
- Scattered Spider, the cybercrime gang behind the recent Marks & Spencer hack, has been sharpening its phishing campaigns to attack big businesses.
- Recently, Marks & Spencer, Co-op, and Harrods were struck by coordinated cyberattacks.
- Scattered Spider, the infamous ransomware group, was quickly linked to the chaos.
In May 2025, some of the UK’s biggest retailers, Marks & Spencer, Co-op, and Harrods among them, were struck by coordinated cyberattacks. Scattered Spider, the infamous ransomware group, was quickly linked to the chaos.
Marks & Spencer has since been forced to shut down its payment systems at over 1,000 stores across the UK, cancelling thousands of online clothing and home goods orders.
Now, law enforcement appears to be closing in. Last week, Tyler Buchanan, 23, a UK national, was extradited from Spain to face charges in California for conspiracy to commit computer intrusion, wire fraud, and aggravated identity theft.
Prosecutors believe Buchanan is a member of the gang, accusing him of helping breach dozens of companies and personally controlling over $26 million stolen from victims. In late 2004, the US Department of Justice indicted five suspected members of Scattered Spider in connection with the MGM cyberattacks, including four Americans and a UK citizen, all men between the ages of 20 and 25 years.
As the legal case unfolds, cybersecurity researchers are digging deeper into how the group operates. New research from threat intelligence firm ReliaQuest reveals that one of Scattered Spider’s most effective tactics involves impersonating major technology vendors to phish high-value credentials.

A social engineering powerhouse
Scattered Spider may have started as a SIM-swapping gang tied to the underground hacking forum “The Community,” but today they’re operating on a different level.
The gang is a case study in modern, human-centric hacking. Fluent in English and experienced in navigating corporate IT systems, they often impersonate real employees, and their phishing operations use fake login portals to lure targets into handing over credentials. In many cases, those targets are system administrators or executives.
According to ReliaQuest, 81% of the domains linked to Scattered Spider mimic technology vendors, often using typosquatting tactics. Such tactics involve subtle domain misspellings or tweaks that trick users into thinking they’re logging into a legitimate service.
Keywords like “okta,” “vpn,” “helpdesk,” and “sso” frequently appear in the URLs. These decoys are often deployed using phishing frameworks like Evilginx, which are capable of stealing not just usernames and passwords but also session cookies. This allows attackers to bypass multi-factor authentication (MFA).
Instead of obvious giveaways such as hyphenated lookalike domains, the gang favors subtler subdomain-based impersonation: the trusted-looking name is placed in a subdomain of an unrelated registered domain, as in vpn-login.company-support.com, rather than in a lookalike domain itself.
These changes make phishing links harder to detect and block, especially when coupled with reliable hosting services and registrars not typically flagged for abuse.
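The two impersonation patterns described above (lure keywords such as okta, vpn, helpdesk and sso in the hostname, and vendor brands placed in a subdomain or misspelled) can be turned into a simple triage check for proxy or DNS logs. The following is an added example written for this article, not ReliaQuest's or any vendor's code; the protected brands, the allowlisted apex domains and the "last two labels" apex rule are assumptions (a real deployment would use the Public Suffix List).

```python
"""Flag hostnames that impersonate a vendor or carry typical phishing-portal keywords.
Constructed heuristic for log triage; the brand list and allowlist are assumptions."""
import re

# Assumption: brands a defender wants to protect and the apex domains allowed to use them.
PROTECTED_BRANDS = ("okta", "examplecorp")
LEGITIMATE_APEX = {"okta.com", "examplecorp.com"}
# Portal keywords the research reports recurring in the gang's lure URLs.
LURE_KEYWORDS = ("okta", "vpn", "helpdesk", "sso")
# Digits commonly swapped for letters in typosquats (e.g. "0kta" for "okta").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_host(host: str) -> list:
    """Return the reasons a hostname looks like vendor impersonation (empty = none found)."""
    labels = host.lower().strip(".").split(".")
    # Assumption: the apex is the last two labels; use the Public Suffix List in production.
    apex = ".".join(labels[-2:])
    if apex in LEGITIMATE_APEX:
        return []  # the vendor's own domain may legitimately contain its brand
    reasons = []
    # Split every label below the TLD on hyphens so "vpn-login" yields "vpn" and "login".
    tokens = [t for label in labels[:-1] for t in re.split(r"-+", label) if t]
    for tok in tokens:
        if tok in LURE_KEYWORDS:
            reasons.append(f"lure keyword '{tok}' in hostname")
        norm = tok.translate(HOMOGLYPHS)
        for brand in PROTECTED_BRANDS:
            if norm == brand and norm != tok:
                reasons.append(f"typosquat of '{brand}' via homoglyph ({tok})")
            elif norm == brand:
                reasons.append(f"brand '{brand}' used outside its legitimate domain ({tok})")
            elif len(tok) >= 4 and levenshtein(norm, brand) == 1:
                reasons.append(f"typosquat of '{brand}' ({tok})")
    return reasons
```

Run it over the distinct hostnames seen in a day's proxy log and review anything that returns a non-empty list; the keyword rule alone is noisy, so the brand-based reasons are the ones worth escalating first.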
Targeting the tech behind the tech
One of the more alarming trends uncovered by ReliaQuest is Scattered Spider’s pivot toward managed service providers (MSPs) and IT contractors.
These companies serve dozens, sometimes hundreds of client networks, making them an attractive one-to-many target. A single successful breach can cascade across multiple organizations.
By compromising a trusted vendor, Scattered Spider can potentially move laterally across connected organizations without tripping alarms.
This strategy was on display in the UK retail breaches. While Marks & Spencer and Co-op were the visible victims, investigators believe the real entry point may have been Tata Consultancy Services (TCS), a global IT contractor with longstanding relationships in the sector.
Industries on the front line
While retail was the focus in May’s high-profile attacks, Scattered Spider’s reach is much broader.
70% of the group’s known targets are concentrated in just three sectors: technology, finance, and retail trade. These industries are rich in data and often reliant on complex IT infrastructures.
ReliaQuest’s analysis of internal alerts from its GreyMatter Digital Risk Protection (DRP) platform revealed that 35% of impersonation domains targeted the tech sector, with 20% aimed at financial firms, and 15% at retailers.
This reflects a strategy that blends profit motive with calculated technical precision: gain access where defenses are weakest, and the potential payoff is highest.
A coordinated global threat
Scattered Spider, infamous for its cybercriminal partnership with the now-defunct ALPHV/BlackCat gang and their hack of Las Vegas’ MGM Resorts International and Caesars Entertainment in fall 2023, is known for using highly effective phishing techniques to target its victims.
Labeled by Google's Mandiant as one of the most disruptive hacking outfits in the United States at the time, the group was reported to have received a $15 million ransom from Caesars, which paid to keep its operations going in the wake of the attack; MGM, by contrast, refused to pay and was subsequently paralyzed for weeks.
The Scattered Spider hacker gang – also known in the industry as Roasted 0ktapus, UNC3944, or Storm-0875 – is believed to be made up of individuals based in both the US and the UK and is known for SMS phishing, SIM swapping, and MFA fatigue attacks.
The group, around since 2022, is known for its high-profile campaigns targeting hundreds of companies over the years, primarily in the financial services sector, including notable names such as Snowflake, Visa, DoorDash, Riot Games, LastPass, Twilio, and others.