Scattered Spider: The Group Possibly Behind the M&S Hack


Marks & Spencer, one of the UK’s most iconic retail giants, has recently been the target of a devastating cyberattack. What began as mysterious glitches in its online systems quickly escalated into widespread service disruptions, halting online orders, affecting staff recruitment portals, and leaving store shelves understocked. Customers encountered issues with payments and click-and-collect services, while backend operations were brought to a standstill.

As investigators raced to trace the source of the breach, one name began surfacing in expert circles and cybersecurity briefings: Scattered Spider, a digital hacking group that has been gaining notoriety worldwide.

Who Are Scattered Spider?

Scattered Spider, known under various aliases such as UNC3944, Octo Tempest, and Muddled Libra, isn’t your average cybercrime group. It’s a loose-knit yet highly coordinated collective of hackers, many believed to be English-speaking, Gen Z individuals, operating primarily from the UK and the US.

This is a rare characteristic in the cybercrime world, where most high-profile threat groups are based in jurisdictions like Russia, China, or North Korea. Scattered Spider’s proximity to Western law enforcement hasn’t made them more cautious; it has made them bolder and more adaptive.

Their organizational model is also unique: rather than working under a strict hierarchy, the group operates more like a digital collective. This decentralized structure enables them to stay agile. Despite several arrests in 2023 and 2024, the group reemerged quickly under new handles, tactics, and affiliations.

What Makes Them So Effective?

Unlike traditional cybercriminals who rely heavily on sophisticated malware or network vulnerabilities, Scattered Spider specializes in social engineering—manipulating humans rather than machines. Their attacks often begin with something deceptively simple: a phone call, a fake login page, or a phishing email.

Here are some of their key tactics:

  • SIM Swapping: Convincing a mobile carrier to transfer a target’s phone number to a new SIM card. This gives them control of SMS-based two-factor authentication.
  • Phishing and MFA Fatigue: Sending fake login pages or bombarding targets with multi-factor authentication requests until they approve access.
  • Impersonation: Posing as IT support staff in phone calls, chats, or internal help desks to gain trust and extract credentials.
  • Remote Access Tools (RATs): Once inside, they deploy tools like AnyDesk or ScreenConnect to establish persistent access.

They use everyday tools against unsuspecting employees and are very good at it.
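
For defenders, the MFA fatigue pattern in the list above can be detected in authentication logs. The following is an added example, not code from the original article: it flags a burst of rejected push prompts and, more urgently, an approval that follows such a burst. The event format, the result labels and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, push-prompt result).
SAMPLE_EVENTS = [
    *[(f"2025-05-01T02:1{m}:00", "alice", "denied") for m in (0, 1, 2, 3, 4)],
    ("2025-05-01T02:14:30", "alice", "denied"),
    ("2025-05-01T02:15:00", "alice", "approved"),   # approval after six rejections
    ("2025-05-01T09:00:00", "bob", "denied"),       # a single mis-tap, then a normal login
    ("2025-05-01T09:01:00", "bob", "approved"),
    *[(f"2025-05-01T14:0{m}:00", "carol", "timeout") for m in range(5)],  # ignored prompts
    *[(f"2025-05-01T{h:02d}:00:00", "dave", "denied") for h in (8, 10, 12, 14, 16)],
    ("2025-05-01T16:01:00", "dave", "approved"),    # rejections spread over hours
]

REJECTED = {"denied", "timeout"}  # assumed labels for prompts the user did not approve


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=5):
    """Return (user, alert_type, timestamp) tuples.

    prompt_burst         -- rejected prompts inside the window reach min_rejections
    approved_after_burst -- an approval arrives while such a burst is still in the window
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        recent = []  # timestamps of rejected prompts still inside the sliding window
        for ts, result in rows:
            recent = [t for t in recent if ts - t <= window]
            if result in REJECTED:
                recent.append(ts)
                if len(recent) == min_rejections:  # fire when the count reaches the threshold
                    alerts.append((user, "prompt_burst", ts.isoformat()))
            elif result == "approved":
                if len(recent) >= min_rejections:
                    alerts.append((user, "approved_after_burst", ts.isoformat()))
                recent = []  # a successful login ends the current sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to treat as a likely account takeover: revoke the session and reset the user's MFA enrollment before investigating further.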

Their Resume: From MGM to M&S

Scattered Spider gained mainstream attention in September 2023 when they orchestrated an attack on MGM Resorts, one of the world’s largest casino and hotel operators. That single breach cost MGM over $100 million in losses, not including reputational damage and lawsuits.

In the same month, Caesars Entertainment was also hit, and it’s believed they paid the hackers $15 million in ransom to prevent further damage.

Fast forward to 2025, and their fingerprints appear on the Marks & Spencer cyberattack, which has caused online sales to stall, job applications to freeze, and stock prices to drop by over £700 million.

Reports suggest they used ransomware from a toolkit called DragonForce, locking key business systems and demanding payment for decryption. Although M&S hasn’t confirmed details publicly, cybersecurity analysts suspect that Scattered Spider, or one of its affiliates, is behind the breach.

Is This an Isolated Incident?

Shortly after the M&S attack, Harrods and Co-op also confirmed experiencing cybersecurity incidents. While it’s not yet verified whether these attacks are connected, the timing and nature of the disruptions point to a coordinated campaign or a copycat trend inspired by Scattered Spider’s tactics.

The retail sector is especially vulnerable due to:

  • High transaction volumes
  • Numerous third-party suppliers and platforms
  • Seasonal demand pressure
  • Frequent employee turnover (which weakens institutional knowledge on cybersecurity)

Experts fear this could start a broader wave of ransomware and phishing attacks targeting retail, e-commerce, and logistics firms.

The Bigger Picture: A New Breed of Hacker

Scattered Spider belongs to a new era of cybercriminals—young, native English speakers, deeply familiar with the corporate tools and platforms they exploit.

This fluency gives them a strategic advantage. They can convincingly impersonate IT staff on calls, craft near-perfect phishing messages, and navigate corporate systems like insiders. Many are reportedly active on Telegram, Reddit, or Discord, where they recruit, collaborate, and share stolen data.

Cybersecurity firm CrowdStrike has identified links between Scattered Spider and “the Comm,” a broader cybercrime community with ties to other infamous groups such as:

  • BlackCat/ALPHV – a ransomware-as-a-service operator
  • LAPSUS$ – known for targeting Okta, Microsoft, and Nvidia
  • FIN8 – involved in credit card scraping and malware deployment

By working across these networks, Scattered Spider can scale their attacks, renting out malware, sharing stolen credentials, or selling access to breached systems.

Why Retail Giants Are Easy Targets

Retail companies often operate on tight margins and depend heavily on real-time IT systems to manage inventory, logistics, customer service, and e-commerce. This dependence makes them highly susceptible to disruption and, therefore, more likely to pay ransoms quickly.

Here’s why Scattered Spider and similar groups are drawn to this sector:

  • Outdated Systems: Many retailers still run on legacy point-of-sale systems or unpatched ERP software.
  • High Employee Turnover: Constant onboarding makes it harder to enforce strict cybersecurity protocols.
  • Seasonal Urgency: Retailers can’t afford downtime during key seasons, making them more likely to settle quickly.
  • Many Entry Points: Customer service platforms, e-commerce portals, and third-party vendors all offer potential attack vectors.

Consequences for M&S and Its Customers

The full damage from the M&S attack is still being assessed, but early signs indicate:

  • Millions in lost revenue from online sales and delayed deliveries
  • Data exposure risks for customers and employees
  • Downtime across internal tools, affecting hiring and operations
  • Stock market impact, with a significant dip in valuation
  • Brand reputation damage, especially if data leaks emerge later

While customer data leaks have not been confirmed yet, experts warn that the aftermath of such attacks often unfolds over weeks or months.

Final Thoughts

The attack on Marks & Spencer by the group known as Scattered Spider marks a turning point in the cybersecurity landscape. This is not a shadowy group operating from a bunker in a foreign country—it’s a digital native collective, fluent in corporate jargon and social manipulation, capable of paralyzing a billion-pound business with a few phone calls and phishing links.

What happened to M&S isn’t just a business story. It’s a warning to companies, employees, and everyday consumers that cybercrime is evolving rapidly.

The next frontier of hacking isn’t just about stealing data. It’s about control, disruption, and forcing modern society to ask one uncomfortable question:

What happens when the systems we trust break?

At Hoplon Infosec, we specialize in helping companies defend against these evolving threats. From endpoint protection and email security to threat modeling and offensive security assessments, our solutions are designed to strengthen your cybersecurity posture from every angle. Don’t wait for a breach to expose your vulnerabilities—partner with Hoplon Infosec to stay ahead of the threat curve.
