Scattered Spider: UK-US Hackers Linked to Attacks on M&S and Co-op

By Cicero’s Computer Correspondent | June 12, 2025

LONDON – A notorious cyber gang with alleged ties to both sides of the Atlantic has been accused of orchestrating a devastating series of ransomware attacks on British retail giants Marks & Spencer and the Co-operative Group, prompting a sweeping joint investigation by the UK’s National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI).

The group, known as Scattered Spider, has emerged as a leading name in cybercrime circles. Believed to be made up largely of teenagers and young adults operating in the UK and the United States, the gang has been linked to a wave of high-profile digital raids targeting sectors from hospitality to healthcare. Their most recent foray into UK retail has drawn global scrutiny.

Scattered Spider are believed to be behind the Marks and Spencer and Co-operative ransomware attacks

In April 2025, M&S fell victim to a crippling ransomware attack that paralysed its supply chain and exposed the personal data of nearly 9.4 million customers.

According to internal sources, staff were forced to sleep onsite as warehouse systems failed and in-store card terminals flickered out across the country.

Shortly after, Co-op was also targeted in a similarly brutal digital assault. The attackers allegedly used social engineering tactics to gain access to internal systems, extracting the Active Directory database, potentially compromising tens of millions of records.

Both attacks are now confirmed to involve the DragonForce ransomware, a new malware strain marketed via a “ransomware-as-a-service” cartel, increasingly used by Scattered Spider affiliates.

DragonForce ransomware group operated a “Ransomware-as-a-Service” hired approach to its hacking services

The DragonForce ransomware group poses a severe threat with two ransomware variants: a LockBit fork and a customised Conti fork with advanced features and SystemBC malware.

A source close to UK intelligence described the cyber spree as “a coordinated, deliberate effort to undermine UK critical business infrastructure with psychological, economic, and technological impact.”

The NCA confirmed on Monday that the same gang is a prime suspect in both breaches and is actively being pursued across multiple jurisdictions. In collaboration with the FBI’s Cyber Division, several arrests have already taken place, including:

1. A 17-year-old boy in Walsall, tied to the Las Vegas MGM casino cyberattack

2. A 22-year-old Briton arrested in Spain, believed to be a Scattered Spider organiser

3. Multiple US-based teenagers, including a 19-year-old dubbed “King Bob,” arrested in Florida

Despite these breakthroughs, authorities admit the group remains “active, agile, and difficult to disrupt entirely,” due to its decentralised structure and use of cloud-based RATs (Remote Access Trojans), SIM-swapping, and multi-factor fatigue attacks.

The DragonForce ransomware operation—believed to have splintered from leaked LockBit and Conti code—allows affiliate gangs to rent its digital tools in exchange for a cut of ransoms, turning amateur hackers into potent threats overnight.

One law enforcement official described it as “a tech-savvy crime-as-a-service model with all the ferocity of organised crime but none of the fingerprints.”

Marks & Spencer’s losses are estimated at £300 million, with analysts suggesting an additional £600 million wiped off its market value. Co-op’s incident has forced a near-total overhaul of its IT architecture.

Both companies have since confirmed their cooperation with investigators and strengthened their cyber defences, though industry experts warn this may be just the beginning.

Brief History of Scattered Spider

Scattered Spider, an Advanced Persistent Threat group, has been attacking financial targets since 2022.

They initially targeted telecommunications companies for SIM-swapping capabilities, then contacted victims directly to gain access.

By 2023, they partnered with BlackCat ransomware creators to breach Caesars Entertainment and MGM Resorts.

Scattered Spider’s strategy now focuses on high-value corporate organizations, requiring constant alertness.

Their multi-tiered tactics keep telecom providers as the point of entry, which demands constant alertness. They also use look-alike domains to impersonate victims, such as “victimname-sso.com”, where they host fake Okta login pages.
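As an added example (not part of the original article), here is a defender-side check that screens newly observed domain names for the brand-plus-“sso” look-alike pattern described above. The brand `examplecorp`, the sample domains, the digit-swap table and every keyword other than `sso` are assumptions made for illustration.

```python
import re

# "sso" is the keyword in the article's example; the rest are assumed
# identity/helpdesk lure words added for illustration.
LURE_KEYWORDS = ("sso", "okta", "helpdesk", "servicedesk", "login")
# Assumed digit-for-letter swaps often seen in typosquatted names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def squash(label):
    """Lower-case, drop separators and undo simple digit swaps."""
    return re.sub(r"[-_]", "", label.lower()).translate(HOMOGLYPHS)

def is_legit(domain, legit_domains):
    """True for the organisation's own domains and their subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)

def lure_in_label(label, brand):
    """Return the lure keyword if this DNS label pairs the brand with one."""
    s, b = squash(label), squash(brand)
    if b not in s:
        return None
    rest = s.replace(b, "", 1)  # what surrounds the brand name
    return next((k for k in LURE_KEYWORDS if k in rest), None)

def find_lookalikes(observed, brand, legit_domains):
    """Return (domain, keyword) pairs worth triage, in input order."""
    hits = []
    for raw in observed:
        domain = raw.strip().lower().rstrip(".")
        if not domain or is_legit(domain, legit_domains):
            continue
        for label in domain.split("."):  # also catches brand-sso.<other>.tld
            kw = lure_in_label(label, brand)
            if kw:
                hits.append((domain, kw))
                break
    return hits

# Constructed sample of newly observed domains (e.g. from DNS or CT-log feeds).
SAMPLE = [
    "examplecorp-sso.com",
    "sso.examplecorp.com",        # legitimate subdomain, must not alert
    "examp1ecorp-okta.net",       # digit swap: 1 for l
    "examplecorp-helpdesk.co.uk",
    "examplecorp-careers.com",    # brand without an identity lure word
    "news.example.org",
]

if __name__ == "__main__":
    for domain, kw in find_lookalikes(SAMPLE, "examplecorp", {"examplecorp.com"}):
        print(f"review: {domain} (brand + '{kw}')")
```

Hits are candidates for analyst review and takedown requests, not proof of malicious use; feed the function from whatever new-domain source the organisation already monitors.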

The BBC has recently reported on these attacks in “Inside the High Street Cyberattacks”.

The Bigger Picture

These attacks signal a growing trend in “retail cyberterrorism”, where high-street brands become the frontline victims of ideological mischief and financial blackmail.

The NCA and FBI have now prioritised the dismantling of Scattered Spider as part of a broader strategy to neutralise ransomware syndicates targeting Western economies. However, officials caution that for every affiliate arrested, others quickly emerge.

As the lines blur between cybercrime, youth misadventure, and digital mercenary work, one truth remains: retail, like every other sector, is no longer safe from the web’s darkest corners.


If you have any information related to Scattered Spider, DragonForce, or ransomware activity in your organisation, contact the NCA’s cybercrime division confidentially.
