
British Police Arrest Four Individuals Involved in Attacks on Retailers

The UK’s National Crime Agency (NCA) arrested four individuals suspected of involvement in attacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.

Among those arrested are two 19-year-old teenagers, one 17-year-old teenager, and a 20-year-old woman, who were detained in London and the West Midlands. One of the arrested individuals is Latvian, while the others are British citizens.

It has been reported that the police have confiscated the suspects’ electronic devices to examine them for evidence or information that could help identify possible accomplices.

All suspects have been charged with offenses under the Computer Misuse Act, extortion, money laundering, and participation in an organized crime group.

The arrested individuals are believed to be connected to attacks on well-known retail chains in the United Kingdom, including Harrods, Co-op, and Marks & Spencer. The breaches occurred in April and May 2025, resulting in widespread store disruptions and negative impacts on businesses.

For example, Marks & Spencer estimates the damage from the attack at $402 million, as the company was forced to suspend online orders and later confirmed that hackers had stolen customer data.

During the attacks on Co-op and Marks & Spencer, the perpetrators attempted to deploy the DragonForce ransomware on the victims’ systems. However, the attack was only successful in the case of Marks & Spencer, as Co-op’s specialists managed to shut down their systems before the ransomware was deployed.

DragonForce describes itself as a “ransomware cartel” and has been active since December 2023. Recently, this group began promoting a new service that allows other hackers to use its services under their own “brands” (white-label).

In the case of the Marks & Spencer breach, social engineering tactics similar to those used by the Scattered Spider group were employed. As a result, the attackers successfully encrypted the VMware ESXi virtual machines hosted on the company’s servers.

Although the NCA does not mention Scattered Spider in its statement, the ethnicity, social engineering tactics, and age of those arrested match the typical profile of the group’s participants.

The Scattered Spider group is also known by other names: Starfraud, Octo Tempest, Muddled Libra, 0ktapus (Group-IB), UNC3944 (Mandiant), and Scatter Swine (Okta).

The group is believed to have been active since 2022, and its financially motivated attacks previously targeted organizations in the customer relationship management (CRM), business process outsourcing, telecommunications, and technology sectors.

Typically, the hackers employ complex social engineering schemes, often combined with SIM card swapping (SIM swap). Specifically, Scattered Spider is known for high-profile attacks using the BlackCat (Alphv), Qilin, and RansomHub ransomware, including attacks against MGM Resorts and the casino network Caesars Entertainment.

Back in the fall of 2023, Mandiant specialists warned that Scattered Spider had hacked at least 100 organizations, primarily located in the United States and Canada. At that time, cybersecurity experts concluded that the main members of Scattered Spider are English-speaking teenagers aged 16 to 22.

According to well-known cybersecurity journalist Brian Krebs, members of Scattered Spider are also linked to the relatively new criminal phenomenon known as Com (sometimes The Comm or The Com, short for Community).

Initially, the group was involved in financial fraud, but its members then moved on to more sophisticated attacks using social engineering aimed at stealing cryptocurrency from individuals. They also began targeting large companies with the goal of extortion.

This year, following a series of attacks on British retailers, the perpetrators shifted their focus to American insurance companies, and then to aviation and transportation organizations. In particular, Scattered Spider is suspected of being behind the recent breach of the Australian airline Qantas. In June 2025, similar breaches also affected the Canadian airline WestJet and the American carrier Hawaiian Airlines.

It is believed that the arrests in the UK may halt the ongoing Scattered Spider campaigns, as the remaining members of the group may now pause and remain inactive for some time.

Meanwhile, Brian Krebs reported that among those arrested are Owen David Flowers (also known as bo764, Holy, and Nazi) and Thalha Jubair (also known as Earth2Star and Operator).

According to Krebs, Jubair was one of the key members of the LAPSUS$ group, another offshoot of The Com. The journalist also writes that until recently, Jubair served as the administrator of the Doxbin website, where anyone can post personal information about their victim or find someone else’s personal data among information on hundreds of thousands of people who have already been subjected to doxing.
