British Police Arrest Four in Connection with Cyberattacks on Major Retailers

The UK’s National Crime Agency (NCA) has arrested four individuals suspected of carrying out cyberattacks against prominent British retailers, including Marks & Spencer, Co-op, and Harrods.

The suspects—two 19-year-old men, a 17-year-old minor, and a 20-year-old woman—were detained in coordinated operations across London and the West Midlands. One suspect is a Latvian national; the others are UK citizens.

During the arrests, authorities seized electronic devices believed to contain evidence and leads that may help identify additional conspirators.

The individuals face multiple charges, including violations of the Computer Misuse Act, blackmail, money laundering, and participation in an organized crime group.

The attacks, which took place in April and May 2025, caused widespread disruption and financial losses across the retail sector. Marks & Spencer alone reported losses of $402 million, citing the suspension of online operations and the confirmed theft of customer data.

The attackers attempted to deploy DragonForce ransomware during the breaches at both Co-op and Marks & Spencer. Co-op’s cybersecurity team successfully thwarted the attempt by shutting down systems in time. Marks & Spencer, however, was not as fortunate—their systems were compromised, and virtual machines running VMware ESXi were encrypted.

DragonForce, active since December 2023, refers to itself as a “ransomware cartel.” The group recently launched a white-label service, allowing affiliates to use its infrastructure under their own branding.

Investigators noted that the tactics used in the Marks & Spencer attack resembled those employed by the Scattered Spider group, particularly in their use of social engineering. While the NCA did not directly attribute the attacks to Scattered Spider, the suspects’ age, methodology, and linguistic profile align with the group’s known characteristics.

Also known as Starfraud, Octo Tempest, Muddled Libra, 0ktapus (Group-IB), UNC3944 (Mandiant), and Scatter Swine (Okta), Scattered Spider has been active since 2022. The group initially targeted companies in CRM, BPO, telecom, and tech sectors, using SIM-swapping and other sophisticated forms of social engineering to gain access to internal systems.

Scattered Spider has been linked to high-profile ransomware attacks involving BlackCat (ALPHV), Qilin, and RansomHub, including headline-making breaches of MGM Resorts and Caesars Entertainment.

In late 2023, Mandiant reported that Scattered Spider had compromised more than 100 organizations, primarily across the United States and Canada. Analysts believe the core members are English-speaking individuals aged 16 to 22.

Cybersecurity journalist Brian Krebs has linked some of these individuals to “The Com”—short for “The Community”—a loosely connected cybercrime ring that evolved from financial fraud into large-scale extortion and corporate espionage.

Originally known for stealing cryptocurrency through phishing and SIM-swap attacks, The Com has shifted toward ransomware and data extortion. Its members now operate in increasingly organized structures.

After a wave of attacks on UK retailers earlier this year, the group’s focus reportedly turned to U.S. insurance companies, followed by aviation and transportation sectors. Scattered Spider is suspected in recent data breaches at Qantas (Australia), WestJet (Canada), and Hawaiian Airlines in June 2025.

Sources say the UK arrests could significantly disrupt Scattered Spider’s operations, at least temporarily, as remaining members go underground to avoid detection.

Krebs also identified two of the detained individuals as Owen David Flowers (aka bo764, Holy, Nazi) and Thalha Jubair (aka Earth2Star, Operator). Jubair is reportedly a former member of the notorious LAPSUS$ group—another offshoot of The Com—and is said to have operated as an administrator on Doxbin, a website used for publishing and accessing stolen personal information.
