NCA Arrests Four Suspects in Devastating Cyberattacks on M&S, Co-op & Harrods
13th July 2025, Kathmandu
The UK’s National Crime Agency (NCA) has made a significant breakthrough in the ongoing investigation into the severe cyberattacks that crippled operations at major retailers Marks & Spencer (M&S), the Co-op, and luxury department store Harrods.
NCA Arrests Four Suspects
Four individuals have been arrested in connection with the devastating incidents that began in mid-April.
In early morning raids on Thursday, a 20-year-old woman was detained in Staffordshire, alongside three males aged 17 to 19 arrested in London and the West Midlands. One of the suspects, a 19-year-old, is a Latvian national, while the others are British. Their identities have not yet been disclosed. Authorities seized various electronic devices from their homes. The suspects are being held on suspicion of offenses under the Computer Misuse Act, as well as blackmail, money laundering, and involvement in an organized crime group.
Paul Foster, head of the NCA’s National Cyber Crime Unit, lauded the arrests as a “significant step” in the complex investigation. “Our work continues, alongside UK and international partners, to ensure those responsible are identified and brought to justice,” he stated.
Widespread Disruption and Significant Financial Impact
The cyberattacks caused extensive and prolonged disruption across the affected businesses. M&S bore the brunt of the assault, with large volumes of customer and employee data stolen before ransomware was deployed, rendering IT systems inoperable. The attackers even sent an offensive email to the M&S CEO, demanding a ransom to restore operations.
M&S’s operations have been severely impacted, with some IT systems projected to remain offline until October or November. The retailer estimates the incident will result in a staggering £300 million in lost profits. The chairman of M&S recently told MPs that the hack appeared to be a deliberate attempt to destroy the business.
Co-op also suffered major disruptions, leading to empty store shelves for weeks. The company confirmed its breach only after hackers provided undeniable proof, amid allegations that Co-op had initially downplayed the attack’s severity. It was later revealed that Co-op narrowly averted a full ransomware deployment by disconnecting its IT systems from the internet just in time.
The Cyber Monitoring Centre (CMC) has categorized the April 2025 attacks on Marks & Spencer and Co-op as a “single combined cyber event,” estimating total financial damages between £270 million ($363 million) and £440 million ($592 million).
Luxury retailer Harrods was also targeted, though the attack resulted in less severe disruption. Similar to Co-op, Harrods took proactive measures by taking its systems offline to prevent further intrusion and mitigate damage.
Ongoing Investigation and Suspected Link to Scattered Spider
The NCA’s operation received support from regional organized crime units. Investigations are ongoing, extending both within the UK and internationally.
While the NCA has not officially named the criminal group involved, cybersecurity experts widely suspect the notorious cybercrime collective known as Scattered Spider (also called UNC3944, Star Fraud, Octo Tempest, Scatter Swine, or Muddled Libra) may be behind these incidents.
This group, primarily composed of teenagers and young adults believed to be in the US and UK, is infamous for its sophisticated social engineering tactics and aggressive ransomware deployments, even against well-secured organizations.
Scattered Spider rose to prominence following high-profile attacks on major casino operators Caesars Entertainment and MGM Resorts International in 2023. They have also reportedly targeted financial institutions and tech firms like Visa, PNC Financial, Twilio, and, more recently, customers of Snowflake.
Their common tactics include:
Social Engineering: Impersonating help desk personnel, SMS-based phishing (smishing), and voice phishing (vishing) to gain initial access.
MFA Bypass: Exploiting weaknesses to reset passwords or bypass multi-factor authentication.
SIM Swapping: Gaining control over phone numbers to bypass authentication.
Data Theft & Double Extortion: Stealing large volumes of data and deploying ransomware, then demanding payment to both decrypt data and prevent public release of stolen information.
Active Directory Compromise: Extracting critical credential databases like NTDS.dit.
Persistence: Abusing remote monitoring and management tools like AnyDesk.
Ransomware Deployment: Known to use DragonForce Ransomware-as-a-Service (RaaS).
The MGM Resorts hack, for instance, involved Scattered Spider impersonating an employee to gain help desk access, leading to widespread system outages. Similarly, Caesars Entertainment reportedly paid a $15 million ransom after a data breach attributed to the group. Members of Scattered Spider were also recently tied to breaches affecting numerous Snowflake customers, including AT&T and Ticketmaster.
Mitigating the Threat: Defensive Security Recommendations
To safeguard against sophisticated threats like Scattered Spider, organizations must implement robust security measures:
Strengthen Help Desk Procedures: Enforce strict identity verification to thwart social engineering.
Use Phishing-Resistant MFA: Deploy number matching or hardware tokens over basic push notifications for all remote access.
Ensure Complete Endpoint Coverage: Implement and monitor fully configured Endpoint Detection and Response (EDR) tools.
Filter Web Traffic: Use web proxies to block access to suspicious sites.
Monitor Critical Data Stores: Utilize tools to identify unusual data access patterns.
Run Red-Team Exercises: Regularly simulate attacks, especially targeting Active Directory, to find and fix vulnerabilities.
Restrict Server Internet Access: Employ default-deny firewall rules, allowing only essential traffic.
Keep Systems Updated: Regularly patch and update all operating systems and applications.
Maintain Secure Backups: Store backups offline and test them frequently for reliable recovery.
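The "Monitor Critical Data Stores" recommendation above is easy to state and harder to operationalize. The following is an added example, not code from the article or from any of the affected retailers, showing one simple way to do it: baseline each user's normal daily read volume and number of distinct objects touched on a file share, then flag days that exceed the user's own median by a large factor. The CSV-style audit format, the user names and the share paths are all constructed for this demonstration; a real deployment would feed it file-server or database audit logs instead.

```python
"""
Added example: flag unusual data-access volume in file-server audit logs.
Each user's other days form the baseline (median), so a single large day
does not inflate its own threshold. Log format and data are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records: ISO timestamp, user, object path, bytes read.
SAMPLE_LOG = """
2025-04-07T09:12:00Z,alice,/share/hr/policy.docx,80000
2025-04-07T14:30:00Z,alice,/share/hr/leave.xlsx,120000
2025-04-08T10:05:00Z,alice,/share/hr/policy.docx,80000
2025-04-08T16:20:00Z,alice,/share/hr/onboarding.pdf,150000
2025-04-09T09:45:00Z,alice,/share/hr/leave.xlsx,120000
2025-04-10T11:00:00Z,alice,/share/hr/policy.docx,80000
2025-04-10T15:10:00Z,alice,/share/hr/benefits.pdf,90000
2025-04-07T09:00:00Z,bob,/share/eng/design.md,40000
2025-04-08T09:00:00Z,bob,/share/eng/design.md,40000
2025-04-09T09:00:00Z,bob,/share/eng/spec.pdf,60000
2025-04-10T09:00:00Z,bob,/share/eng/design.md,40000
2025-04-11T09:00:00Z,bob,/share/eng/spec.pdf,60000
"""
# Constructed spike: in the early hours of 2025-04-11, "alice" reads
# 60 distinct HR files of 1 MB each, far outside her usual pattern.
SAMPLE_LOG += "".join(
    f"2025-04-11T02:{i:02d}:00Z,alice,/share/hr/employee_{i:03d}.pdf,1000000\n"
    for i in range(60)
)


def parse_log(text):
    """Parse CSV-style audit lines into (timestamp, user, path, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, path, nbytes = line.split(",")
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, user, path, int(nbytes)))
    return events


def daily_activity(events):
    """Aggregate per user, per day: total bytes read and distinct objects touched."""
    bytes_by_day = defaultdict(lambda: defaultdict(int))
    objects_by_day = defaultdict(lambda: defaultdict(set))
    for ts, user, path, nbytes in events:
        day = ts.date()
        bytes_by_day[user][day] += nbytes
        objects_by_day[user][day].add(path)
    return bytes_by_day, objects_by_day


def find_anomalies(events, volume_factor=10.0, object_factor=10.0, min_baseline_days=3):
    """
    For each user and day, compare that day's byte volume and distinct-object
    count against the median of the user's *other* days. Days exceeding either
    threshold are returned as (user, "YYYY-MM-DD", reason) tuples.
    """
    bytes_by_day, objects_by_day = daily_activity(events)
    findings = []
    for user, days in bytes_by_day.items():
        for day, total in sorted(days.items()):
            other_days = [d for d in days if d != day]
            if len(other_days) < min_baseline_days:
                continue  # not enough history to judge this user yet
            base_bytes = median(days[d] for d in other_days)
            base_objs = median(len(objects_by_day[user][d]) for d in other_days)
            n_objs = len(objects_by_day[user][day])
            reasons = []
            if total > volume_factor * base_bytes:
                reasons.append(f"bytes {total} > {volume_factor}x median {base_bytes:.0f}")
            if n_objs > object_factor * base_objs:
                reasons.append(f"objects {n_objs} > {object_factor}x median {base_objs:.0f}")
            if reasons:
                findings.append((user, day.isoformat(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, day, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user} {day}: {reason}")
```

Using the median of the other days rather than the mean is a deliberate choice: a single large day would otherwise raise its own baseline and hide itself. The factors and the minimum history length are tuning knobs; in practice they would be set per data store, and the alert would be routed alongside the help-desk and MFA-reset telemetry the earlier recommendations call for.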
The arrests mark a significant development in bringing those responsible for these costly and disruptive cyberattacks to justice, while also serving as a stark reminder of the persistent and evolving threat posed by organized cybercrime groups.