
Four individuals have been arrested by the UK’s National Crime Agency (NCA) in connection with cyber-attacks that severely disrupted operations at Marks & Spencer (M&S), Harrods and the Co-op.

A 20-year-old woman was detained in Staffordshire, while three males, aged 17 to 19, were arrested in London and the West Midlands. One of the suspects, a 19-year-old man, is a Latvian national; the others are British. Their identities have not been disclosed.

The arrests were made in the early hours of Thursday at the suspects’ homes. Police also seized various electronic devices. The individuals are being held on suspicion of offences under the Computer Misuse Act, as well as blackmail, money laundering, and involvement in an organised crime group.

Paul Foster, head of the NCA’s National Cyber Crime Unit, described the arrests as a “significant step” in the investigation. “Our work continues, alongside UK and international partners, to ensure those responsible are identified and brought to justice,” he said.

Widespread Disruption

The cyber-attacks began in mid-April and have caused extensive disruption. M&S was the first to be breached. Large volumes of personal data belonging to customers and employees were stolen. Ransomware was then deployed, rendering IT systems inoperable unless payment was made. The attackers sent an offensive email to the M&S CEO, demanding a ransom in order to restore its systems.

M&S's operations have been severely affected, with some IT systems expected to remain offline until October or November. The retailer estimates the incident will result in £300 million in lost profits. The chairman of M&S told MPs this week that the hack appeared to be a deliberate attempt to destroy the business.

Co-op also suffered major impacts, with some store shelves left empty for weeks. The company confirmed the breach only after hackers provided proof, alleging that Co-op had downplayed the severity of the attack. It was later learned that Co-op narrowly avoided a ransomware deployment by disconnecting its IT systems from the internet just in time.

The Cyber Monitoring Centre (CMC) has categorized the April 2025 attacks on Marks & Spencer and Co-op as a “single combined cyber event,” estimating financial damages between £270 million ($363 million) and £440 million ($592 million).

Luxury department store Harrods was also targeted, although the attack caused less disruption. Like Co-op, Harrods took precautionary measures by taking its systems offline to prevent further intrusion.

Ongoing Investigation

The NCA’s operation was supported by officers from the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit. Investigations are ongoing, both in the UK and abroad.

While the NCA has not named the criminal group involved, experts suspect the cybercrime collective known as Scattered Spider may be behind the incidents. The group is notorious for its sophisticated social engineering tactics and ransomware deployments, often targeting even well-secured organizations.

A Closer Look At Scattered Spider

Scattered Spider, also known as UNC3944, is a cybercriminal group primarily composed of teenagers and young adults, believed to reside in the United States and the United Kingdom.

The group rose to prominence following high-profile cyberattacks and extortion attempts targeting major casino operators Caesars Entertainment and MGM Resorts International. Beyond these, they have also reportedly targeted companies such as Visa, PNC Financial, Transamerica, New York Life, Synchrony Financial, Truist Bank, Twilio, and, more recently, Snowflake customers.

Scattered Spider typically relies on sophisticated social engineering tactics and deception to gain initial access to an organization. Common entry points include SMS-based phishing (smishing) and voice phishing (vishing). The group is also known to contact external-facing help desks, impersonating legitimate users in an effort to reset passwords or bypass multi-factor authentication (MFA), thereby gaining unauthorized account access.

Their operations often escalate to large-scale data theft and ransomware deployment. This leads to double extortion scenarios, where victims are coerced into paying both to recover their encrypted data and to prevent the public release of stolen information.

Known tactics include:

  • Help desk impersonation: Uses social engineering to convince help desks to reset passwords and MFA material for targeted administrators or other privileged accounts
  • Double extortion: Monetises breaches by both encrypting data and threatening to release it
  • Active Directory compromise: Known to extract NTDS.dit, the primary credential-holding database for Active Directory, from Domain Controllers
  • Lateral movement: Known to abuse RDP, SSH, PsExec and Scheduled Tasks to move across systems within a network
  • Persistence via RMM tools: Abuses remote monitoring and management platforms like AnyDesk to maintain access
  • Ransomware deployment: Has been observed using the DragonForce Ransomware-as-a-Service (RaaS) variant to execute attacks
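Each of the host-level tactics above (NTDS.dit extraction, PsExec and Scheduled Task lateral movement, RMM persistence) leaves telemetry a defender can alert on. The following Python is an added example, not code from the article or from any vendor or tool it names: it runs a small set of detection rules over constructed Windows event log lines. The flat `EventID|Host|k=v;k=v` line format, the sample events, and the `DOMAIN_CONTROLLERS` / `RMM_APPROVED_HOSTS` inventory sets are assumptions made for the example; the event IDs themselves (4688 process creation, 7045 service installation, 4698 scheduled task creation) are the standard Windows Security and System log IDs.

```python
import re
from dataclasses import dataclass

# Constructed inventory (assumption for this example): which hosts are domain
# controllers, and where an RMM client such as AnyDesk is sanctioned. Scoping
# rules to an inventory is what keeps legitimate admin activity from alerting.
DOMAIN_CONTROLLERS = {"DC01"}
RMM_APPROVED_HOSTS = {"ITADMIN01"}
RMM_BINARIES = {"anydesk.exe"}  # the article names AnyDesk; extend as needed
USER_WRITABLE_PATHS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample events in a simplified flat format "EventID|Host|k=v;k=v"
# (not the real EVTX schema). 4688 = process creation, 7045 = service
# installed, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    "4688|DC01|User=svc_backup;Image=C:\\Windows\\System32\\ntdsutil.exe;"
    "CommandLine=ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\temp\\ntds\" q q",
    "7045|FS02|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "4698|WS17|User=helpdesk1;TaskName=\\Updater;"
    "TaskContent=<Exec><Command>C:\\Users\\Public\\run.bat</Command></Exec>",
    "4688|WS17|User=jdoe;Image=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe;"
    "CommandLine=AnyDesk.exe --install",
    "4688|WS17|User=jdoe;Image=C:\\Windows\\System32\\notepad.exe;CommandLine=notepad.exe",
    "4688|DC01|User=svc_backup;Image=C:\\Windows\\System32\\vssadmin.exe;"
    "CommandLine=vssadmin create shadow /for=C:",
]


@dataclass
class Event:
    event_id: int
    host: str
    fields: dict


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one 'EventID|Host|k=v;k=v' line. Values may contain '=' (only the
    first '=' separates key from value) but not ';' in this constructed format."""
    eid, host, rest = line.split("|", 2)
    fields = {}
    for kv in rest.split(";"):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value
    return Event(int(eid), host, fields)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_ad_credential_db(e: Event):
    """NTDS.dit access: ntdsutil IFM export, or a shadow copy created on a DC
    (the usual way to copy the locked database). vssadmin on a workstation is
    routine backup behaviour and is deliberately not alerted."""
    if e.event_id != 4688:
        return None
    image = _basename(e.fields.get("Image", ""))
    cmd = e.fields.get("CommandLine", "").lower()
    user = e.fields.get("User", "?")
    if image == "ntdsutil.exe" and re.search(r"\bifm\b", cmd):
        return f"ntdsutil IFM export (NTDS.dit copy) by {user}"
    if image == "vssadmin.exe" and "create shadow" in cmd and e.host in DOMAIN_CONTROLLERS:
        return f"volume shadow copy created on a domain controller by {user}"
    return None


def rule_psexec_lateral_movement(e: Event):
    """PsExec installs a transient PSEXESVC service on the target host."""
    if e.event_id != 7045:
        return None
    name = e.fields.get("ServiceName", "").lower()
    path = e.fields.get("ImagePath", "").lower()
    if "psexesvc" in name or "psexesvc" in path:
        return f"PsExec service installed: {e.fields.get('ServiceName')}"
    return None


def rule_suspicious_scheduled_task(e: Event):
    """Scheduled task whose action runs from a user-writable directory."""
    if e.event_id != 4698:
        return None
    content = e.fields.get("TaskContent", "").lower()
    if any(p in content for p in USER_WRITABLE_PATHS):
        return f"task {e.fields.get('TaskName')} executes from a user-writable path"
    return None


def rule_unapproved_rmm(e: Event):
    """RMM client started on a host where it is not sanctioned."""
    if e.event_id != 4688:
        return None
    image = _basename(e.fields.get("Image", ""))
    if image in RMM_BINARIES and e.host not in RMM_APPROVED_HOSTS:
        return f"RMM tool {image} started on a non-approved host"
    return None


RULES = [
    ("ad_credential_db", rule_ad_credential_db),
    ("psexec_lateral_movement", rule_psexec_lateral_movement),
    ("suspicious_scheduled_task", rule_suspicious_scheduled_task),
    ("unapproved_rmm", rule_unapproved_rmm),
]


def detect(lines) -> list:
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for name, rule in RULES:
            detail = rule(event)
            if detail:
                alerts.append(Alert(name, event.host, detail))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Running it over the sample lines yields five alerts (the notepad event is the only quiet one). The inventory sets are the part worth tuning in a real deployment: the same vssadmin or AnyDesk activity is benign on a backup server or an IT admin workstation and suspicious on a domain controller or an ordinary user's PC, so the rules key on where the event happened, not only on what ran.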

Alternate Names and Affiliations

While most commonly referred to as Scattered Spider in media and press releases, the group has also been labeled Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra. They are considered part of a broader cybercriminal ecosystem known as “the Community” or “the Com”, which includes individuals responsible for breaches of major U.S. tech firms.

Origins and Early Tactics

Formed around May 2022, Scattered Spider initially focused on attacks against telecommunications companies. Their methods included SIM swapping, MFA fatigue attacks, and phishing via SMS and Telegram. They exploited vulnerabilities like CVE-2015-2291, a Windows anti-DoS flaw, to disable security software and evade detection. The group is known for its technical sophistication, particularly in cloud platforms like Microsoft Azure, Google Workspace, and AWS, often leveraging legitimate remote-access tools.

Transition to Critical Infrastructure & Casinos

After targeting infrastructure sectors, the group shifted focus to casinos in 2023.

MGM Resorts Hack

On September 11, 2023, Scattered Spider infiltrated MGM Resorts by impersonating an employee during a call to the company’s help desk, using LinkedIn for social engineering. The next day, MGM reported the breach in a Form 8-K filing with the SEC. The attack disabled hotel systems, including ATMs, room keys, food and beverage credits, and parking charges. Scattered Spider partnered with ALPHV, a ransomware-as-a-service (RaaS) provider.

In July 2024, a 17-year-old from the UK was arrested in connection to the hack. He was released on bail pending trial.

Caesars Entertainment Hack

Scattered Spider reportedly extorted Caesars Entertainment by demanding a $30 million ransom, of which the company paid $15 million. The breach compromised personal data including driver's license numbers and potentially Social Security numbers. Caesars admitted it could not guarantee the deletion of the stolen data.

There is some dispute over whether Scattered Spider was solely responsible for the Caesars attack, with conflicting reports suggesting involvement from another group.

Aftermath and Lawsuits

Both companies experienced stock drops following the attacks. MGM’s CEO admitted the company was “completely in the dark” during the incident. The FTC and FBI launched investigations, and Moody’s warned of potential credit rating downgrades due to MGM’s operational disruption.

Class-action lawsuits were filed against both MGM and Caesars, alleging negligence in securing customer data. In January 2025, MGM settled for $45 million.

Snowflake Data Breaches

Scattered Spider members were later tied to breaches involving Snowflake customers, where they stole large volumes of data and demanded ransoms. Victims included AT&T, Ticketmaster, Advance Auto Parts, LendingTree, and Neiman Marcus, among nearly 100 organizations.

Mitigate The Threat: Defensive Security Recommendations

To safeguard against threats such as Scattered Spider, implement the following security measures:

  • Strengthen Help Desk Procedures: Enforce strict identity verification to reduce the risk of social engineering attacks.
  • Use Phishing-Resistant MFA: Implement multi-factor authentication methods like number matching or hardware tokens instead of basic push notifications for all remote access.
  • Ensure Complete Endpoint Coverage: Deploy and maintain fully configured Endpoint Detection and Response (EDR) tools with real-time alert monitoring across all devices.
  • Filter Web Traffic: Utilize web proxies to block access to suspicious or malicious websites.
  • Monitor Critical Data Stores: Leverage solutions like Varonis to identify unusual data access patterns that may signal a breach in progress.
  • Run Red-Team Exercises: Regularly simulate attacks, especially those targeting Active Directory, to identify and address vulnerabilities.
  • Restrict Server Internet Access: Enforce default-deny firewall rules and only allow essential domains and IP addresses.
  • Keep Systems Updated: Regularly patch and update all operating systems and applications to close security gaps.
  • Maintain Secure Backups: Store backups offline and test them frequently to ensure reliable recovery during an incident.
