The UK’s National Crime Agency (NCA) recently arrested four suspects involved in a major cyberattack on top UK retailers. The operation highlights law enforcement’s ability to tackle cybercrime and exposes the scale of today’s digital threats.
Behind the Arrests: Who Are the Suspects?

The arrested individuals include two 19-year-old men, a 17-year-old, and a 20-year-old woman. Police arrested them in the West Midlands and London. Charges include hacking, blackmail, and organized cybercrime.
Cybersecurity journalist Brian Krebs identified two 19-year-old suspects. They are Owen David Flowers (aka bo764, Holy, Nazi) and Thalha Jubair (aka Earth2Star, Operator). Reports suggest Jubair played a key role in the LAPSUS$ cybercrime group and once ran the Doxbin website.
Investigators seized the suspects' devices for forensic analysis to collect evidence and map the crime network.
National Damage and the Names Behind It
The cyberattacks that occurred in April 2025 against Marks & Spencer and Co-op were classified as a "single combined cyber event" by the Cyber Monitoring Centre (CMC). The estimated financial impact ranged from £270 million to £440 million (approximately $363-592 million USD), a figure that highlights the severe consequences for the business sector and the UK economy.
Although the NCA did not directly name the criminal group, it is widely believed that these attacks were carried out by the well-known cybercriminal group Scattered Spider, notorious for its sophisticated social engineering tactics used to breach organizations and deploy ransomware. Marks & Spencer confirmed that the attack on its systems was ransomware-related and executed by the DragonForce ransomware group, collaborating with other "loosely aligned" actors.
Scattered Spider: When Young Hackers Play for Real
A key characteristic of Scattered Spider is its use of young, native English speakers. They impersonate employees and call the IT support departments of target companies, using psychological manipulation to trick staff into revealing critical information (such as usernames and passwords).
This group is part of “The Com” network, which plays a role in various forms of cybercrime, including phishing, SIM swapping, sextortion, extortion, and even more violent crimes.
Halcyon and Mandiant, a Google-owned company, also indicate that the group rotates targets based on opportunity and financial gain, and uses phishing domains that closely mimic legitimate corporate login pages.
A Crucial Lesson: Protection Starts with "People"
Charles Carmakal, CTO of Mandiant Consulting, described these arrests as a "significant win" that demonstrates international cooperation and marks a crucial period for organizations to seriously strengthen their defenses.
He recommends preventative measures that organizations should start implementing immediately, such as:
- Training IT teams and employees to detect phishing attempts.
- Implementing Multi-Factor Authentication (MFA) that is resistant to phishing.
- Enforcing robust identity verification for employee support calls.
Zach Edwards, a threat researcher, also warns that these young hackers often believe they are playing a fun, get-rich-quick game, but in reality, it's a game that leads to “jail,” not “riches.”
Conclusion: The Cyber World Is No Longer Distant
The arrest of Scattered Spider members is just the beginning in the ongoing fight against complex and evolving cyber threats. Organizations and users alike need to be aware and invest seriously in prevention, because the “damage” incurred isn't just financial; it extends to reputation, trust, and the long-term future of businesses.
Source: The Hacker News: Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods