Trustwave SpiderLabs’ insights, history, and mitigations for Scattered Spider

News | May 2025 | Trustwave

What: Scattered Spider, a sophisticated cybercrime group of young English-speaking hackers, has launched devastating attacks on major UK retailers including M&S, Harrods, and Co-op, combining social engineering with ransomware tactics to cause widespread operational disruption and financial losses.

Why it is important: This coordinated assault on major UK retailers demonstrates the growing vulnerability of integrated retail systems, with recent data showing 30% of retail security incidents now involve ransomware and 41% occur through third-party breaches, highlighting urgent needs for enhanced protection.

Trustwave SpiderLabs' investigation reveals a sophisticated threat group known as Scattered Spider, whose members are predominantly young English speakers aged 17-22 from Western countries. The group has evolved from targeting telecommunications companies to launching devastating attacks on major retailers, demonstrating its ability to combine technical expertise with social engineering. Its recent assault on the UK retail sector has significantly impacted operations at Marks & Spencer, Harrods, and Co-op, forcing the suspension of contactless payments and digital services.

The group's methodology is multi-stage and includes phishing campaigns, direct communication with help desks, and exploitation of identity management systems. Its monetisation strategy primarily involves ransomware deployment and double extortion, as evidenced by previous attacks on MGM Resorts and Caesars Entertainment. The group's success stems from its members' native English and their understanding of corporate environments, which allow them to manipulate staff effectively through various communication channels. Recent law enforcement actions have had some success, including the arrest of a 19-year-old member in Florida, though the group remains active and continues to pose a significant threat to retail operations worldwide.

IADS Notes: The recent wave of Scattered Spider attacks marks a critical escalation in retail cybersecurity threats, as evidenced by the devastating impact on major UK retailers. In April 2025, M&S suffered losses of £3.5 million in daily digital sales and saw £700 million wiped from its market value, while in May 2025, Co-op's subsequent breach exposed data of up to 20 million customers. These incidents reflect broader industry vulnerabilities identified in April 2025 research, showing ransomware accounting for 30% of retail security incidents, with average losses reaching £1.4 million per attack. The sophistication of these threats was dramatically demonstrated in March 2025 when a single security update failure resulted in £5.4 billion in losses across Fortune 500 companies. The retail sector's susceptibility to such attacks is further complicated by its reliance on third-party providers, with February 2025 data revealing that while 86% of retailers use external tools, only 13% fully understand their data collection practices. This series of attacks has prompted a fundamental shift in industry approach, leading to 10% increases in cyber insurance premiums and forcing retailers to prioritise rapid recovery capabilities over complete risk avoidance.

