Major Breakthrough: Four Arrested in £440M Cyber Attacks on UK Retail Giants
NCA Makes Significant Progress in Investigation into Attacks on M&S, Co-op, and Harrods
Bottom Line Up Front: Four young people, including a 17-year-old and three individuals aged 19-20, have been arrested by the UK's National Crime Agency in connection with devastating cyber attacks that cost major retailers up to £440 million and forced Marks & Spencer offline for nearly seven weeks.
In a significant development in one of the UK's most high-profile cybercrime investigations, the National Crime Agency (NCA) announced Thursday the arrest of four individuals connected to ransomware attacks that crippled major British retailers earlier this year.
The Arrests: Young Suspects Behind Massive Disruption
The coordinated arrests took place Thursday morning (July 10, 2025) across London, the West Midlands, and Staffordshire. Two males aged 19, another aged 17, and a 20-year-old female were apprehended at their home addresses on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group. One of the 19-year-old men is from Latvia, while the others are British nationals.
All four had their electronic devices seized for digital forensic analysis and remain in custody for questioning by officers from the NCA's National Cyber Crime Unit. The operation was supported by the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit.
The Attacks: A Perfect Storm for UK Retail
The arrests stem from a series of devastating cyber attacks that struck three of Britain's most prominent retailers within weeks of each other in April and May 2025:
Marks & Spencer: The Hardest Hit
M&S suffered the most severe attack, with a ransomware incident that forced the company to suspend online clothing sales for nearly seven weeks and cost it approximately £300 million ($400 million) in operating profit. Sources indicate that threat actors infiltrated the company's environment as early as February 2025, stealing the Active Directory database before ultimately deploying the DragonForce ransomware encryptor on VMware ESXi hosts on April 24th.
The attack severely disrupted M&S's digital operations, affecting everything from online ordering to in-store payment systems. M&S chairman Archie Norman told MPs earlier this week that the cyber attack had been "traumatic" and likened the experience to an "out-of-body" moment. When pressed about whether the retailer paid a ransom, Norman declined to comment, citing ongoing cooperation with law enforcement.
Co-op: Swift Response Limits Damage
The Co-op Group was targeted in a similar attack shortly after M&S. Co-op moved to a "recovery phase" in May, having suffered severe availability issues during the attack. An internal memo from Co-op's CIO revealed that VPN access was suspended for all staff, and employees were cautioned to be extremely vigilant on email and Microsoft Teams, with meetings requiring camera verification of all attendees.
Co-op saw payments disrupted and shelves become bare from May because of the fallout of its cyber attack. Hackers also stole Co-op members' personal data, such as names and contact details. However, the company's rapid response appears to have prevented the worst-case scenario.
Harrods: Luxury Retailer Under Siege
Harrods confirmed in May that it had experienced "attempts to gain unauthorised access" to its systems, prompting immediate action from its IT security team and restricting internet access across its websites. While the luxury department store managed to keep its physical stores operational, the incident highlighted the broad scope of the attackers' targeting.
The Threat Actors: A Web of International Cybercrime
Investigations have revealed a complex web of cybercriminal collaboration behind these attacks. The attacks on M&S, Co-op and Harrods have been attributed to Scattered Spider - a loose affiliation of hackers, many thought to have English as their first language - and ransomware-as-a-service group DragonForce.
Scattered Spider: The Access Specialists
Scattered Spider (also known as Roasted 0ktapus and Scatter Swine) is a financially motivated threat actor that has been active since May 2022. The group is believed to be responsible for ransomware attacks two years ago on casino giants MGM Resorts and Caesars Entertainment.
Scattered Spider is most notable for its adeptness at social engineering, defence evasion, and advanced persistence mechanisms. To gain initial access to target networks, the group relies on social engineering attacks, including phishing, SIM swapping, and multi-factor authentication (MFA) bombing.

DragonForce: The Ransomware Cartel
DragonForce is a ransomware operation that launched in December 2023 and has recently begun promoting a new service that allows cybercrime teams to white-label its services. In March 2025, the group launched "RansomBay," a white-label service that lets affiliates rebrand the ransomware under a different name. Affiliates pay a 20% cut of any ransom haul and keep the rest, while DragonForce handles the underlying infrastructure, technical support and leak-site hosting.
As of this month, DragonForce has listed 158 victims, and in March the crew rebranded itself as a "cartel" that enables affiliates to create their own brands.
Financial Impact: Staggering Costs Across Retail Sector
According to the Cyber Monitoring Centre (CMC), the April 2025 cyber attacks targeting Marks & Spencer and Co-op have been classified as a "single combined cyber event" with a financial impact of anywhere between £270 million ($363 million) and £440 million ($592 million).
The attacks came during a critical period for retailers, with the Easter season representing a significant sales opportunity. M&S was the first of the retailers to be targeted by the hackers, with the retailer shutting a raft of systems down in response on Easter Sunday.
Law Enforcement Response: International Collaboration
Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said: "Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency's highest priorities."
Earlier this week, M&S chairman Archie Norman declined to directly answer MPs when asked whether the retailer had paid the attackers a ransom. On Tuesday, Norman told lawmakers that the retailer had also contacted the U.S. FBI regarding the cyberattack.
Foster emphasized the importance of victim cooperation, stating: "Cyber attacks can be hugely disruptive for businesses and I'd like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help."
Broader Implications: Rising Threat to Retail Sector
The attacks represent part of a troubling trend targeting the retail sector. Retail organizations accounted for 11 percent of data leak site victims in 2025 thus far, up from about 8.5 percent in 2024 and six percent in 2022 and 2023.
Google's Mandiant threat intelligence team issued a warning that the criminal group behind the UK attacks has now turned its attention to similar companies in the United States. This international expansion highlights the global nature of the threat and the need for coordinated international response.
Corporate Statements: Gratitude for Law Enforcement Action
The affected retailers welcomed the arrests while emphasizing their ongoing cooperation with authorities:
- M&S spokeswoman: "We welcome this development and thank the NCA for its diligent work on this incident."
- Co-op spokeswoman: "Hacking is not a victimless crime... Throughout this period, we have engaged fully with the NCA, and relevant authorities and are pleased on behalf of our members to see this had led to these arrests today."
Looking Forward: Ongoing Investigation
Foster noted that "Today's arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice."
The investigation remains active, with authorities continuing to work with international partners to identify and prosecute all individuals involved in these sophisticated attacks. The arrests of such young perpetrators also highlight concerns about youth involvement in serious cybercrime and the need for prevention and education efforts.
The case serves as a stark reminder of the vulnerability of major corporations to sophisticated social engineering attacks and the critical importance of robust cybersecurity measures, particularly in sectors that handle sensitive customer data and financial transactions.
This story is developing. The suspects remain in custody as the investigation continues.