CAMBRIDGE, UNITED KINGDOM - People walk past a Marks & Spencer store in February 2025. According to the market research company NielsenIQ (NIQ), grocery sales for the British retailer Marks & Spencer had grown to 9.7 percent, but a major cyberattack starting in April disrupted operations. (Photo by David Tramontan, SOPA, LightRocket, Getty)

UK Authorities Arrest Four in Connection to Retailer Cyberattacks

By Claire Meyer

10 July 2025

UK police arrested four people in connection to the cyberattacks on British retailers Marks & Spencer (M&S), Co-op, and Harrods.

The four individuals—three UK citizens and one Latvian, all between the ages of 17 and 20—were arrested early in the morning of 10 July at their homes. They are being held on suspicion of blackmail, money laundering, violating the Computer Misuse Act, and participating in an organized criminal group. The authorities seized their electronic devices for digital forensic analysis, according to the UK National Crime Agency (NCA).

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency’s highest priorities,” said NCS National Cyber Crime Unit Deputy Director Paul Foster in a statement. “Today’s arrests are a significant step in that investigation, but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”

The cybercrime campaign against the British stores began months ago. The attacks left some shelves bare and retailers unable to fulfill online orders. Customer data was also stolen.

The attackers sent a ransom demand laden with abuse to M&S CEO Stuart Machin in April using a breached employee email account. M&S estimated that the attack cost it around 300 million pounds ($407 million), the Associated Press reported in May. The attack also reduced the availability of some food products and heightened logistics costs and waste because shops had to resort to some manual processes. M&S expects operations to be affected until late July, with some IT systems not fully operational until at least October, according to the BBC.

In an annual figures report, M&S revealed that the attackers gained access to the company’s IT systems through a third party.

“We didn’t leave the door open, this wasn’t anything to do with under-investment,” said M&S CEO Stuart Manchin in May. “Everyone is vulnerable. For us, we were unlucky on this particular day through some human error.”

Supermarket chain Co-op said attackers also stole customers’ personal data and disrupted payments. Harrods restricted online access in May as a result of the attacks. Both companies were forced to disconnect IT systems from the Internet to try and keep the criminals out of key networks.

The attackers claimed to be part of DragonForce, a hacker organization that offers ransomware as a service to cybercrime affiliates for a 20 percent cut of any ransoms collected. The organization was first detected in 2023, although it has more aggressively marketed its wares in the past few months, according to an explainer from The Independent. Researchers debate where the group is based, either in Malaysia or Russia.

The Scattered Spider network of cyber criminals has also been suspected of involvement in the retailer attacks, potentially collaborating with DragonForce actors. Hackers affiliated with Scattered Spider are often young adults in the United States or UK. Most recently, these actors have been targeting the insurance industry.