In a major breakthrough, UK authorities made four arrests tied to recent cyberattacks on high-profile retailers.
The National Crime Agency (NCA) detained four individuals suspected of targeting Marks & Spencer, Co-op, and Harrods.

The Arrests: Who Was Caught?

The suspects include two 19-year-old males, one 17-year-old male, and a 20-year-old female.
Police arrested them earlier today during coordinated raids in London and the West Midlands.
The group includes both English and Latvian nationals.

Investigators seized electronic devices to gather evidence and identify any accomplices.
The four now face charges related to cybercrime, including blackmail, money laundering, and organized crime offenses.

The Cyberattacks: What Happened?

The UK cyberattack arrests follow a series of attacks between late April and early May 2025.
The threat actors targeted Marks & Spencer, Co-op, and Harrods, causing significant business disruption.

Marks & Spencer was hit the hardest, forced to suspend online orders after the attack.
Hackers stole customer data, leading to a complete password reset for all users.
The financial impact was severe, with losses estimated at over £300 million ($402 million).

Co-op also came under attack but managed to shut down its systems before damage occurred.
The attackers attempted to deploy DragonForce ransomware in both incidents but succeeded only at M&S.

Links to Scattered Spider Group

The cyberattacks were linked to the notorious Scattered Spider hacking group.
This group is known for targeting major companies including MGM, Twilio, Reddit, and DoorDash.
Their tactics often involve social engineering and SIM swapping to gain access to systems.

While the NCA has not officially named Scattered Spider, the attackers’ profile matches previous cases.
The suspects’ ages, methods, and nationalities align with past Scattered Spider incidents across the UK, US, and Spain.

Ongoing Investigations

NCA Deputy Director Paul Foster confirmed the arrests mark significant progress.
“Specialist cybercrime investigators continue working at pace,” Foster said in a public statement.
The investigation remains a top priority for both UK and international law enforcement.

Although four suspects were arrested, authorities believe more members remain active.
The investigation will continue to track down additional culprits involved in the attacks.

The Broader Impact

The UK cyberattack arrests could slow down Scattered Spider’s operations temporarily.
Remaining members may pause activity to avoid detection and arrest.

However, experts warn that full disruption of the group is unlikely.
Scattered Spider is part of a broader collective of hackers who use online platforms like Discord and Telegram.
These communities remain active, sharing tools and coordinating attacks globally.

After targeting retailers, Scattered Spider reportedly shifted focus to insurance, aviation, and transport firms.
The group is also suspected in the recent Qantas breach, which affected 5.7 million customers.
Qantas confirmed the breach exposed sensitive customer information, further highlighting the group’s reach.

What’s Next?

The recent UK cyberattack arrests mark an important step in disrupting cybercrime in the retail sector.
Law enforcement will continue working with international partners to pursue other members.
Retailers, airlines, and other industries must stay vigilant and strengthen cybersecurity defenses.

This case underscores the evolving threat posed by hacker collectives.
It also shows that swift law enforcement action can make a difference in tackling cybercrime.

