UK Authorities Arrest Four in Connection with Cyberattacks on Major Retailers

The United Kingdom’s National Crime Agency (NCA) has arrested four individuals suspected of involvement in recent cyberattacks that targeted major retail brands across the UK, including Marks & Spencer, Co-op, and Harrods. The arrests mark a significant development in ongoing efforts to dismantle cybercriminal networks affecting both British and international businesses.

Who Was Arrested?

On the morning of July 10, authorities carried out coordinated raids at residential addresses in London and the West Midlands, arresting four suspects:

• A 20-year-old woman
• Two 19-year-old men
• One 17-year-old male

All are currently in custody and being questioned in connection with hacking, blackmail, money laundering, and participation in an organized crime group. Law enforcement seized multiple electronic devices as part of the investigation.

The Cybercrime Groups Involved

The suspects are believed to be linked to DragonForce, a ransomware group that recently claimed responsibility for cyberattacks on several UK-based retailers. Security researchers have tied DragonForce’s activities to a broader, more notorious cybercrime collective known as Scattered Spider—a group well known for its aggressive social engineering tactics and high-profile attacks across the UK and the United States.

Scattered Spider has previously been linked to incidents involving data theft, extortion, and ransomware deployment in the retail, telecommunications, and financial sectors.

A Global Threat with Local Impact

Law enforcement efforts to disrupt this group have intensified globally:

• In late 2024, U.S. authorities charged and arrested several individuals associated with Scattered Spider.
• One of the accused has since pleaded guilty, although the group’s activity has persisted.
• Just last month, a 22-year-old UK national was arrested in Spain for allegedly playing a leadership role in the group.

Despite these actions, the group continues to pose a significant threat to enterprise security worldwide.

Industry Perspective: A Critical Window for Defense

According to Charles Carmakal, Chief Technology Officer at Google Cloud’s Mandiant Consulting, the latest arrests are an important step forward:

“The arrests of alleged Scattered Spider members is a significant win in the ongoing fight against this collective. Their aggressive social engineering tactics and relentless pursuit of access have proven particularly challenging for many defenders,” said Carmakal.

“This action by law enforcement underscores the critical importance of international collaboration in combating cybercrime. Previous arrests have impacted their operations, causing a significant lull in activity. This is a critical window for organizations to fortify their defenses.”

What This Means for Your Business

While arrests may temporarily disrupt threat actor operations, businesses cannot afford to become complacent. Cybercriminal groups like Scattered Spider operate in distributed, adaptable cells, often evolving tactics quickly in response to law enforcement pressure.

Key recommendations for organisations include:

• Conducting employee training to prevent social engineering attacks
• Strengthening multi-factor authentication and access controls
• Regularly auditing and updating endpoint and network protections
• Monitoring for unusual activity across remote access and identity systems

At Cyber Safe Business, we work closely with clients to help them assess risk, improve cyber resilience, and stay ahead of emerging threats like Scattered Spider.