British retailer Marks & Spencer (M&S) continues to reel from a major cyberattack that has disrupted online orders, contactless payments, and left some store shelves empty. Multiple cybersecurity sources have now named the notorious hacking group Scattered Spider as being behind the attack, which has wiped nearly £700 million off the company’s stock market value and caused millions in lost sales.
Who is Scattered Spider?
Scattered Spider, also known as UNC3944, Octo Tempest, or Starfraud, is a loosely organised cybercriminal group made up primarily of young, English-speaking individuals-some as young as 16 – from the UK and US. The group has gained infamy for targeting large companies with sophisticated social engineering and ransomware attacks, including previous high-profile breaches at MGM Resorts and Caesars Entertainment.
Graeme Stewart, head of public sector at security firm Check Point, told Sky News:
“Scattered Spider is one of the most dangerous and active hacking groups we are monitoring. Since they first appeared in 2022, they have been linked to more than 100 targeted attacks across industries such as telecoms, finance, retail and gaming.”
How does Scattered Spider operate?
Scattered Spider specialises in social engineering-tricking employees into giving up sensitive information-along with phishing, SIM swapping, and exploiting multi-factor authentication systems. They often impersonate IT staff or use fake profiles to gain initial access, then move laterally through networks by extracting credentials from files like NTDS.dit, which stores Windows domain passwords.
The group is highly adaptive and decentralised. According to cybersecurity expert Robert McArdle:
“They are a much looser connected network of individuals who assemble together for individual attacks and resemble the structure of hacktivist groups like past activity of Anonymous.”
Reports suggest Scattered Spider first breached M&S systems in February 2025, stealing the NTDS.dit file to obtain password hashes and infiltrate the retailer’s Windows domain. On April 24, they reportedly deployed the DragonForce ransomware, encrypting key servers and crippling operations.
The attack forced M&S to take systems offline, resulting in:
- Suspension of online orders and app transactions
- Disruption of contactless payments and click-and-collect services
- Agency warehouse staff told to stay home
- Empty shelves and “pockets of limited availability” in stores
- Paused deliveries, including some to Ocado and charity food donations
Retail expert Harry Kind told ITV News:
“With web sales accounting for about a third of their business in clothing and home products, an indefinite pause on online orders will be having a massive financial hit in the short term… this will be a real blow to their long term brand too.”
Estimates suggest M&S could be losing as much as £3.5 million per day while online sales remain suspended.
M&S has not officially confirmed the identity of the attackers or whether a ransom has been paid, but the company has brought in cybersecurity firms Microsoft, CrowdStrike, and Fenix24 to assist with the response.
In a statement, M&S said:
“As part of our proactive management of the incident, we took a decision to take some of our systems temporarily offline. As a result, we currently have pockets of limited availability in some stores. We are working hard to get availability back to normal across the estate.”
The retailer has reassured customers that there is currently no need for them to take action regarding their accounts.
