Police investigation into UK retail hacks focuses on English-speaking youths

Yahoo, 21-05-2025

Detectives investigating cyber attacks on UK retailers are focussing on a notorious cluster of cyber criminals known to be young English-speakers, some of them teenagers, police have revealed.
For weeks speculation has mounted that disruptive attacks on M&S, Co-op, Harrods and some US retailers could be the work of a hacking community called Scattered Spider.
Speaking about the hacks for the first time, the National Crime Agency (NCA) has told BBC News the group is a key part of its ongoing investigation to find the culprits.
"We are looking at the group that is publicly known as Scattered Spider, but we've got a range of different hypotheses and we'll follow the evidence to get to the offenders," Paul Foster, head of the NCA's national cyber crime unit, said in a new BBC documentary.
"In light of all the damage that we're seeing, catching whoever is behind these attacks is our top priority," he added.
The wave of attacks, which began at Easter, has resulted in empty shelves in stores, the suspension of online ordering, and millions of people's private data being stolen.
The hacks have been carried out using DragonForce, a platform that gives criminals the tools to carry out ransomware attacks. However, the hackers pulling the strings have still not been identified and no arrests have been made.
Some cyber experts say the hackers display the traits of Scattered Spider, a loose community of often young individuals who organise across sites like Discord, Telegram and in forums, most likely located in the UK and US.
Although the NCA says it is exploring all parts of the cyber crime ecosystem, it too is looking in the same direction.
"We know that Scattered Spider are largely English-speaking but that doesn't necessarily mean that they're in the UK - we know that they communicate online amongst themselves in a range of different platforms and channels, which is, I guess, key to their ability to then be able to operate as a collective," Mr Foster said.
M&S has been hit with ransomware, which has scrambled the company's servers, rendering computer systems useless. The high street giant is still struggling to keep shelves stocked and has halted online shopping for weeks. Hackers have also stolen customer and employee data from the company.
At Co-op, staff took systems offline to prevent a ransomware infection but a huge amount of customer and staff data was stolen and is being held to ransom. Operations at the firm's supermarkets, insurance offices and funeral services have been badly affected.
It is not known what is happening at Harrods but the company admitted it had to pull computer systems offline because of an attempted cyber attack.
When the hackers behind the M&S and Co-op attacks anonymously contacted the BBC last week, they declined to say whether or not they were Scattered Spider.
Cyber security researchers at CrowdStrike coined the name "Scattered Spider" because of the group's sporadic nature, but other cyber companies have given the cluster nicknames including Octo Tempest and Muddled Libra.
The group was also linked to high-profile attacks including on two US casinos in 2023 and Transport for London last year.
And in November, the US charged five British and American men and boys in their twenties and teens for alleged Scattered Spider activity. One is 23-year-old Scottish man Tyler Buchanan, who has not made a plea, and the rest are US-based.
NCA investigators will not say how the retail hackers have managed to breach victim organisations, but earlier this month the National Cyber Security Centre issued guidance to organisations urging them to review their IT help desk password reset processes.
"Calling up IT help desks is a tactic that Scattered Spider seems to favour and they use social engineering techniques to manipulate someone into doing something like clicking on a link or resetting someone's account to a password they can use," Lisa Forte, from cyber security firm Red Goat, explained.
In the BBC documentary, a former teen hacker, who was arrested nine years ago and now works in cyber security, said he was not surprised that teenagers could be behind the hacks.
"It wouldn't surprise me - quite [the] opposite. The tools are readily available and it's very easy to jump online and search straight away. You can feel a bit untouchable but for what end? You're gonna be arrested 99% of the time," he said.