The U.K. National Crime Agency (NCA) announced the arrest of four individuals in connection with significant cyber attacks that targeted major retailers Marks & Spencer, Co-op, and Harrods. The apprehended suspects include two 19-year-old men, a 17-year-old, and a 20-year-old woman, who were taken into custody in the West Midlands and London. They face charges including Computer Misuse Act offenses, blackmail, money laundering, and participation in an organized crime group. Electronic devices were seized from their homes for forensic analysis, and their identities have not yet been disclosed. The NCA emphasizes that this investigation remains a top priority, and efforts are ongoing to identify and prosecute all responsible parties.
The cyber attacks, which occurred in April 2025, have been classified as a “single combined cyber event” by the Cyber Monitoring Centre (CMC), with an estimated financial impact ranging from £270 million to £440 million. While the NCA did not explicitly name the organized crime group involved, it is widely believed that the attacks were perpetrated by Scattered Spider, a decentralized cybercrime crew known for its advanced social engineering techniques and deployment of ransomware. Marks & Spencer, during a U.K. Parliament hearing, specifically identified the DragonForce ransomware group, working with other “loosely aligned” actors, as responsible for the attack on their systems.
Scattered Spider is particularly notable for its reliance on sophisticated social engineering tactics and persistent efforts to gain initial access to target organizations, even those with robust security programs.
Their success stems not from novel tactics, but from their expertise in manipulating individuals. The group is largely composed of young, native English speakers, which gives them an advantage in building trust when they place fake calls to IT help desks while posing as legitimate employees. This method allows them to bypass security measures and gain credentials.
Scattered Spider is part of a larger, loose-knit collective known as The Com, which is responsible for a wide array of criminal activities beyond cyber attacks, including phishing, SIM swapping, extortion, and even more violent crimes like swatting, kidnapping, and murder. Their targeting strategy is described as calculated and opportunistic, shifting across industries and geographies based on visibility, potential payout, and operational heat. They employ consistent core tactics, techniques, and procedures, such as setting up deceptive phishing domains that mimic legitimate corporate login portals to trick employees into revealing credentials.
The arrests of the alleged Scattered Spider members are being hailed as a significant victory in the fight against e-crime, underscoring the crucial role of international collaboration. Previous arrests have reportedly impacted Scattered Spider’s operations, causing periods of reduced activity. Independent cybersecurity journalist Brian Krebs identified two of the arrested 19-year-olds as Owen David Flowers and Thalha Jubair, with Jubair also being linked to the LAPSUS$ cybercrime group and the administration of Doxbin. Experts caution that Scattered Spider’s reliance on voice communication for phishing calls exposes their members to easier tracking and investigation, leading to a “get-put-in-jail-quick scheme” for young participants.