Scattered Spider, a teenage hacking group, pulled off several high-profile breaches in 2023, and now it’s linked to the ongoing cyber incident at Marks and Spencer (M&S). Reports, including one from Bleeping Computer, suggest that Scattered Spider compromised M&S back in February 2025.
They reportedly accessed an NTDS.dit file, the Active Directory Domain Services database that contains the password hashes for M&S's domain accounts. Using these hashes, they infiltrated M&S’s Windows domain. Just days later, on April 24, they allegedly deployed a white-label ransomware known as DragonForce on M&S’s VMware ESXi hosts.
M&S has opted not to confirm any of these claims. The incident first surfaced when M&S faced disruptions in its contactless payment system and click-and-collect service. Eventually, they halted online shopping altogether. As the week progressed, M&S’s core e-commerce infrastructure remained offline, although the website still functioned for browsing. Brick-and-mortar stores stayed open, but warehouse staff were advised to stay home to avoid commuting.
Founded in Leeds 141 years ago by Michael Marks, a Polish immigrant, M&S has seen its value drop by hundreds of millions due to this cyberattack, with sales losses affecting stores nationwide. Despite the chaos, M&S has maintained that customers need not take any action—though how long that will hold is uncertain.
What sets Scattered Spider apart is its loosely connected structure, primarily made up of English speakers, despite past collaborations with Russian gangs. Even with some members arrested, like Tyler Buchanan, a British national indicted by the U.S. Department of Justice in November 2024, the collective continues to operate.
Robert McArdle from Trend Micro notes that Scattered Spider resembles hacktivist groups like Anonymous, with members coming together for specific attacks. Since 2022, they’ve targeted retail providers consistently, so the M&S breach fits their profile.
McArdle warns about the increasing threat from Anglophone cybercriminals. While they lack the structure of traditional Russian gangs, they compensate with boldness. In one chilling incident documented by Microsoft, a Scattered Spider hacker threatened a victim’s family, saying they would send a shooter if the victim didn’t comply within 20 minutes.