blockchain tracing and seizure as a real (if uncertain) post-payment outcome. The pairing with MGM Resorts (same crew, attacks weeks apart, opposite decisions) gave U.S. boards their cleanest side-by-side comparison of paying versus refusing.

Financial impact

Reported costs in USD

  • Total reported loss: $15.0M (USD $15,000,000)
  • Ransom demanded: $30.0M
  • Ransom paid: $15.0M

Timeline

  1. Scattered Spider impersonates a Caesars employee on a call to a third-party IT support vendor and persuades the vendor to provide login credentials for Caesars' Okta access-management platform.

  2. By 23 August 2023, the attackers reach Caesars' customer loyalty database, including Social Security numbers and driver's licence information, and exfiltrate it.

  3. Scattered Spider demands $30M; Caesars negotiates and pays approximately $15M in cryptocurrency to forestall public data release.

  4. On 14 September 2023, Caesars discloses the ransomware event in an SEC filing, the first time a major U.S. casino operator publicly confirms a ransomware payment in regulatory disclosure.

  5. The FBI, working with Chainalysis, traces the ransom payment across multiple blockchains and protocols and freezes a substantial portion of the funds.

Sources

  1. courtwatch.news: https://www.courtwatch.news/p/how-the-fbi-tracked-down-the-15-million-caesars-casino-ransom
  2. cybernews.com: https://cybernews.com/news/caesars-15m-ransom-sec-breach-report-6t-stolen-data/
  3. cpomagazine.com: https://www.cpomagazine.com/cyber-security/caesars-entertainment-discloses-cyber-attack-ransom-payment-made-weeks-before-mgm-heist/
  4. chainalysis.com: https://www.chainalysis.com/blog/chainalysis-fbi-caesars-ransomware-recovery/
  5. s-rminform.com: https://www.s-rminform.com/cyber-intelligence-briefing/cyber-intelligence-briefing-15-september-2023
