British authorities have arrested four individuals aged between 17 and 20 in connection with a spate of cyberattacks targeting prominent UK retailers Marks & Spencer (M&S), the Co‑op, and Harrods earlier this year.
The arrests form part of a broader investigation led by the National Crime Agency (NCA) into what is described as a substantial organised ransomware campaign.
Go deeper with GlobalData
Investigation and arrests
Two 19‑year‑olds, a 17‑year‑old male and a 20‑year‑old female were detained this morning at their homes in London, the West Midlands and Staffordshire on suspicion of offences including computer misuse under the Computer Misuse Act, blackmail, money laundering and participation in an organised crime group.
Authorities seized electronic devices for forensic examination.
The NCA’s National Cyber Crime Unit, supported by regional organised crime units, confirmed this marks a key milestone in an investigation deemed one of the agency’s highest priorities.
Cyberattack timeline and impact
The attacks occurred in April 2025, when ransomware was deployed across retail systems.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataM&S suffered a six‑week shutdown of its online clothing and homeware services, resulting in severe disruption to click‑and‑collect and food deliveries, and an estimated £300 million hit to operating profits.
Co‑op and Harrods also faced disruptions, with the Co‑op temporarily disabling key systems and Harrods shutting down parts of its IT infrastructure.
Investigators later classified the breaches at M&S and Co‑op as a “single combined cyber event,” attributing damages ranging from £270 million to £440 million.
Suspected methods and cybercrime links
The cyber intrusions are believed to have begun via social engineering and impersonation of third‑party service providers.
The hacking collective “Scattered Spider” has been linked to the attacks, allegedly exploiting human vulnerabilities to gain initial access before deploying ransomware from the “DragonForce” operation.
The modus operandi reportedly included phishing calls, SIM swapping and email‑based social engineering to bypass internal defences.
Next steps and sector warning
All four suspects remain in custody while NCA investigators continue digital forensic analysis.
Deputy Director Paul Foster said the arrests are a significant step, but emphasised that work with domestic and international partners is ongoing to hold all responsible parties to account.
He underscored the importance of incident reporting and cooperation by affected organisations to combat cyber threats.
Retailers face mounting pressure to strengthen defences, with calls for mandatory disclosure of material cyber incidents following M&S chairman Archie Norman’s warnings that other significant hacks went unreported.
The NCA advised businesses to use the government’s Cyber Incident Signposting Site to report any cyber incident promptly.
While the investigation moves forward, the case highlights the rising risk of ransomware in retail supply chains and the critical role of policing, cybersecurity investment and mandatory incident transparency in protecting businesses and consumers.
