The UK’s National Crime Agency (NCA) has arrested four individuals in connection with a string of cyberattacks that targeted major British retailers Marks & Spencer (M&S), Co-op, and Harrods earlier this year.
The arrests announced by NCA mark the first major breakthrough in a high-priority investigation into what law enforcement believes is an organized campaign of extortion, ransomware deployment, and data theft.
Two 19-year-old males, a 17-year-old male, and a 20-year-old female were taken into custody this morning during coordinated raids in London and the West Midlands. The suspects were arrested on suspicion of Computer Misuse Act offences, blackmail, money laundering, and involvement in the activities of an organized crime group. Officers from the NCA’s National Cyber Crime Unit seized multiple electronic devices for digital forensic analysis; all four remain in custody for questioning.
The arrests stem from cyberattacks that took place in April 2025, beginning with the ransomware intrusion at Marks & Spencer. That attack was attributed to the DragonForce ransomware group, which is believed to operate as part of or in collaboration with the Scattered Spider threat actor, a loosely affiliated group of English-speaking cybercriminals known for sophisticated social engineering tactics.
The breach forced M&S to suspend online orders, caused widespread payment disruptions across its 500-store network, and led to the theft of personal customer data, including names, contact details, and partial payment information. The financial fallout has been steep: M&S projected up to £300 million in losses, with operational recovery expected to stretch into the second half of the year.
Co-op confirmed a similar intrusion days later, reporting unauthorized access to its member database. Although no payment data was exposed, names, dates of birth, phone numbers, and email addresses were exfiltrated. Internal service disruptions and extortion attempts followed, with attackers reportedly sending ransom messages via Microsoft Teams. Harrods also experienced a related attack attempt, though it did not publicly confirm the extent of compromise.
The NCSC issued an urgent advisory in early May warning of a campaign that showed hallmarks of both Scattered Spider and the White-Label Cartel, an ecosystem of ransomware operators who distribute toolkits and infrastructure to affiliates. Investigators believe these groups exploited weaknesses in helpdesk procedures to bypass multi-factor authentication, “walking through the front door” by impersonating employees.
In a statement, Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, said: “These arrests are a significant step in a complex investigation that remains a top priority for the Agency. We’re grateful for the support of the victim organizations and our domestic and international partners as we work to identify and bring all those responsible to justice.”
The NCA’s operation was supported by the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit. Officials emphasized that today’s developments do not mark the end of the investigation. On the contrary, they may uncover additional suspects operating abroad or online under aliases.
Leave a Reply