Scattered Spider compromises Marks & Spencer, Co-op, Harrods
Native-English-speaking financially-motivated crew, assessed to include members in the United States, United Kingdom, and Canada. Tradecraft centers on SIM-swap and voice-phishing of IT helpdesks to…
Summary
Scattered Spider operators executed coordinated intrusions against three of the UK's largest retailers in April 2025, ultimately deploying DragonForce ransomware against Marks & Spencer on 24 April. M&S subsequently disclosed an estimated £300M revenue impact (~$400M) — the costliest UK retail cyberattack on public record — with the Co-op disclosing £206M (~$277M). Initial access at M&S used compromised credentials from outsourced IT provider Tata Consultancy Services (TCS), a textbook Scattered Spider social-engineering pivot through a managed-services supplier. Active Directory contents were stolen during months of dwell time before encryption. UK NCA arrested four individuals, three of them teenagers, in July 2025.