How MGM and Caesars were hacked in the 2024 ransomware cyber attack


Imagine entering a casino, filled with confidence and excitement, only to find every slot machine inoperable. That’s exactly what happened to two of the biggest names in Vegas: Caesars and MGM. Early in September 2023, hackers launched a devastating attack, disabling slot machines, reservation systems, and even room key access. For a place built on trust and entertainment, it was digital carnage. Criminals were operating behind the scenes, locking out millions of guests.


What Really Happened at MGM and Caesars Detailed Breakdown

1. Initial Breach (Social Engineering & Vishing)
The first entry point in both Caesars’ and MGM’s cases was human error, specifically through social engineering tactics. For Caesars, the hackers began by targeting a third-party IT vendor. They posed as internal staff members over a phone call, using a tactic known as “vishing” (voice phishing). The caller convinced the vendor’s employee to reset login credentials, essentially unlocking the front door for the attackers. In MGM’s case, members of a hacking group called Scattered Spider (also known as UNC3944) took a slightly different route. They scraped employee identities from LinkedIn, then impersonated staff while calling MGM’s help desk. Again, vishing was used to manipulate the support team into resetting multi-factor authentication (MFA) access. This initial breach was quiet but crucial: it gave the attackers their first foothold inside highly secure systems.

2. Access Escalation & Backdoor Implantation
Once the attackers obtained credentials, they moved deeper into the corporate infrastructure. Using the compromised login details, they infiltrated identity management systems like Okta and Azure Active Directory, the platforms that controlled who could access what within the organisation. Gaining global admin privileges allowed them to navigate freely inside sensitive systems. At this stage, they began planting backdoors and advanced hacker tools such as Cobalt Strike and memory scrapers. These tools enabled the attackers to conduct silent reconnaissance, map out the internal network architecture, and maintain persistent access. Often overlooked until it’s too late, this step lays the groundwork for a full-scale ransomware operation.

3. Data Exfiltration
Before launching their ransomware payload, the attackers spent time quietly stealing data. In cybersecurity, this technique is called exfiltration: sensitive files are copied and sent out of the network without triggering alarms. Reports estimate that up to 6 terabytes of data were syphoned from MGM’s servers, including customer credentials, internal documents, and operational records. In Caesars’ breach, the stakes were even more personal: the attackers accessed Social Security numbers and driver’s license details of loyalty program members. These types of data not only violate privacy but can also be sold on the dark web or used in future identity theft campaigns. The theft of data had a dual impact: it harmed the customers whose records were taken, and it gave the hackers extra leverage during ransom negotiations, since they could threaten to leak what they had stolen.

4. Ransomware Deployment (ALPHV/BlackCat)
With credentials stolen, networks mapped, and data extracted, the final strike was the deployment of ransomware. The group ALPHV, also known as BlackCat, a major ransomware-as-a-service syndicate, launched malware that encrypted critical infrastructure. This included ESXi servers (used to run multiple virtual systems), reservation platforms, casino slot machines, and customer-facing apps. Caesars chose to negotiate and paid an estimated $15 million in ransom to regain control of their systems and prevent further leaks. MGM, on the other hand, refused to pay. Instead, it worked with federal law enforcement to recover internally. This decision resulted in massive operational disruptions: system outages across its properties, customer check-in chaos, and slot machines frozen for up to 10 days. MGM ultimately reported a financial loss of approximately $80 million related to the attack.

Who Was Behind the Ransomware Attack?

Let me reveal the true mastermind behind the MGM and Caesars ransomware attacks: it was not a single group operating independently.

The first team was a group of young, highly skilled hackers called Scattered Spider. Also known as UNC3944, this group consists mostly of native English speakers, and many members are believed to be based in the U.S. or U.K. Unlike the usual image of international cybercrime gangs, these guys didn’t hide in the shadows of some foreign basement. They operated boldly, even flaunting their skills in underground forums. Their speciality? Social engineering. They didn’t brute-force systems; they talked their way in. They scraped employee details from LinkedIn, posed as staff, and manipulated help desks over the phone to reset passwords and multi-factor authentication. That’s how they got the keys.

Now here’s where it gets darker. Once Scattered Spider had access, they didn’t launch ransomware themselves. They partnered with one of the most dangerous ransomware syndicates in the world: ALPHV, also known as BlackCat. This group runs ransomware-as-a-service. They build the payloads, control the negotiations, and take a cut from the ransom. ALPHV is feared for a reason. They use cutting-edge code, target big-game victims, and have a reputation for brutal pressure tactics like threatening to leak stolen data publicly.

Together, the unlikely alliance of Scattered Spider, known for their slick social skills, and ALPHV, known for their powerful ransomware, created a formidable force. One group opened the doors; the other lit the fire. That’s what made the attack so devastating. It wasn’t random. It was a coordinated assault by professionals who knew exactly what they were doing.


How They Were Hacked, or Why the Attacks Succeeded


Let me tell you how they pulled it off and why it worked so well. This wasn’t just about fancy tools or genius-level hacking. No. It was about knowing where people and systems are most vulnerable and then striking when no one was looking.
First off, the whole thing started with weak help desk protocols. Most companies, even massive ones like MGM or Caesars, assume their MFA systems are strong enough. But if your help desk is too quick to reset login credentials without triple-checking identity, that security collapses in seconds. That’s exactly what happened. Hackers used simple voice calls, impersonated real employees, and tricked staff into giving them the keys. And it worked fast.
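The help-desk weakness described above is easiest to understand as a missing control: a reset should only be performed once identity has been confirmed through a channel the caller does not control. The following is an added example of such a reset gate, written for this page and not taken from MGM, Caesars, or any vendor product. The request fields, the callback-to-number-on-record check, the manager-approval rule for privileged accounts, and the seven-day cooldown are all assumptions chosen to illustrate the policy.

```python
"""Help-desk credential/MFA reset gate (added, illustrative example).

Policy modelled here (all thresholds are assumptions for the example):
  * phone or chat requests must be confirmed by calling back the phone
    number already on the HR record, never a number the caller supplies;
  * privileged accounts additionally need a manager's approval;
  * a second reset within the cooldown window needs in-person or video
    identity verification, because repeat resets are a common sign that
    an attacker is re-establishing access.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ResetRequest:
    username: str
    channel: str                      # "phone", "chat" or "in_person"
    callback_verified: bool = False   # agent called the number on the HR record
    manager_approved: bool = False    # manager confirmed via a separate channel
    strong_id_verified: bool = False  # in-person or live video ID check done


@dataclass
class Account:
    username: str
    privileged: bool = False
    last_reset: Optional[datetime] = None


COOLDOWN = timedelta(days=7)


def evaluate_reset(req: ResetRequest, acct: Account, now: datetime,
                   cooldown: timedelta = COOLDOWN) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any unmet requirement blocks the reset."""
    reasons: List[str] = []
    remote = req.channel in ("phone", "chat")
    if remote and not req.callback_verified:
        reasons.append("remote request: identity not confirmed by callback to number on record")
    if acct.privileged and not req.manager_approved:
        reasons.append("privileged account: manager approval missing")
    if acct.last_reset is not None and now - acct.last_reset < cooldown:
        if not req.strong_id_verified:
            reasons.append("repeat reset inside cooldown: in-person/video verification required")
    return (len(reasons) == 0, reasons)


def follow_up_actions(req: ResetRequest, acct: Account) -> List[str]:
    """Actions the desk records after an approved reset so the real user
    and the security team can spot a fraudulent one quickly."""
    actions = [f"notify {acct.username} on previously registered devices/email",
               "open audit ticket with caller details and verification evidence"]
    if acct.privileged:
        actions.append("alert security team: privileged MFA reset performed")
    return actions


if __name__ == "__main__":
    now = datetime(2023, 9, 8, 9, 0)
    # Constructed scenario: caller claims to be a global admin, phones in,
    # and the agent has only the caller's own word for who they are.
    admin = Account("it.admin", privileged=True)
    req = ResetRequest("it.admin", channel="phone")
    print(evaluate_reset(req, admin, now))
```

The key property is that the gate fails closed: a persuasive caller who supplies no verifiable evidence produces a list of unmet requirements rather than a reset, and an approved reset always generates a notification to the real account holder, which is the fastest way to discover a fraudulent one.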

Then came the next problem: network segmentation, or really, the lack of it. Once inside, the attackers didn’t just stop at the front desk. They moved laterally through the entire digital infrastructure. The experience was akin to walking through an unlocked building. They touched everything: guest databases, slot machines, payment systems.

Even worse, nobody noticed. That’s what hurts most. For days, maybe longer, these attackers were inside undetected. No alerts. There were no raised eyebrows. No sirens. If someone had spotted unusual logins or unexpected file transfers, the damage could have been contained.

And when the company finally reacted, it was too late. Incident response was slow. The company failed to quickly isolate the systems. Law enforcement intervened only after the attackers had already delivered their devastating blow. By that point, the ransom had been released, and the entire world was watching. That’s the worst kind of loss: public failure.

These attacks weren’t just about tech. They were about trust, reputation, and the cost of waiting too long to take cybersecurity seriously. In a world where everything is connected, remaining silent and delaying action are as dangerous as the hackers themselves.

Financial, Social & Political Fallout

Allow me to guide you through what actually happened once the crisis was over. The damage didn’t end when the ransomware did. It only began there.

First, Caesars quietly paid the ransom, about $15 million, to ALPHV. They hoped to make the problem disappear, to stop data from leaking, and to regain control quickly. But even after paying, they couldn’t escape the consequences. Sensitive customer data, Social Security numbers and driver’s licenses, had already been stolen. The public was outraged. Lawsuits started piling up. Regulators began poking into every layer of Caesars’ digital infrastructure. The trust they had built with their customers was shaken, possibly even broken.

Now MGM, on the other hand, took the bold path. They refused to pay. They called in the FBI, brought in digital forensics teams, and tried to fight back. But that decision came at a steep price. The entire casino system, from check-in desks to slot machines, was shut down for nearly 10 days. What was the monetary damage? Close to $80 million. Guests couldn’t check into rooms, use apps, or even order room service. And then came the legal blowback. Multiple class-action lawsuits accused MGM of failing to protect user data and business continuity. Their CEO later warned that cyber insurance might not be enough next time and that rates were already climbing for everyone.

And then came the headlines. The world was watching. News outlets, tech blogs, and political analysts were all questioning how billion-dollar resorts could be brought to their knees by a phone call and a fake login. Lawmakers called for stronger cybersecurity laws. Insurers reviewed their policies. And companies across every sector took a hard look at their networks.

It wasn’t just about casinos anymore. It was about how fragile digital trust really is.

🎯 Lessons for You (And Me)

If there’s one key lesson we’ve learnt from the Caesars and MGM attacks, it’s that you don’t need to be a hacker to become a victim. All it takes is one untrained employee. One weak system. One missed alert. And everything crumbles.

Let me give you a real example. A friend of mine works in IT for a midsize travel company. One day, their help desk got a call from someone claiming to be the CFO. The caller was polite and even joked about how slow the VPN was. The help desk guy, new and not trained for this kind of deception, reset the password and MFA. Within hours, systems were behaving oddly. Their booking engine was down by morning. Luckily, they caught it early: no ransom, no data loss. But it shook everyone. Not because they were hacked, but because it was so easy.

Now, if they had done just a few things right, it wouldn’t have happened at all.

Here’s what you, whether you’re a company, a worker, or even just a regular internet user, should do:

How to Protect Yourself

  • Use strong MFA (Multi-Factor Authentication). Instead of relying solely on SMS codes, consider utilising hardware keys or biometric logins that require a phone call to reset.
  • Train every staff member. This training should extend from the receptionist to the CEO. Everyone should know how phishing, vishing (voice phishing), and fake help desk calls work.
  • Break your network into zones. We refer to this as network segmentation. If hackers break into one part, they can’t move freely.
  • Use smart detection tools. AI-based monitoring can identify unusual behaviour early, preventing further damage.
  • Create an incident response plan and practice it. Don’t wait for chaos. Know who handles what. Who calls the cyber team? Who isolates servers? Practice with the urgency of a fire drill.
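The “nobody noticed” problem described earlier, and the “smart detection tools” bullet above, come down to correlating a few signals that each look harmless alone: a help-desk MFA reset, a login from somewhere the user has never logged in from, and an unusually large amount of data leaving the network. The following is an added example of that correlation, written for this page and not taken from MGM, Caesars, or any SIEM product. The audit events are constructed in a simplified identity-provider-like shape, and the 24-hour window and 50 GiB egress threshold are assumptions; a real deployment would tune both against its own baseline.

```python
"""Correlate identity and network events into alerts (added, illustrative).

Pattern detected: MFA reset by the help desk -> login from a country the
user has never used -> large outbound transfer, all within a short window.
Each signal alone is noisy; together they describe the intrusion path
this page documents.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample events in a simplified identity-provider-like shape:
# (ISO timestamp, event type, username, details). Not real casino logs.
SAMPLE_EVENTS = [
    ("2023-09-08T09:02:00", "mfa.factor.reset", "jdoe",   {"actor": "helpdesk"}),
    ("2023-09-08T09:15:00", "user.login",       "jdoe",   {"ip": "203.0.113.7", "country": "RO"}),
    ("2023-09-08T10:40:00", "egress.bytes",     "jdoe",   {"bytes": 900_000_000_000}),
    ("2023-09-08T09:30:00", "user.login",       "asmith", {"ip": "198.51.100.4", "country": "US"}),
    ("2023-09-08T11:00:00", "egress.bytes",     "asmith", {"bytes": 2_000_000}),
]

# Constructed baseline: countries each user has historically logged in from.
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"jdoe": {"US"}, "asmith": {"US"}}

RESET_WINDOW = timedelta(hours=24)          # assumption: how long a reset stays "recent"
EGRESS_THRESHOLD = 50 * 1024 ** 3           # assumption: 50 GiB/day from one user is abnormal

Alert = Tuple[str, str, str]                # (username, severity, reason)


def correlate(events, known_countries, reset_window=RESET_WINDOW,
              egress_threshold=EGRESS_THRESHOLD) -> List[Alert]:
    """Walk events in time order and raise alerts whose severity rises
    when a signal follows a recent MFA reset for the same user."""
    last_reset: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for ts, kind, user, d in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        recent_reset = user in last_reset and t - last_reset[user] <= reset_window
        if kind == "mfa.factor.reset":
            last_reset[user] = t
            alerts.append((user, "info", f"MFA factor reset by {d['actor']}"))
        elif kind == "user.login":
            if d["country"] not in known_countries.get(user, set()):
                sev = "high" if recent_reset else "medium"
                alerts.append((user, sev, f"login from new country {d['country']} ({d['ip']})"
                               + (" shortly after MFA reset" if recent_reset else "")))
        elif kind == "egress.bytes" and d["bytes"] >= egress_threshold:
            sev = "critical" if recent_reset else "high"
            alerts.append((user, sev, f"{d['bytes'] / 1024**3:.0f} GiB outbound"
                           + (" shortly after MFA reset" if recent_reset else "")))
    return alerts


SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


def worst_per_user(alerts: List[Alert]) -> Dict[str, str]:
    """Reduce the alert list to the highest severity seen per user, the
    view an on-call analyst would triage from."""
    worst: Dict[str, str] = defaultdict(lambda: "info")
    for user, sev, _ in alerts:
        if SEVERITY_RANK[sev] > SEVERITY_RANK[worst[user]]:
            worst[user] = sev
    return dict(worst)


if __name__ == "__main__":
    for user, sev, reason in correlate(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(f"[{sev:8}] {user}: {reason}")
    print(worst_per_user(correlate(SAMPLE_EVENTS, KNOWN_COUNTRIES)))
```

The design point is the escalation: a new-country login on its own is a medium-severity event that analysts see every day, but the same login within a day of a help-desk MFA reset is exactly the sequence that opened MGM, and the large transfer that follows is the exfiltration step. Raising severity on the combination, rather than on any single event, is what lets a team isolate the account before the ransomware stage.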

These aren’t just “IT department” things anymore. They’re life skills in today’s world. Your data, reputation, and peace of mind are as valuable as a casino, and they are just as much at risk.

Cyberattacks today aren’t just about stolen data. They’re about trust. In the middle of the night, when your screen turns black and your systems fail to respond, it can be a harrowing experience. The situation affects front desk guests who are unable to access their rooms, customers who experience a sudden loss of confidence, and businesses that never fully bounce back.

But here’s the thing: this isn’t hopeless.

Every person, every company, and every team can take steps today to prepare. You can train your people. You can patch your systems. You can build digital walls and rehearse your defences. You can stop believing “we’re too small to be a target” or “our IT team has it covered”.

Because if there’s one truth that Caesars and MGM have shown us, it’s this: no one is safe by default. But everyone can be safer by choice.

So, whether you run a startup, a school, or just your inbox, stay alert. Ask questions. Be cautious with every login, every call, and every click. On the internet, even the slightest error can lead to significant consequences. But if we stay ready, we don’t have to be afraid.

Stay sharp. Stay safe. Keep your systems close, and your cybersecurity closer.


Hoplon Infosec