British authorities have arrested four individuals in connection with ransomware attacks that disrupted M&S, Co-op, and Harrods earlier this year.
What happened
The UK’s National Crime Agency (NCA) arrested four suspects: a 17-year-old male, two 19-year-old males, and a 20-year-old female in coordinated raids in London and the West Midlands. One of the individuals is Latvian; the rest are English nationals. All four face charges under the Computer Misuse Act, along with blackmail, money laundering, and organized crime offenses.
The arrests follow a string of cyberattacks between late April and early May targeting major British retailers. Marks & Spencer suffered the most severe impact, pausing online orders and forcing customer-wide password resets after confirming a data breach. The attack is expected to cost the company approximately £300 million ($402 million) in losses.
Going deeper
The attackers reportedly attempted to deploy DragonForce ransomware at both M&S and Co-op. Co-op managed to shut down its systems in time, preventing full encryption. M&S, however, was successfully breached.
Investigators believe the suspects are linked to the group known as Scattered Spider, an English-speaking threat actor collective associated with past breaches of companies including MGM Resorts, Coinbase, Caesars, Reddit, and Riot Games. Although the NCA did not name Scattered Spider explicitly, investigators pointed to behavioral patterns and social engineering tactics consistent with the group’s known methods.
Electronic devices were seized during the arrests and will be examined to uncover potential links to additional actors or ongoing campaigns.
What was said
NCA Deputy Director Paul Foster stated, “Today’s arrests are a significant step in that investigation, but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”
Foster also noted that cybercrime investigators had made this case one of the agency’s top priorities due to the scope and impact of the attacks. Despite the arrests, officials cautioned that more suspects may be involved and that the wider network remains active online.
FAQs
What is the DragonForce ransomware used in the attacks?
DragonForce is a relatively new ransomware strain used to encrypt systems and extort payments. It’s designed for rapid deployment and is often paired with data exfiltration.
Why is Scattered Spider considered unique among cybercriminal groups?
Unlike many ransomware groups based in Eastern Europe, Scattered Spider is composed mostly of English-speaking members and relies heavily on social engineering to gain access to corporate systems.
How are retail companies typically targeted by these attackers?
Retailers are often vulnerable due to large customer databases, widespread use of third-party systems, and seasonal surges in online activity, all of which attackers can exploit using phishing or credential theft.
What legal consequences do arrested individuals face under UK law?
Charges under the Computer Misuse Act can lead to significant prison time, especially when paired with organized crime and money laundering allegations.
Could these arrests lead to more action against the broader group?
Yes. Digital evidence from seized devices may reveal additional members or operations, potentially enabling further arrests or disrupting ongoing campaigns.
