Scattered Spider – the teenage hacking collective that breached multiple organisations in 2023 in a series of social engineering attacks – has been linked to the ongoing cyber incident unfolding at Marks and Spencer (M&S) according to reports.
According to Bleeping Computer, which was first to report the new development citing unnamed sources close to the investigation, Scattered Spider is understood to have breached the retailer back in February 2025.
Supposedly, the Scattered Spider hackers were able to get their hands on an NTDS.dit file – an Active Directory Services database file containing password hashes for M&S Windows accounts. The gang was then able these passwords and use them to infiltrate M&S’ Windows domain.
The attackers then allegedly deployed a white-label ransomware called DragonForce on VMware ESXi hosts belonging to M&S on Thursday 24 April, three days after M&S first disclosed an incident.
M&S has declined to comment on the accuracy of these reports, so their veracity cannot be confirmed at this stage.
The incident first came to light after M&S experienced disruption to its contactless payment and click-and-collect service. It was later forced to suspend online shopping entirely and over a week later, its core e-commerce infrastructure remains offline, although its website is still accessible and can be browsed as normal. Its bricks-and-mortar stores are also open. It has also told agency warehouse staff to stay home rather than travel to its clothing and homeware depot.
M&S, which was founded in Leeds as a market stall 141 years ago by a Polish immigrant, the eponymous Michael Marks, has lost hundreds of millions of pounds of value as a result of the cyber attack, with lost sales mounting up across the country.
At the time of writing, M&S maintained that there was no need for its customers to take any action – for how much longer this will be the case remains to be seen.
Not your average gang
A stand-out among threat actors, Scattered Spider is unusual in that largely comprises English-speakers – although it has worked with Russian ransomware gangs before – and functions more as a loosely connected network, rather than an organised crew.
This means that despite some of its members being arrested and charged, including a British national named as Tyler Buchanan, who was indicted by the US Department of Justice (DoJ in November 2024, Scattered Spider has been able to keep operating.
Robert McArdle, director of forward threat research at Trend Micro, said: “[They] assemble together for individual attacks and resemble the structure of Hacktivist groups like past activity of Anonymous. Scattered Spider has routinely targeted retail providers … so targeting M&S would be ‘on-brand’.
“Scattered Spider has been active in various incarnations since 2022 until today but is very hard to categorise as their organisation is so loose. Many attacks coming from English-speaking actors can be tied back to the wider community of which Scattered Spider is just a small, ill-defined subset.”
A larger issue, said McArdle, is the growing threat emanating from Anglophone cyber criminals who, although they lack the businesslike organised crime structures favoured by old school Russian ransomware gangs, they make up for in aggression and brazenness.
In one attack documented by Microsoft, a Scattered Spider hacker threatened one victim’s family. ““If we don’t get your [redacted] login in the next 20 minutes were [sic] sending a shooter to your house,” they said. “Ur wife is gonna get shot if u don’t [sic] fold it [redacted].”
