News Brief: Hafnium, Scattered Spider Hackers Arrested

This week, international cybersecurity law enforcement agencies took significant action against notorious cybercriminals and state-sponsored threat actors. Italian authorities detained an individual for allegedly working as a contractor for China's Ministry of State Security, while British police arrested four members of the Scattered Spider hacking group in connection with cyberattacks against major retailers.

Scattered Spider Suspects Arrested in UK

The U.K.'s National Crime Agency (NCA) arrested four individuals (two 19-year-old males, one 17-year-old male, and a 20-year-old female) in connection with cyberattacks against retailers Marks & Spencer, Co-op, and Harrods. The suspects were apprehended in the West Midlands and London on charges including Computer Misuse Act offenses, blackmail, and money laundering.

Security experts believe the suspects are linked to Scattered Spider, the cybercrime collective previously responsible for attacks on MGM Resorts and Caesars Entertainment. This latest development marks a significant blow to the group's operations and highlights the growing threat posed by state-sponsored hacking groups.

Chinese Hacker Arrested for COVID-19 Research Theft and Exchange Attacks

Italian authorities and the FBI arrested Xu Zewei, a 33-year-old Chinese national allegedly involved in the Hafnium hacking group's operations. Xu was charged with stealing COVID-19 research from American scientists and exploiting Microsoft Exchange Server vulnerabilities in 2020 and 2021, actions prosecutors claimed were directed by China's Ministry of State Security.

Arrested in Milan on July 3, Xu allegedly worked at Shanghai Powerock Network Co. Ltd., which prosecutors described as an "enabling" company for state-sponsored hacking. A second suspect, Zhang Yu, remains at large. This latest arrest is a significant development in the ongoing efforts to combat China's state-sponsored hacking activities.

SatanLock Ransomware Group Announces Shutdown

SatanLock, a ransomware group that emerged in April, announced its shutdown on Telegram and its Dark Web leak site. The group removed all victim listings, leaving only a message that said, "SatanLock project will be shut down -- The files will all be leaked today." Despite its brief existence, SatanLock compromised 67 organizations within weeks of appearing.

Hunters International Shuts Down and Transitions to Data Theft Operation

Hunters International, a ransomware group operating since 2023 as a Hive ransomware rebrand, announced its shutdown and said it will release free decryptors for all victims. After targeting over 300 organizations using SharpRhino malware for initial access, the group has removed victim names from its leak site and posted a goodwill message offering free decryption software.

Research indicated the closure is part of a planned transition, with the group rebranding itself as "World Leaks," an extortion-only operation that began in early 2025. This latest development highlights the evolving threat landscape and the need for continued vigilance among organizations and individuals.

Editor's Note

An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing. Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.