The MGM Resorts Cyberattack: What $100M in Losses Teaches Every iGaming Operator
In September 2023, a teenage hacking group known as Scattered Spider phoned MGM Resorts' IT helpdesk, impersonated an employee, and convinced a technician to reset that employee's MFA credentials. That single phone call led to 10 days of operational disruption, $100 million in losses, slot machines going dark, hotel room keys failing, and a class-action lawsuit. The entry point wasn't a sophisticated exploit. It was a conversation.
The MGM attack entry point: one phone call to an IT helpdesk.
Timeline of the MGM Attack
- September 8, 2023: Scattered Spider calls MGM IT helpdesk, impersonates employee found on LinkedIn
- September 8: MFA reset grants attacker access to Okta identity provider
- September 9: Attackers move laterally using legitimate admin credentials — no malware needed
- September 10: MGM detects unusual activity, begins system shutdown
- September 11: MGM goes public — slot machines offline, hotel keys non-functional, reservations system down
- September 20: MGM fully restores operations — 10 days of disruption
- Total loss estimate: $100 million (including $84M lost revenue + $17M in one-time costs)
The Three Failures That Made This Possible
1. Helpdesk social engineering: no sufficiently rigorous identity verification before resetting MFA
2. Excessive blast radius: one compromised identity had access to too many critical systems
3. Slow detection: lateral movement using legitimate tools wasn't flagged quickly enough
Which Kyanite Blue Products Address Each Failure
- Coro's UEBA (User and Entity Behaviour Analytics): detects anomalous access patterns — e.g. an account suddenly accessing systems it never accessed before at 2am
- BlackFog: blocks the command-and-control communications and data exfiltration that followed initial access
- Hadrian: identifies over-privileged access points and externally exposed admin interfaces before attackers do
- Panorays: relevant where the attack vector is a vendor with privileged access (as in many Scattered Spider campaigns)
What Online Casino Operators Should Do Differently
- Implement strict helpdesk identity verification — callback to known number, manager approval for MFA resets
- Segment access — no single identity should have access to all critical systems
- Deploy UEBA to detect lateral movement using legitimate credentials
- Conduct regular social engineering simulations (vishing tests) against IT staff
- Have an incident response plan that includes playbooks for identity compromise scenarios
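The kind of check a UEBA rule performs for this scenario, as an added example (not code from Kyanite Blue or any vendor named here): it flags an account's first-time access to a system and raises the score when that access falls outside normal hours or shortly after a helpdesk MFA reset. The event fields, the 72-hour watch window, the working-hours range and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, account, event, target)
EVENTS = [
    ("2023-09-01T09:12", "j.doe", "access", "crm"),
    ("2023-09-04T10:03", "j.doe", "access", "crm"),
    ("2023-09-05T14:40", "j.doe", "access", "email"),
    ("2023-09-06T11:00", "a.lee", "access", "payments-admin"),
    ("2023-09-08T16:20", "j.doe", "mfa_reset", "helpdesk"),
    ("2023-09-09T02:05", "j.doe", "access", "idp-admin"),
    ("2023-09-09T02:17", "j.doe", "access", "payments-admin"),
    ("2023-09-09T09:30", "j.doe", "access", "crm"),
    ("2023-09-09T10:00", "a.lee", "access", "payments-admin"),
]

RESET_WINDOW = timedelta(hours=72)  # assumed: how long an MFA reset keeps an account under watch
WORK_HOURS = range(7, 20)           # assumed: 07:00-19:59 counts as normal working hours

def detect(events, min_score=2):
    """Return alerts for first-time system access, scored by surrounding context."""
    baseline = {}    # account -> systems this account has accessed before
    last_reset = {}  # account -> time of its most recent MFA reset
    alerts = []
    for ts, account, event, target in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "mfa_reset":
            last_reset[account] = when
            continue
        seen = baseline.setdefault(account, set())
        # An account with no history yet has no baseline to deviate from.
        if seen and target not in seen:
            reasons = ["first access to " + target]
            if when.hour not in WORK_HOURS:
                reasons.append("outside normal hours")
            reset = last_reset.get(account)
            if reset and when - reset <= RESET_WINDOW:
                reasons.append("soon after MFA reset")
            # First-time access alone is noisy; alert only when context adds up.
            if len(reasons) >= min_score:
                alerts.append((ts, account, target, len(reasons), reasons))
        seen.add(target)
    return alerts

if __name__ == "__main__":
    for ts, account, target, score, reasons in detect(EVENTS):
        print(f"{ts} {account} -> {target} score={score}: {'; '.join(reasons)}")
```

With the sample events, the daytime first access to `email` stays below the threshold, while the two 2am accesses that follow the MFA reset each score 3.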
Frequently Asked Questions
Who was responsible for the MGM attack?
The FBI attributed the attack to Scattered Spider (UNC3944), a loosely affiliated group of mostly English-speaking cybercriminals aged 19–22. They used social engineering techniques combined with the ALPHV/BlackCat ransomware-as-a-service.
Did MGM pay the ransom?
MGM refused to pay the ransom demand. Caesars Entertainment, hit in the same campaign weeks later, paid approximately $15 million. Both suffered significant data exfiltration.
Could this attack happen to an online-only casino?
Yes — and the impact would be similar. An online casino's player account management system, payment processing, and back-office operations are all at risk from the same social engineering + lateral movement techniques.
Protect your operation from the next MGM-style attack
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.