In recent developments, the retail industry has become the latest target for a notorious hacking group known as Scattered Spider. This group, composed mainly of teenage hackers, is infamous for launching coordinated attacks on various sectors. Recently, iconic British retailers such as Marks & Spencer, Co-op, and Harrods have been victimized in incidents bearing the distinct signature of Scattered Spider. These attacks underline a rising trend in cyber threats against retail giants, signaling the retail sector’s vulnerability to such cybercriminal activities.
According to Google Mandiant, retail organizations have increasingly been featured on cybercrime data leak sites. The percentage of retail victims rose to 11% in 2025, a significant increase from previous years. Scattered Spider, emerging from a community of young hackers self-titled “The Community,” has been linked to attacks on at least 130 companies, including well-known entities like MGM Resorts and Clorox. Despite law enforcement efforts in 2024 resulting in several arrests and indictments, the group remains active and poses a significant threat to various industries.
Mandiant’s analysis suggests that retail organizations attract cybercriminals due to their vast repositories of personally identifiable information and financial data. These companies may also be more susceptible to paying ransom demands if their operations are disrupted. The group’s tactics involve deploying ransomware such as the DragonForce strain, which was allegedly used in attacks on Marks & Spencer and Co-op. DragonForce, linked to the ransomware-as-a-service operation RansomHub, has been evolving its strategies, allowing hackers to operate independently while using its infrastructure.
The potential resilience of Scattered Spider, despite law enforcement setbacks, is a cause for concern. Mandiant warns that the group’s strong ties with a wider network of threat actors could facilitate a swift recovery and continuation of its malicious activities. Its methods often include sophisticated social engineering techniques like SIM-swapping and phishing, leading experts to recommend that companies implement more stringent security verification processes for help desk interactions.
To combat these threats, businesses are advised to avoid using publicly available personal data for security verification and to employ internal-only knowledge or real-time presence verification. Mandiant also cautions against reliance on SMS or phone calls for multifactor authentication and suggests decoupling identity stores like Active Directory from critical infrastructure. These measures are crucial for fortifying defenses against the persistent and evolving threat posed by groups like Scattered Spider.