Token Blog: Phishing and Ransomware Articles

Scattered Spider’s Expanding Web: 500+ Phishing Domains. Simple Way to Stop Them

Written by Kevin Surace | Jul 16, 2025 8:14:04 AM

If your organization still relies on passwords, SMS codes, or authenticator apps to protect employee logins, it’s not a matter of if you’ll be breached—it’s when.

The cybercrime gang Scattered Spider is rapidly evolving into the most dangerous and persistent threat to enterprise security. And this week, new evidence shows they’re not slowing down—in fact, they’re scaling up.

Over 500 Phishing Domains and Counting

Security researchers at Check Point just uncovered over 500 phishing domains tied to Scattered Spider’s known tactics and naming conventions. These domains aren’t random. They’re built to impersonate major enterprise brands across industries—from tech and aviation to retail, manufacturing, medical, and even restaurant chains.

Examples like:

  • chipotle-sso[.]com
  • gemini-servicedesk[.]com
  • hubspot-okta[.]com

These aren't clever scams. They’re pixel-perfect fakes designed to trick even seasoned users into entering credentials, MFA codes, or clicking a link that gives attackers the foothold they need. And once they’re in, it’s over.

This is real-time phishing and MFA bypass at industrial scale. And it works—because most organizations are still using legacy MFA that doesn’t validate who’s asking. App prompts, SMS codes, even passkeys can be compromised with simple social engineering or cloud account hijacks.

The Attack Pattern Is Known — So Why Are Companies Still Vulnerable?

Scattered Spider, also known as UNC3944, has been active since 2022. Their weapon of choice isn’t advanced zero-days. It’s human psychology.

They trick help desks into issuing credential resets.
They spoof MFA prompts that users blindly approve.
They call employees, impersonate IT, and walk them through their own compromise.

They’ve hit:

  • Marks & Spencer
  • Co-op UK
  • Qantas
  • Hawaiian Airlines
  • Aflac
  • And over a dozen other major enterprises this year alone.

They use tools like TeamViewer, Fleetdeck.io, and BlackCat ransomware-as-a-service to lock systems and exfiltrate data. And they typically enter through phishing—on fake domains—backed by convincing social engineering.

Which leads to the obvious question:
Why are we still trusting users to be the firewall?

Why MFA Alone Is No Longer Enough

Traditional MFA—SMS codes, push notifications, TOTP apps—was never designed to stop this kind of attack. These methods rely on user action, which can be intercepted, spoofed, or socially engineered. Even passkeys, while stronger, often rely on cloud-syncing and can be compromised through account hijack or device theft.

The problem? These tools trust the environment and the user too much. And when you combine that trust with a high-volume phishing campaign and a socially engineered call center script—the attacker always wins.

Token Ring and BioStick: The Only Proven Defense

At Token, we took a different approach. One built on this core principle:

Authentication should not rely on trust. It should rely on cryptographic proof and biometric presence.

Here’s how Token Ring and Token BioStick eliminate the entire phishing playbook:

 1. Phishing-Proof by Design

Each Token device generates a unique cryptographic key per website. During login, the site must prove its identity to the token using FIDO2/WebAuthn. If the domain doesn’t match—like chipotle-sso.com instead of chipotle.com—authentication is denied immediately.
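As an added illustration (not Token’s code, and not a FIDO library’s API), here is the origin and RP ID binding check a relying party’s server runs on a WebAuthn assertion, which is where the "domain doesn’t match" rejection actually lands: the browser writes the page origin into clientDataJSON, the authenticator hashes the RP ID it was asked to use into authenticatorData, and the server rejects either if it does not match the site it expects. The RP ID, allowed origins and sample challenge are assumed values constructed for the example; signature verification with the credential’s public key is a separate step not shown here.

```python
import base64
import hashlib
import json

# Relying party configuration (assumed values for this example).
RP_ID = "chipotle.com"
ALLOWED_ORIGINS = {"https://chipotle.com", "https://sso.chipotle.com"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Check challenge, origin and RP ID binding of a WebAuthn assertion.

    Returns (ok, reason). The signature over authData || SHA-256(clientDataJSON)
    is verified separately with the credential's public key (not shown).
    """
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    # authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4] | ...
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    if not flags & 0x04:
        return False, "user verification (UV) flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON, shaped the way a browser produces it."""
    cd = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(cd).encode())

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) | flags | signCount=1."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")

CHALLENGE = b"\x01" * 32  # constructed; a real server draws this from os.urandom(32)
```

A page served from chipotle-sso.com can only ask the browser for RP ID chipotle-sso.com, so both the origin and the rpIdHash fail the check even if the user completes the fingerprint tap.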

 2. Biometric-Bound Access

Token requires a live fingerprint match to unlock credentials. Not a PIN. Not a face scan spoofable by a photo. A physical match, on-device, every time. If the user doesn’t touch the device, nothing gets signed.

Even if a hacker tricks the user into clicking the phishing link, Token won’t respond—because the spoofed domain isn’t registered, and the device won’t sign the request.

 3. No Cloud, No Fallbacks, No Guesswork

Unlike passkeys, Token’s credentials aren’t synced to iCloud or Google accounts. There’s no SMS fallback, no backup passwords, and no one-time codes to relay. If someone steals the device, they still can’t log in—the biometric is required.

 4. Proximity

Unless the hacker is within 3 feet of you, they're out of luck. Token products require proximity to the person logging in. Since Token products don’t support cellular or Wi-Fi, they are limited by BLE’s range. That hacker in Russia who is 10,000 miles away? Dead in the water.

Real Security, Not Security Theater

When companies say they’re “going passwordless,” they often mean they’ve added a few bells and whistles to existing MFA flows. That’s not enough.

What Token offers is a clean break from the entire trust-based model. No more:

  • Users typing codes into spoofed pages
  • Help desks getting tricked into resetting credentials
  • Devices authenticating the wrong origin
  • Backdoors via recovery options

Just a simple, secure, biometric check, cryptographically tied to the real site and executed in hardware. The attacker can’t replay it, can’t steal it, and can’t fake it.

Fast Deployment, Enterprise Ready

Worried about complexity? Don’t be. Token Ring and BioStick can be deployed in a day, integrate with your existing SSO or IdP, and require no user training beyond “tap your fingerprint.”

We’ve built Token for exactly the kind of environment Scattered Spider is targeting—large enterprises with diverse infrastructure, remote access needs, and mission-critical systems that cannot afford a breach.

Bottom Line: If You Can Be Phished, You Can Be Compromised

With 500+ phishing domains in play and growing, the question isn’t if your brand will be impersonated—it’s when.

If your MFA can be tricked by a spoofed login page, or your passkey hijacked via a cloud account reset, you are vulnerable.

Token Ring and Token BioStick aren’t just more secure—they’re unphishable, unspoofable, and unmatched.

It’s time to move beyond the illusion of security and adopt authentication that simply cannot be compromised—no matter how clever the attacker is.

Schedule a demo today.

Let Scattered Spider spin all the fake domains they want.
With Token, they’ll get caught in their own web.