The U.K. National Crime Agency (NCA) has announced the arrest of four individuals in connection with significant cyber attacks targeting major British retailers, including Marks & Spencer, Co-op, and Harrods. The arrests, made across the West Midlands and London, are a crucial development in the ongoing investigation into a series of sophisticated cybercrimes that have caused considerable financial damage. The operation highlights the growing threat of organized cybercrime groups and U.K. law enforcement’s efforts to combat them.
The individuals arrested include two 19-year-old men, a 17-year-old male, and a 20-year-old woman. They are suspected of offenses under the Computer Misuse Act, blackmail, money laundering, and involvement with an organized crime group. All four were apprehended at their residences, and investigators have seized electronic devices for forensic analysis. The NCA emphasized that the investigation remains a top priority, with ongoing collaboration with domestic and international partners to identify and bring all responsible parties to justice.
NCA Arrests Suspects in Major Retail Cyber Attacks
The cyber attacks, which primarily affected Marks & Spencer and Co-op in April 2025, have been classified by the Cyber Monitoring Centre (CMC) as a single, combined cyber event. The estimated financial impact is substantial, ranging from £270 million ($363 million) to £440 million ($592 million). While the NCA has not publicly identified the specific organized crime group involved, intelligence suggests a potential link to the decentralized cybercrime crew known as Scattered Spider. This group is recognized for its advanced social engineering tactics, which it uses to infiltrate organizations and deploy ransomware.
In a U.K. Parliament hearing on July 8, Marks & Spencer confirmed that the attack on its systems was ransomware-related and attributed it to the DragonForce ransomware group, working in conjunction with other “loosely aligned” actors. Experts note that while ransomware remains a persistent threat, organizations like Scattered Spider present a particularly capable and resilient adversary. Their effectiveness stems from a combination of social engineering expertise and a relentless pursuit of initial access, even against organizations with robust security measures.
The majority of individuals associated with financially motivated cybercrime groups like Scattered Spider are young, native English speakers. This demographic profile can be advantageous for them, allowing them to build trust with targets through simulated IT help desk calls, impersonating employees to extract sensitive information. Scattered Spider is believed to be part of a larger, loosely structured collective known as The Com, which is implicated in a wide array of criminal activities, including social engineering, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping, and even murder.
Scattered Spider: Tactics and Impact
According to cybersecurity analysts, Scattered Spider exhibits a calculated and opportunistic targeting strategy. They reportedly rotate their focus across different industries and geographical locations, driven by factors such as visibility, potential financial returns, and law enforcement scrutiny. Google-owned Mandiant has observed that Scattered Spider tends to concentrate on a single sector at a time while maintaining consistent tactics, techniques, and procedures (TTPs). A common tactic involves setting up phishing domains that closely mimic legitimate corporate login portals, designed to trick employees into divulging their credentials.
To counter such threats, cybersecurity experts recommend proactive measures such as enhanced training for IT help desk staff on robust identity verification processes and the deployment of phishing-resistant multi-factor authentication (MFA). Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, described the recent arrests as a “significant win” in the fight against this e-crime syndicate and underscored the importance of international cooperation in addressing these complex threats. He noted that the group’s aggressive social engineering tactics and persistent pursuit of access have caused considerable damage to organizations in both the U.K. and the U.S.
Carmakal further stated that previous arrests of Scattered Spider members have led to noticeable lulls in their activities, creating a critical window for organizations to fortify their defenses against this collective. These law enforcement actions have historically disrupted their operations, highlighting the impact of targeted enforcement efforts on the group’s ability to mount large-scale attacks.
Update: Identified Suspects and Future Implications
Independent cybersecurity journalist Brian Krebs has identified two of the arrested 19-year-olds as Owen David Flowers, also known online as bo764, Holy, and Nazi, and Thalha Jubair, known as Earth2Star and Operator. Jubair is also alleged to have been a core member of the LAPSUS$ cybercrime group, another offshoot of The Com. He reportedly served as the administrator for Doxbin, a website used for doxing individuals, until recently. The arrests of these young individuals point to a pattern observed by threat researchers, where younger members are often the front-line operators in schemes that expose them to rapid investigation and prosecution.
Zach Edwards, a Threat Researcher at Silent Push, commented that the arrests signal law enforcement’s increasing focus on individuals involved in communities that facilitate serious, large-scale cybercrimes. He noted that Scattered Spider’s leadership may be increasingly exposing its younger members by shifting towards tactics that rely heavily on voice communication, such as voice phishing calls to customer support lines. This method, while perhaps appearing lucrative in the short term to the young operatives, creates a “fingerprint” that investigators can use to track them effectively. Edwards expressed surprise at this strategic shift, as it moves away from online infrastructure that offered greater anonymity and protection.
The ongoing investigation and these arrests represent a significant step in dismantling the operational capabilities of groups like Scattered Spider. The U.K. NCA and its international partners will likely continue to pursue leads and apprehend further individuals involved. The effectiveness of these efforts will depend on sustained international cooperation and the ability to adapt to the evolving tactics of sophisticated cybercrime syndicates. Organizations are advised to maintain vigilance and continuously strengthen their cybersecurity postures, particularly against social engineering and ransomware threats.

