‘Scattered Spider’ Creeps Back: Las Vegas Hackers Suspected in Wave of U.K. Retail Cyberattacks
A hacking collective blamed for paralyzing half the Las Vegas Strip in 2023 appears to have resurfaced—this time targeting some of Britain’s most recognisable retailers. Harrods, Marks & Spencer, and Co-op have each confirmed separate cyber incidents over the past fortnight, and investigators say the hallmarks point to the group known as Scattered Spider, also called Star Fraud.
Retail disruption, data theft
While all three chains have kept their brick-and-mortar stores open, online sales, payment systems and customer-service portals have suffered intermittent outages. Co-op disclosed that attackers stole “a significant amount” of customer information, including names and contact details. Marks & Spencer has suspended online order processing for up to ten days as it works to contain the breach.
A shape-shifting playbook
Scattered Spider is notorious for its blend of social-engineering scams and nimble, multi-stage intrusions. Posing as legitimate users locked out of corporate accounts, the largely English-speaking hackers charm help-desk staff into resetting passwords or granting remote access. Once inside, they pivot laterally across networks, exfiltrating data or deploying ransomware that can freeze thousands of workstations at once.
During past break-ins, the group has posted crude messages in internal Slack channels, joined live incident-response calls, and even phoned family members of executives to taunt them—tactics designed to sow chaos and pressure victims into multimillion-dollar extortion payments.
A brief lull after arrests
Five alleged members linked to Scattered Spider were arrested in November, and security analysts noted a sudden quiet. That silence now looks temporary. Google’s Mandiant threat-intelligence unit warned clients last week that the collective—or a splinter cell—had resumed operations, advising companies to reinforce identity checks and tighten password-reset procedures.
National response
The U.K.’s National Cyber Security Centre (NCSC) has begun coordinating with affected retailers and issued fresh guidance on preventing account takeovers. The agency is still analysing forensic evidence to confirm whether the incidents form part of a single campaign.
John Hultquist, chief analyst at Mandiant, urged other retailers to treat the latest breaches as a flashing red light. “These hackers typically work their way through a sector,” he said. “The window to shore up defences is closing fast.”
Economic stakes
Scattered Spider’s previous headline attack, the 2023 breach of MGM Resorts in Las Vegas, tore through hotel reservation systems, slot machines and digital room keys, ultimately costing the company an estimated US $110 million—an amount covered only because of cyber-insurance. U.K. analysts fear a similar hit to major retailers could ripple through supply chains at the height of spring shopping season.
What companies can do now
- Lock down the help desk. Enforce strict identity verification before resetting credentials or granting remote access.
- Multi-factor everywhere. Require hardware- or app-based authentication for all privileged accounts.
- Monitor for odd behaviour. Sudden spikes in password resets, failed logins or new MFA enrolments can signal social-engineering attempts.
- Segment and back up. Isolate critical payment and fulfilment systems, and keep offline backups to speed recovery if ransomware is deployed.
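The monitoring advice above can be turned into two simple checks over identity-provider audit events. This is an added example, not part of the original article: the event names, the (timestamp, event, account) tuple layout, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

WATCHED = {"password_reset", "failed_login", "mfa_enrolment"}  # assumed event names

def _ev(hhmm, kind, account):
    return (datetime.strptime("2025-05-01 " + hhmm, "%Y-%m-%d %H:%M"), kind, account)

# Constructed sample audit events; a real feed would come from the identity provider's logs.
SAMPLE_EVENTS = [
    _ev("09:12", "password_reset", "alice"), _ev("10:40", "password_reset", "bob"),
    _ev("11:05", "password_reset", "carol"), _ev("11:30", "mfa_enrolment", "dave"),
    _ev("14:02", "password_reset", "erin"), _ev("14:05", "password_reset", "frank"),
    _ev("14:09", "mfa_enrolment", "erin"), _ev("14:11", "password_reset", "grace"),
    _ev("14:20", "password_reset", "heidi"), _ev("14:31", "password_reset", "ivan"),
    _ev("14:33", "mfa_enrolment", "ivan"),
]

def hourly_spikes(events, factor=3, min_count=3):
    """Flag hours where a watched event type reaches factor x its median hourly count."""
    per_kind = defaultdict(Counter)  # event type -> hour bucket -> count
    for ts, kind, _ in events:
        if kind in WATCHED:
            per_kind[kind][ts.replace(minute=0, second=0, microsecond=0)] += 1
    spikes = []
    for kind, hours in per_kind.items():
        baseline = median(hours.values())  # median over hours that saw this event type
        for hour, n in sorted(hours.items()):
            if n >= max(min_count, factor * baseline):
                spikes.append((hour.strftime("%H:00"), kind, n))
    return spikes

def reset_then_enrolment(events, window=timedelta(minutes=30)):
    """Flag accounts that enrol a new MFA factor shortly after a password reset."""
    last_reset, hits = {}, []
    for ts, kind, account in sorted(events):
        if kind == "password_reset":
            last_reset[account] = ts
        elif kind == "mfa_enrolment" and account in last_reset:
            if ts - last_reset[account] <= window:
                hits.append((account, ts.strftime("%H:%M")))
    return hits

if __name__ == "__main__":
    print(hourly_spikes(SAMPLE_EVENTS))
    print(reset_then_enrolment(SAMPLE_EVENTS))
```

A reset followed within minutes by a new MFA enrolment on the same account is worth a call-back to the account owner through a known-good contact, since it matches the help-desk impersonation pattern the article describes.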
Looking ahead
Whether the current flare-up is the handiwork of core Scattered Spider members or a copycat crew, the message is clear: youthful, English-speaking hackers armed with social savvy and technical skill remain one of the fastest-moving threats in cyberspace. For businesses lulled into complacency by a few quiet months, the retail hacks are a stark reminder that in cybersecurity, absence of noise rarely means absence of danger.