Scattered Spider hits UK retailers, moves to US

Edvis 17th May 2025

0 2 minutes read

Cyber-attacks are being facilitated by individuals based in the United Kingdom who are part of the Scattered Spider hacking network. This disruption, which has affected British retailers, is now spreading to the United States.

The Scattered Spider group has been linked to cyber-attacks targeting UK retailers, including Marks & Spencer, the Co-op, and Harrods. Retailers across the Atlantic are now also facing attacks.

The attackers tend to concentrate on a particular type of business and location for a period before moving to another. Currently, their focus is on retail companies, having started in the UK and now shifting to US organizations. Individuals associated with Scattered Spider in the UK are involved in and helping with these breaches.

Marks & Spencer has informed its employees that some personal information, reportedly including email addresses and full names, may have been taken in a recent cyber-attack. Earlier, the retailer revealed that personal details belonging to thousands of customers were compromised.

The targeting of retailers in the UK and the methods used by Scattered Spider have led authorities to warn companies about specific tactics. Businesses have been advised to examine how their IT help desks handle staff password resets.

A tactic associated with Scattered Spider involves making phone calls to IT help desks, pretending to be legitimate employees or contractors to gain access to company systems. The attackers are observed making these calls, impersonating employees, and persuading staff to reset passwords. This task is sometimes delegated to other members of the network, often younger individuals active on online platforms, who are paid for this work.

The group is notable for being composed of native English speakers from countries like the UK, US, and Canada, unlike many other ransomware groups which typically originate from Russia or former Soviet countries. Individuals linked to the group have been heard on numerous calls attempting to extort, persuade, or harass company personnel.

Separately, French brand Dior reported that an unauthorized party had accessed some customer data, though no payment information was compromised. The full extent and the identity of the attacker are not yet clear.

Cyber-attacks targeting US retailers with ransomware and extortion are suspected to be connected to the Scattered Spider network. This network has a history of focusing its efforts on one business sector at a time, and it is anticipated that they will continue to target the retail sector in the near future. US retailers are advised to be aware.