UK Authorities Arrest Four Suspected Hackers in Major Retail Cyberattack Investigation

CyberSecureFox 🦊

The UK’s National Crime Agency (NCA) has executed a coordinated operation resulting in the arrest of four individuals suspected of orchestrating devastating cyberattacks against major British retailers. The suspects allegedly targeted industry giants including Marks & Spencer, Co-op, and Harrods, causing millions in damages and compromising sensitive customer data.

Profile of the Arrested Suspects

The operation culminated in the detention of four young individuals: two 19-year-olds, one 17-year-old minor, and a 20-year-old woman. Arrests were conducted across London and the West Midlands, demonstrating the coordinated nature of the investigation. Notably, one suspect holds Latvian citizenship, highlighting the international scope of modern cybercriminal operations.

All suspects face serious charges under the Computer Misuse Act, including blackmail, money laundering, and participation in organized criminal activities. Law enforcement agencies have seized electronic devices for comprehensive digital forensic analysis to identify potential accomplices and uncover the full extent of the criminal network.

Financial Impact: Millions in Retail Losses

The cyberattacks, which occurred between April and May 2025, inflicted substantial financial damage on British retail operations. Marks & Spencer reported losses of US$402 million, primarily due to the forced suspension of online ordering systems and compromised customer databases.

The perpetrators deployed DragonForce ransomware, a relatively new threat that has been active since December 2023. This criminal organization positions itself as a “ransomware cartel” and has recently begun offering white-label services to other hacking groups, significantly expanding the threat landscape for potential victims.

Connection to Scattered Spider Cybercriminal Group

Forensic analysis of the attack methodologies suggests potential connections to the notorious Scattered Spider cybercriminal organization. The hackers employed techniques characteristic of this group: sophisticated social engineering, including SIM-swapping attacks, and targeted exploitation of VMware ESXi systems.

Scattered Spider, also known by aliases including Starfraud, Octo Tempest, Muddled Libra, and UNC3944, represents one of the most dangerous contemporary hacking collectives. According to Mandiant intelligence data, the group successfully compromised over 100 organizations by fall 2023, primarily targeting entities in the United States and Canada.

Evolution of Criminal Operations

Initially focused on financial fraud, the group has evolved toward more sophisticated corporate attacks. Scattered Spider is linked to “The Community” phenomenon—a youth criminal network whose members transitioned from individual cryptocurrency theft to large-scale corporate breaches.

The group’s most notable operations include attacks on MGM Resorts and Caesars Entertainment casino networks using BlackCat, Qilin, and RansomHub ransomware variants. In 2025, the hackers expanded their geographical reach, targeting Australian airline Qantas, Canadian carrier WestJet, and American-based Hawaiian Airlines.

Identified Suspects: Key Figures in Cybercrime

According to investigative journalist Brian Krebs, the arrested individuals include Owen David Flowers (known by aliases bo764, Holy, and Nazi) and Talha Jubaer (Earth2Star, Operator). Jubaer previously served as a key member of the LAPSUS$ group and administrator of Doxbin—a platform for publishing compromised personal information.

These arrests may significantly impact Scattered Spider’s operational capabilities, as remaining group members will likely temporarily suspend activities to reassess risks and reorganize their command structure.

The successful operation by UK law enforcement demonstrates the effectiveness of international cooperation in combating cybercrime. However, modern hacking groups adapt and reorganize quickly. Organizations must strengthen their cybersecurity measures, particularly defenses against social engineering and regular training that teaches employees to recognize suspicious activity. The arrests represent a significant victory in the ongoing battle against cybercriminal enterprises, but vigilance and proactive security measures remain essential for protecting against evolving threats.
