In April 2025, large retailers were all targeted by cyber attacks that caused disruption across their services. Although attribution is still being confirmed, indicators strongly link these attacks to Scattered Spider, a group known for aggressive, human-centric tactics and high-profile breaches.

This post is not an incident breakdown for each retailer. Instead, it uses these events as a real-world case study to examine Scattered Spider - a modern cyber threat actor that doesn’t rely on technical exploits, but on manipulating people – as their operations highlight the urgent need for security strategies that go beyond traditional defences and training.

At the end of April 2025, three major UK retailers were hit by various cyber attacks. Although not officially attributed, these attacks have been linked to a hacking collective known as “Scattered Spider” and use of the “DragonForce” ransomware.

The attack on M&S (a retailer known for selling food, clothing, and home goods in the UK) started covertly, with initial access gained in February 2025 being used to exfiltrate their 

 Active Directory Database file (a file containing employee password hashes). In late April the attackers then deployed the 

 ransomware on M&S servers, encrypting critical systems and resulting in the M&S website being unable to take online orders. This attack cost the company an estimated 

, removing an estimated £500–700M off its market value and preventing the company from 

The Co-op Group, which operates thousands of grocery stores and other businesses in the UK, also discovered a similar attack in late April. A social engineering attack reportedly allowed the threat actors to 

 before breaching the network. This resulted in attackers gaining access to the 

 which includes information such as membership names and contact details. In response, the Co-op pre-emptively 

 to contain the threat. This included partially disabling internet access, urging employees to keep their cameras on during meetings, not recording or transcribing calls, and asking staff to verify that all meeting participants were authorised Co-op staff.

Around the same time at the M&S and Co-Op attacks, Harrods (a UK department store) revealed that it detected an 

. In response Harrods temporarily restricted internet access and reportedly prevented any major disruption suggesting that the attacker was blocked before they could do serious damage.

“Scattered Spider” is a name given to a loose collection of English-speaking hackers with members affiliated with the cybercriminal collective “The Com”. This group – also tracked as “UNC3944” (Google) and “Octo Tempest” (Microsoft) – is known for its focus on exploiting people rather than technologies using aggressive social engineering tactics and has been linked to other high-profile breaches such as the 2024 attacks on 

In November 2024, the US Department of Justice gave an insight into Scattered Spider’s personnel when it charged 

 over the targeting of various unnamed American companies with “phishing” text messages. This revealed that the group appeared to consist of predominantly young native-English speakers, operating out of the UK and US – in contrast to many other ransomware groups that predominantly operate out of Eastern Europe, Asia, and Russia.

“DragonForce” is the name given to a pro-Palestine hacktivist group allegedly based in Malaysia operating out of the Asia-Pacific region and the US. In recent times, it is believed that the group has expanded into ransomware operations - 

 of a ransomware-as-a-service (RaaS) set of tools that is known to be used by Scattered Spider.

Tactics, Techniques, and Procedures (TTPs)

Although direct attribution has not been confirmed, what ties Scattered Spider operations together are the tactics used. One of their attributes is that they specialise in targeting the human element of organisations, manipulating and deceiving people rather than exploiting technology. This often results in attacks heavily involving a mix of phishing, phone-based deception, and abuse of multi-factor authentication to infiltrate organisations.

Attack Waves – Scattered Spider operations typically occur in 

 against prominent brands in specific industries in order to generate media attention before shifting to other targets.

Explore and understand these threats more using the 

These incidents all have one thing in common: the exploitation of humans over tech. Whether it’s an employee interacting with a fake login page or a member of the help-desk team being manipulated over a phone call or text, the attackers succeeded by manipulating people. No 0-day exploit or overly technical hack, just the abuse of human behaviour to get in.

These types of threat actors are both concerning and fascinating. Concerning, because every organisation relies on humans who can make mistakes. Fascinating, because it means improving security isn’t just about buying the latest tech or training. It’s about protecting your people.

These attacks re-emphasise the importance of human risk management in modern cybersecurity. Groups like Scattered Spider show that even the most robust technical defences can be bypassed through social engineering and the exploitation of human behaviour, resulting in financial losses, operational disruption, and reputational damage.

However, by developing or onboarding proactive, human-centric security strategies, organisations can reduce their likelihood of falling victim to these attacks in the future. This means going beyond awareness training and providing our users with tools that help them recognise, prevent, and respond to threats in real time.

Perhaps one day we can stop viewing employees as the “weakest link” in cybersecurity. With the right support and risk management technologies, people might just become one of our strongest lines of defence.

bleepingcomputer.com - Marks & Spencer breach linked to Scattered Spider

https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack

independent.co.uk - M&S hackers tricked IT help desk workers to access company systems, says report

https://www.independent.co.uk/news/business/m-s-coop-hack-scattered-spider-it-worker-b2745218.html

independent.co.uk - Wave of retailer hacking incidents ‘a wake-up call’, minister to say

https://www.independent.co.uk/news/uk/politics/pat-mcfadden-government-marks-spencer-spencer-manchester-b2744030.html

thehackernews.com – RansomHub Went Dark April 1; DragonForce Claimed Control

https://thehackernews.com/2025/04/ransomhub-went-dark-april-1-affiliates.html

sentinelone.com - DragonForce Ransomware Gang

https://www.sentinelone.com/blog/dragonforce-ransomware-gang-from-hacktivists-to-high-street-extortionists/

https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations

sans.org - Defending Against SCATTERED SPIDER and The Com

https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/

infosecurity-magazine.com - Inside DragonForce

https://www.infosecurity-magazine.com/news/dragonforce-goup-ms-coop-harrods/

theguardian.com - M&S cyber-attack linked to hacking group Scattered Spider

https://www.theguardian.com/business/2025/apr/29/m-and-s-cyber-attack-linked-to-hacking-group-scattered-spider

bbc.co.uk - Co-op cyber attack affects customer data, firm admits

theguardian.com - How ‘native English’ Scattered Spider group linked to M&S attack operate

https://www.theguardian.com/technology/2025/may/01/how-native-english-scattered-spider-group-linked-to-ms-attack-operate

therecord.media - CISA, FBI warn of Scattered Spider expertise with social engineering

https://therecord.media/cisa-fbi-warn-of-scattered-spider-cybercrime-group

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

In April 2025, large retailers were targeted by cyber attacks that caused disruption across their services. Although attribution is still being confirmed, indicators strongly link these attacks to Scattered Spider, a group known for aggressive, human-centric tactics and high-profile breaches.

A Case Study in Human-Centric Cyber Threats

, Lead Cyber Security Researcher at CultureAI

By Oliver Simonnet, Lead Cyber Security Researcher at CultureAI

Recommended for you

You're Not My Supervisor! Researching My Own New Starter Scam

AI Adoption Is Outpacing Governance: Conversations on Managing AI Risk

Empowering Safe GenAI Adoption at a 3,600-Employee Fintech