Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
The Scattered Spider group has been highly active in recent years


Scattered Spider appears to be the name on every security practitioner’s mind right now after reports linked the cyber criminal group to the M&S cyber attack.
The high street retailer has been battling a ‘cyber incident’ for well over a week, with an attack severely disrupting systems and forcing it to suspend online sales. Exact details on the attack remain scarce, but reports from BleepingComputer suggest Scattered Spider is enemy number one.
Adding more fuel to the fire, we now have similar incidents - albeit on what appear to be a less extreme scale - at two more high street retailers, the Cooperative Group and luxury department store Harrods.
There’s currently no evidence linking the group to these particular attacks, but speculation is still rife online regardless.
But what makes Scattered Spider such a formidable adversary for security teams?
Scattered Spider on the rise
Scattered Spider has rapidly emerged as a highly aggressive cyber criminal group, and has claimed responsibility for attacks on a flurry of organizations globally.
In late 2023, the group brought MGM Resorts to its knees in a ransomware attack, stealing customer’s personal information and costing the hotel and casino group an estimated $100 million in damages.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Naturally, this incident prompted a global manhunt for those involved in the group, which appeared to culminate in November 2024 when US prosecutors charged five people accused of involvement in its activities.
This included five Americans and one Scot, which didn’t exactly paint a familiar picture considering headline-grabbing arrests in recent years have frequently involved Russian nationals, for example.
But it’s this that makes the group somewhat tricky to pin down, according to Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf.
Hostetler described Scattered Spider as a ‘geographically diverse and loosely knit group of threat actors” involved in ransomware and other financially-motivated cyber crime activities.
“Some people affiliated with the group refer to themselves as ‘the Comm’, and researchers have labeled them with names such as UNC3944, Scatter Swine, and Muddled Libra,” he said.
“They are known to participate in ransomware attacks using a handful of well-documented tactics and have demonstrated proficiency with cloud-hosted infrastructure.”
Adding to the potency of the group is the fact that ‘the Comm’ is believed to include affiliates of other ransomware gangs, according to Hostetler, such as BlackCat/ALPHV and the LAPSUS$ group.
How Scattered Spider operates
The group is known to primarily target organizations with social engineering techniques, according to Jake Moore, Global Cybersecurity Advisor at ESET.
“Scattered Spider has been linked to dozens of attacks over the last few years targeting all sectors,” he explained. “Their tactics often target the human element of an attack including social engineering and SIM swapping attacks before deploying ransomware on a target device.”
Hostetler noted their “favored technique” is phishing. This often involves creating bogus login pages that closely mimic corporate sign-in portals, for example.
Additionally, the group has been known to create fake domains on targeted brands - again this is used as a means to dupe unsuspecting users and give them an opportunity to break through an organization’s defenses.
“They’ve also been known to steal credentials via SMS phishing operations and pose as fake IT staff, in a bid to gain access to – and wreak havoc in – victim organizations,” Hostetler added.
MORE FROM ITPRO
- The new ransomware groups worrying security pros in 2025
- Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
- Building ransomware resilience to avoid paying out

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Transformar las licencias de VMware a modelos basados en suscripción
Con un canal comprometido, Broadcom hace que el viaje hacia las licencias de VMware basadas en suscripción sea lo más fluido posible
-
Un cambio enfocado hacia los servicios entregados por partners genera nuevas oportunidades con Broadcom
Broadcom está invirtiendo en servicios profesionales —entregados a través de partners— para el éxito a largo plazo de los clientes
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
News Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticed
News Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the US
News A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
News The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware group
News The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances