LAS VEGAS (KTNV) — It’s been two and a half years since cyberattacks rocked the Las Vegas Strip, shutting down slot machines, locking guests out of rooms, and draining hundreds of millions from Ceasars Entertainment and MGM Resorts.
The suspects? Mostly Gen Z — including one teenage hacker now facing the possibility of being charged as an adult.
As part of a collaboration with ABC News Investigates, 13 Investigates is digging into the fallout and the changes casinos are making to fight back.
WATCH:
2023 cybersecurity incidents lead to Nevada Gaming Control Board changes
At least six people have been arrested in connection with the 2023 MGM Resorts cyberattack. Their ages ranged from 15 to 25 at the time. Their cases are still moving through courts, but the damage they caused has left permanent scars.
“It’s corporate terrorism at its finest,” MGM Resorts President and CEO Bill Hornbuckle said in 2023. “You don’t wish this on anybody.”
Separate Securities and Exchange Commission filings show both MGM and Caesars confirmed cyberattacks that disrupted operations, cost tens of millions of dollars, and exposed the personal data of thousands in their loyalty programs. MGM maintains it never paid a ransom.
JANUARY 2025: MGM Resorts settles class action lawsuit over 2023 cyberattack
MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023
Hackers used social engineering to infiltrate MGM’s systems. When the company spotted them, it shut down hotel and gaming systems to protect sensitive information.
“Nothing was working. The machine wouldn’t take the tickets,” a resort guest told us at the time. “It was just chaos.”
The recovery was costly.
“This is probably going to cost us in the range of $100 million,” Hornbuckle said. “It is covered by cyber insurance, thankfully. I can only imagine what next year’s bill will be.”
SEPTEMBER 2023: Couple cancels Las Vegas trip after cybersecurity attack
Tennessee couple canceled their trip to Las Vegas after news of the cybersecurity issues
In November 2024, the Department of Justice indicted four Americans and one British man tied to the Scattered Spider cybercrime group, the crew that claimed credit for the MGM attack.
The arrests started even earlier. In July 2024, a 17-year-old in the U.K. was charged with blackmail and computer misuse. Then, on Sept. 17, 2025, Las Vegas police and the FBI arrested a teenage male from Illinois accused of helping carry out the crippling attacks on MGM and Caesars. Police describe the incidents as sophisticated network intrusions orchestrated by Scattered Spider.
Charges against the teen include using someone’s personal information to harm or impersonate, extortion, conspiracy, and unlawful acts regarding computers.
The Clark County District Attorney’s Office has not identified the teen but said his case could be transferred to the criminal division, meaning he might face adult charges.
“I remember when Caesars and the MGM got hit about two and a half years ago,” said Hon. George Assad, who is part of the Nevada Gaming Control Board. “It was very chaotic for the licensees.”
That chaos pushed state gaming regulators to act. In January, the Nevada Gaming Commission made changes to how those incidents are reported.
Casinos must now report cyber incidents within 24 hours, follow up with an initial report or meeting within five days, and send written updates every 30 days until the matter is resolved.
You can read the full document below.
“It feels like we’re getting closer to actually have something that makes sense in the practical administration of this important issue,” Chair Mike Dreitzer said.
After Wynn Resorts was hit by a cyberattack this past February, the governor’s tech office issued a statewide alert warning employees that even urgent or routine-looking requests might be fraudulent.
You can read the alert below.
Cybersecurity professionals say there are ways to protect yourself:
- Do not click links or open files unless you know they are legitimate.
- Watch out for callers who pressure you to act fast or keep things secret.
- Never share passwords, codes, or account recovery information over email, text, or phone.
You can watch Minor Mayhem: The Hackers of Gen Z on ABC’s website and YouTube page.