Scattered Spider is on the hook for M&S Cyber Attack

It is possible that the infamous Scattered Spider hacking group was behind the ongoing cyber attacks on Marks and Spencer, which have crippled the retailer’s systems and left its ecommerce operations in chaos.

Published on 29 Apr 2025 at 21:06

Reports claim that

The teenage hacking collective Scattered Spider, which breached multiple organizations in 2023 with a series of social engineering attacks, has been linked to an ongoing cyber incident at Marks and Spencer.

According to Bleeping Computer, which was the first to report this new development, citing unnamed investigators, Scattered Spider is believed to have breached M&S back in February 2025.

According to the Scattered Spider hacker, they were able to get their hands on an NTDS.dit database file containing hashed passwords for M&S Windows accounts. The gang then used these passwords to infiltrate M&S's Windows domain.

On Thursday, 24 April, M&S reported the incident. Three days later, the attackers allegedly installed a white-label version of ransomware named DragonForce onto VMware ESXi servers. M&S declined to comment on these reports. Their veracity can’t be confirmed at this time.

M&S’s contactless payment system and click-and-collect service were disrupted, which led to the first report of the incident. It was forced to suspend all online shopping and, over a week later, its core ecommerce infrastructure is still offline. However, the website can be accessed as normal, and its brick-and-mortar shops are also open. It has also told agency warehouse staff to stay at home instead of traveling to its clothing and furniture depot.

M&S was founded in Leeds 141 years ago as a market stand by a Polish-born immigrant named Michael Marks. The cyber attack has caused the company to lose hundreds of millions of dollars and sales have been lost across the country.

M&S insisted that its customers did not need to take any action at the time this article was written. It is unclear how long this will continue.

This is not your average gang.

Scattered Spider stands out among threat actors because it consists largely of English-speaking individuals, although they have worked with Russian ransomware groups before. It functions more like a loosely-connected network than an organised crew. Scattered Spider continues to operate despite the arrest and indictment of some of its members, including a British citizen named Tyler Buchanan who was indicted in November 2024 by the US Department of Justice.

Robert McArdle, director of forward threat analysis at Trend Micro, said: “[They] gather together for individual attacks, and resemble the structure of hacktivist groups like past Anonymous activity. Scattered Spider regularly targets retail providers, so targeting M&S is ‘on brand’.”

Scattered Spider has been active in different incarnations from 2022 to today, but is hard to categorise because its organisation is so loose. Scattered Spider, a small subset of the larger community, is responsible for many attacks by English-speaking actors. Anglophone cyber criminals are a new breed of cyber criminals. They lack the organised crime structure that Russian ransomware gangs have, but they make up for it in brazenness and aggression.

A Scattered Spider hacker allegedly threatened a victim’s family in one attack documented by Microsoft. “If we don’t receive your [redacted] log in the next 20 mins, [sic] will send a shooter to you house,” they said. “Your wife is going to get shot if you don’t [sic] [redacted]fold it.”
