Scattered Spider on the Hook for M&S Cyber Attack
In a shocking development, Bleeping Computer has revealed that Scattered Spider, a teenage hacking collective, is behind the ongoing cyber attack at Marks and Spencer (M&S). According to reports from unnamed sources close to the investigation, Scattered Spider breached M&S in February 2025 through a series of social engineering attacks.
Scattered Spider, which has been linked to attacks on multiple organizations in 2023, gained access to an NTDS.dit file – the Active Directory Domain Services database file containing password hashes for M&S Windows accounts. This allowed the hackers to obtain the passwords and use them to infiltrate M&S's Windows domain.
On April 24, three days after M&S first disclosed an incident, Scattered Spider allegedly deployed a white-label ransomware called DragonForce on VMware ESXi hosts belonging to M&S. The attack has caused significant disruption to the retailer's contactless payment and click-and-collect services, forcing it to suspend online shopping entirely.
M&S has declined to comment on the accuracy of these reports, leaving their veracity uncertain at this stage. However, the incident has already resulted in hundreds of millions of pounds of lost value for the company, with lost sales mounting up across the country.
The Rise of Scattered Spider
Scattered Spider is an unusual collective in that it largely comprises English-speakers and functions more as a loosely connected network than as an organized crew. This has allowed them to evade law enforcement, despite some members being arrested and charged, including British national Tyler Buchanan, who was indicted by the US Department of Justice (DoJ) in November 2024.
Robert McArdle, director of forward threat research at Trend Micro, noted that Scattered Spider "assemble together for individual attacks and resemble the structure of Hacktivist groups like past activity of Anonymous." McArdle added that targeting M&S was "on-brand" for the group, given their history of targeting retail providers.
"Scattered Spider has been active in various incarnations since 2022, but is very hard to categorize as their organization is so loose," said McArdle. "Many attacks coming from English-speaking actors can be tied back to the wider community of which Scattered Spider is just a small, ill-defined subset."
The Growing Threat of Anglophone Cyber Criminals
McArdle also highlighted a larger issue – the growing threat emanating from Anglophone cyber criminals who lack the businesslike organized crime structures favored by old-school Russian ransomware gangs. What these cyber criminals lack in structure, they make up for in aggression and brazenness.
"If we don't get your [redacted] login in the next 20 minutes, were sending a shooter to your house," one Scattered Spider hacker threatened a victim's family in an attack documented by Microsoft. "Ur wife is gonna get shot if u don't [redacted]. Fold it [redacted]." This kind of behavior has raised concerns about the impact of cybercrime on individuals and society.
As the situation at M&S continues to unfold, one thing is clear – the threat of cyber attacks will only continue to grow in the coming years. It is essential that organizations like M&S take proactive measures to protect themselves against these threats and prepare for the worst-case scenario.