UK Arrests Four In Major Retail Cyber Attacks On M&S, Co-op, Harrods

HomeNews* Authorities arrested four people in the U.K. for cyber attacks on major retailers.

• The attacks affected Marks & Spencer, Co-op, and Harrods, with losses estimated up to $592 million.
• Suspects are linked to the organized cybercrime group known as Scattered Spider.
• Attackers used advanced social engineering and Ransomware tactics to breach organizations.
• Experts advise organizations to strengthen verification procedures and adopt robust security measures to protect against similar threats. On Thursday, the U.K. National Crime Agency (NCA) arrested four individuals in connection with cyber attacks that targeted major retailers Marks & Spencer, Co-op, and Harrods. The suspects, aged 17 to 20, were apprehended at their residences in the West Midlands and London. Authorities seized electronic devices as evidence.

• Advertisement - Officials charged the suspects with offenses including computer misuse, blackmail, money laundering, and involvement in an organized crime group. According to the NCA, these arrests followed a focused investigation into cyber incidents that caused significant disruptions and losses.

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, in an official statement. “Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the U.K. and overseas, to ensure those responsible are identified and brought to justice.”

According to the Cyber Monitoring Centre, the cyber attacks against Marks & Spencer and Co-op in April 2025 were labeled a “single combined cyber event,” causing losses estimated between $363 million and $592 million. The NCA has not confirmed the exact group behind the attacks but reports indicate the involvement of the decentralized crime crew known as Scattered Spider. This group uses tactics like social engineering—tricking people into giving up confidential information—and ransomware, which is malicious software that locks data until a ransom is paid.

During a recent U.K. Parliament committee hearing, Marks & Spencer stated that the attack on its network was ransomware-based and connected to the DragonForce ransomware group, who reportedly worked with other affiliated actors.

Security experts highlight that Scattered Spider mostly consists of young, native English speakers who use fake calls to IT help desks to gain access. The group is reportedly part of a wider collective called The Com, which carries out crimes like phishing, SIM swapping, extortion, and social engineering across different industries.

Google-owned Mandiant explained that Scattered Spider tends to focus on one industry at a time, using phishing websites that mimic real company logins to steal user credentials. “Organizations can take proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant multi-factor authentication to defend against these intrusions,” said Charles Carmakal, CTO at Mandiant Consulting. Carmakal also described the arrests as “a significant win” in the fight against the e-crime syndicate, emphasizing the importance of international cooperation to curb such threats.

• Advertisement - Previous actions against this group have led to temporary drops in activity, according to experts, offering organizations a chance to bolster their defenses before further attacks occur.

Previous Articles:

• SharpLink Nears Record as Biggest Corporate Ethereum Holder
• Bitcoin Shatters $116K Record, Over $560M in Shorts Liquidated
• Critical MCP-Remote Vulnerability Enables Remote OS Command Execution
• Tesla to Expand Robotaxi Service in Austin, Bay Area This Weekend
• BIS Finds Tokenized Government Bonds Offer Tighter Market Spreads

• Advertisement -