British authorities have arrested four individuals in connection with a series of cyberattacks that disrupted operations at major U.K. retailers—Marks & Spencer, Co-op, and Harrods—earlier this year. The National Crime Agency (NCA) announced the arrests on July 10th following a coordinated operation that targeted suspected members of the notorious hacking group known as Scattered Spider.
The suspects—two 19-year-old men (one Latvian and one British), a 20-year-old British woman, and a 17-year-old male—were taken into custody during raids across London, Staffordshire, and the West Midlands. Electronic devices were seized at all three locations, and the individuals are currently being held on suspicion of committing offences under the Computer Misuse Act, along with blackmail, money laundering, and participation in organized crime.
Retail disruption costing hundreds of millions
The arrests follow months of investigation into a coordinated campaign of cyber intrusions that began in April. Marks & Spencer was the first to be impacted, with online services disrupted beginning April 17th, affecting everything from website access to contactless payments and click-and-collect orders. The attack forced the company to suspend digital operations for nearly seven weeks, with estimated financial losses reaching £300 million.
Co-op and Harrods were also targeted in the same time frame, though both companies managed to isolate the attacks more swiftly, limiting the damage. Still, the wave of attacks sent shockwaves through the U.K. retail sector, raising urgent questions about the cyber resilience of even the country's most established brands.
Ties to Scattered Spider and social engineering tactics
Authorities believe the individuals arrested are connected to Scattered Spider, a decentralized hacking collective known for using social engineering and SIM-swapping to infiltrate corporate systems. The group has previously been linked to the DragonForce ransomware-as-a-service operation and has been associated with other high-profile breaches in the United States and Europe.
Scattered Spider is known for its sector-specific targeting strategy, focusing on one industry at a time. Recently, the group has reportedly shifted attention from retail to the insurance sector, according to threat intelligence from Google’s cybersecurity team.
NCA: 'A significant step' in a high-priority investigation
Paul Foster, Deputy Director of the NCA's National Cyber Crime Unit, called the arrests a significant step in an ongoing investigation that remains one of the agency's highest priorities.
"Since these attacks took place, specialist NCA cybercrime investigators have been working at pace," Foster said. "Today's arrests are a significant step in that investigation, but our work continues, alongside partners in the U.K. and overseas, to ensure those responsible are identified and brought to justice."
Foster also praised the retailers involved for their full cooperation with the investigation and highlighted the broader importance of public-private collaboration in responding to cyber threats.
“Cyberattacks can be hugely disruptive for businesses, and I'd like to thank M&S, Co-op, and Harrods for their support," he said. "Hopefully, this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help."
Continued threats, continued response
The broader campaign against these retailers represents one of the most damaging coordinated cyberattacks to hit the U.K. retail sector in recent memory. It underscores the growing threat posed by sophisticated cybercriminal groups that rely not only on malware and ransomware but also on human manipulation, tricking IT staff, resetting credentials, and bypassing security controls with alarming ease.
As forensic analysis of the seized devices continues, the NCA states that it is working closely with international partners to identify and track down additional suspects and prevent future attacks. Experts say the case is another example of how young cyber actors—some barely out of their teens—are increasingly capable of executing highly disruptive operations with global reach.
While the investigation is ongoing, the arrests mark a significant blow to Scattered Spider's operations and demonstrate how rapid, coordinated law enforcement efforts can help disrupt even the most elusive cybercriminal networks.
Follow SecureWorld News for more stories related to cybersecurity.
