Hoplon InfoSec
04 May, 2025
Marks & Spencer, one of the UK’s most iconic retail giants, has recently been the target of a devastating cyberattack. What began as mysterious glitches in its online systems quickly escalated into widespread service disruptions, halting online orders, affecting staff recruitment portals, and leaving store shelves understocked. Customers encountered issues with payments and click-and-collect services, while backend operations were brought to a standstill.
As investigators raced to trace the source of the breach, one name began surfacing in expert circles and cybersecurity briefings: Scattered Spider, a digital hacking group that has been gaining notoriety worldwide.
Scattered Spider, known under various aliases such as UNC3944, Octo Tempest, and Muddled Libra, isn’t your average cybercrime group. It’s a loose-knit yet highly coordinated collective of hackers, many believed to be English-speaking, Gen Z individuals, operating primarily from the UK and the US.
This is a rare characteristic in the cybercrime world, where most high-profile threat groups are based in jurisdictions like Russia, China, or North Korea. Scattered Spider’s proximity to Western law enforcement hasn’t made them more cautious; it has made them bolder and more adaptive.
Their organizational model is also unique: rather than working under a strict hierarchy, the group operates more like a digital collective. This decentralized structure enables them to stay agile. Despite several arrests in 2023 and 2024, the group reemerged quickly under new handles, tactics, and affiliations.
Unlike traditional cybercriminals who rely heavily on sophisticated malware or network vulnerabilities, Scattered Spider specializes in social engineering—manipulating humans rather than machines. Their attacks often begin with something deceptively simple: a phone call, a fake login page, or a phishing email.
SIM Swapping: Convincing a mobile carrier to transfer a target’s phone number to a new SIM card. This gives them control of SMS-based two-factor authentication.
They use everyday tools against unsuspecting employees and are very good at it.
Scattered Spider gained mainstream attention in September 2023 when they orchestrated an attack on MGM Resorts, one of the world’s largest casino and hotel operators. That single breach cost MGM over $100 million in losses, not including reputational damage and lawsuits.
In the same month, Caesars Entertainment was also hit, and it’s believed they paid the hackers $15 million in ransom to prevent further damage.
Fast forward to 2025, and their fingerprints appear on the Marks & Spencer cyberattack, which has caused online sales to stall, job applications to freeze, and stock prices to drop by over £700 million.
Reports suggest they used ransomware from a toolkit called DragonForce, locking key business systems and demanding payment for decryption. Although M&S hasn’t confirmed details publicly, cybersecurity analysts suspect that Scattered Spider, or one of its affiliates, is behind the breach.
Shortly after the M&S attack, Harrods and Co-op also confirmed experiencing cybersecurity incidents. While it’s not yet verified whether these attacks are connected, the timing and nature of the disruptions point to a coordinated campaign or a copycat trend inspired by Scattered Spider’s tactics.
The retail sector is especially vulnerable due to:
Experts fear this could start a broader wave of ransomware and phishing attacks targeting retail, e-commerce, and logistics firms.
Scattered Spider belongs to a new era of cybercriminals—young, native English speakers, deeply familiar with the corporate tools and platforms they exploit.
This fluency gives them a strategic advantage. They can convincingly impersonate IT staff on calls, craft near-perfect phishing messages, and navigate corporate systems like insiders. Many are reportedly active on Telegram, Reddit, or Discord, where they recruit, collaborate, and share stolen data.
Cybersecurity firm CrowdStrike has identified links between Scattered Spider and “the Comm,” a broader cybercrime community with ties to other infamous groups such as:
By working across these networks, Scattered Spider can scale their attacks, renting out malware, sharing stolen credentials, or selling access to breached systems.
Retail companies often operate on tight margins and depend heavily on real-time IT systems to manage inventory, logistics, customer service, and e-commerce. This dependence makes them highly susceptible to disruption and, therefore, more likely to pay ransoms quickly.
Here’s why Scattered Spider and similar groups are drawn to this sector:
The full damage from the M&S attack is still being assessed, but early signs indicate:
While customer data leaks have not been confirmed yet, experts warn that the aftermath of such attacks often unfolds over weeks or months.
The attack on Marks & Spencer by the group known as Scattered Spider marks a turning point in the cybersecurity landscape. This is not a shadowy group operating from a bunker in a foreign country—it’s a digital native collective, fluent in corporate jargon and social manipulation, capable of paralyzing a billion-pound business with a few phone calls and phishing links.
What happened to M&S isn’t just a business story. It’s a warning to companies, employees, and everyday consumers that cybercrime is evolving rapidly.
The next frontier of hacking isn’t just about stealing data. It’s about control, disruption, and forcing modern society to ask one uncomfortable question:
What happens when the systems we trust break?
At Hoplon Infosec, we specialize in helping companies defend against these evolving threats. From endpoint protection and email security to threat modeling and offensive security assessments, our solutions are designed to strengthen your cybersecurity posture from every angle. Don’t wait for a breach to expose your vulnerabilities—partner with Hoplon Infosec to stay ahead of the threat curve.