Four suspects detained
The UK’s National Crime Agency (NCA) has arrested four people suspected of carrying out a series of crippling cyber attacks on major British retailers, including Marks & Spencer, Co-op, and Harrods.
The arrests involving three men and one woman, aged between 17 and 20, took place at residential addresses in the West Midlands and London.
The attacks, which occurred in April 2025, triggered major disruptions, causing significant product shortages and losses running into hundreds of millions of pounds for the affected retailers.
The NCA’s head of cyber crime, Paul Foster, called the arrests a “significant step” but confirmed that investigations are ongoing in collaboration with international partners.
Scattered Spider under scrutiny
Although the NCA has not officially confirmed the group responsible, sources close to the investigation believe the suspects are linked to the notorious hacking collective known as Scattered Spider.
This loosely organised cyber crime network, made up primarily of young, English-speaking hackers, specialises in extortion through data theft. Their modus operandi often involves infiltrating IT support systems in large companies.
Security experts have previously connected Scattered Spider to several prominent cyber breaches.
The group is believed to use ransomware software sourced from other criminal syndicates, including the Russian-speaking DragonForce – another group named in this case.
Retailers hit hard
Marks & Spencer and the Co-op were among the most visibly affected by the April attacks. M&S experienced stock shortages across its stores and turned to the US FBI for support.
Chair Archie Norman recently described the incident as “traumatic” in a parliamentary appearance, noting that the company faced a long road to rebuild its systems.
Norman also confirmed that M&S believed DragonForce was behind the attack, with tools supplied to Scattered Spider, further highlighting the global nature of the cyber criminal ecosystem.
Corporate response and public support
The companies targeted welcomed the arrests. M&S expressed its gratitude to the NCA for its “diligent work,” while the Co-op issued a statement calling hacking “not a victimless crime,” emphasising the impact on its members and operations.
The Harrods department store has yet to comment publicly but is understood to have also suffered significant operational disruption.
Investigation far from over
Despite the breakthrough arrests, the NCA made it clear that its operation is ongoing.
“Our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice,” said Foster.
Cyber crime continues to evolve rapidly, and UK authorities are increasingly reliant on international cooperation to tackle global criminal networks.
The April attacks underscore the growing threat posed by ransomware gangs and the urgent need for robust corporate cyber defences.
