category attack
published July 2025
read_time 11 min

The UK Retail Wave: DragonForce, Scattered Spider, and Ten Days That Cost £500m

Between Easter weekend and the first days of May 2025, three of Britain's most recognisable retailers — Marks & Spencer, Co-op, and Harrods — were all hit by cyberattacks within ten days of each other. The attacks were not opportunistic. They followed months of reconnaissance, exploited a third-party helpdesk, and ultimately cost M&S alone an estimated £300 million in lost operating profit. What happened, how it happened, and what it means for any organisation relying on outsourced IT support.

The spring 2025 UK retail attacks became the largest cyber event to hit British businesses in years, not because of novel malware or a sophisticated zero-day, but because a group of English-speaking attackers made phone calls and asked politely for password resets. The combination of precise social engineering, months of patient dwell time, and a ransomware-as-a-service (RaaS) platform purpose-built for destructive impact produced a wave that the UK's National Cyber Security Centre described as a cause for concern across the entire sector.

Understanding what happened requires tracing two overlapping threads: who carried out the attacks (Scattered Spider, operating as DragonForce affiliates), and what tools and infrastructure they brought to bear (DragonForce's RaaS platform, built on leaked LockBit and Conti code). Both threads matter because the UK retail attacks are not a story about one organisation failing — they are a story about a repeatable attack model landing on unprepared targets.

DragonForce: From Hacktivism to Ransomware Cartel

The DragonForce name first belonged to a pro-Palestine hacktivist group operating out of Malaysia, which had been conducting defacement campaigns and data leaks against targets it framed as ideologically opposed to its cause since at least 2021. Governments in Israel, India, Saudi Arabia, and the UK, as well as commercial businesses linked to specific political causes, were among its targets. A ransomware operation using the same name surfaced publicly in late 2023; whether it is that group rebranded or a separate crew that adopted the name has not been conclusively established, and the two are usually discussed together.

The shift toward financially motivated ransomware operations came quickly. By late 2023 and into 2024, DragonForce had established a full Ransomware-as-a-Service platform offering affiliates ready-made encryption tooling, negotiation infrastructure, leak-site hosting, and technical support in exchange for a 20 percent cut of ransoms collected. The ransomware itself was built on leaked LockBit 3.0 (Black) source code combined with elements from Conti, producing payloads capable of targeting Windows, Linux, ESXi, and NAS environments. Affiliates could generate builds per platform, customise file extensions, and control encryption behaviour through a dashboard.

In early 2025, DragonForce went further by launching a white-label service — called RansomBay — that allowed affiliates to wrap the ransomware under entirely different branding, making the same tooling appear as independent operations with distinct names and ransom notes. DragonForce positioned itself publicly as a "ransomware cartel," a deliberate framing designed to attract affiliates from disrupted competitors. When RansomHub's infrastructure went dark in late March 2025, DragonForce actively solicited its affiliates on underground forums.

note

By 2024, DragonForce's affiliates had publicly listed approximately 93 distinct victims across Windows, Linux, ESXi, and NAS environments, including the Ohio Lottery (600+ GB of data), Coca-Cola Singapore, Yakult Australia, and the Government of Palau. The UK retail wave represented a significant escalation in profile and financial impact.

Scattered Spider: The Human Element

Scattered Spider — also tracked as UNC3944 and loosely associated with a broader network known as The Com — is an English-speaking collective of young attackers, some in their teens and early twenties, who specialise in social engineering against large enterprise targets. They do not rely on technical exploits to gain initial access. They make phone calls.

Their established playbook involves calling IT help desks or service desk contractors and impersonating employees, executives, or IT staff. The calls are convincing — native English speakers using correct corporate terminology, sometimes with research on specific employees gathered from LinkedIn and other sources to lend credibility. The goal is to trigger a password reset, a credential handover, or a bypass of multi-factor authentication. Once they have valid credentials, they move quickly: enumerating Active Directory, exfiltrating the NTDS.dit database, cracking password hashes offline, and establishing persistence before deploying a ransomware payload at a moment of their choosing.

Scattered Spider had used this approach against Caesars Entertainment and MGM Resorts in August and September 2023. In the MGM case, a single ten-minute phone call to the IT help desk was reported as the entry point that eventually led to over $100 million in losses and weeks of disruption at casino properties across Las Vegas. The pattern of targeting prominent consumer brands in sector waves (hospitality, then financial services, then food services) was documented by Google's Threat Intelligence Group, which noted the UK retail attacks were consistent with the same wave-targeting methodology.

"These weren't opportunistic attacks, they likely conducted long reconnaissance work beforehand. Once they gained access, they watched and scoured for weeks, maybe months before acting." — Security analyst speaking at Infosecurity Europe 2025

Marks & Spencer: The Attack That Defined the Wave

The M&S breach did not begin at Easter. Evidence reviewed by investigators indicated that attackers had first gained a foothold in M&S's systems as early as February 2025 — roughly two months before ransomware was deployed. During that dwell period, they conducted reconnaissance, escalated privileges, and positioned themselves for maximum impact before pulling the trigger.

The entry point was M&S's IT helpdesk, operated under contract by Tata Consultancy Services (TCS). Attackers, believed to be Scattered Spider members, called the TCS-run support line posing as M&S employees and manipulated helpdesk agents into performing password resets for them. With those credentials in hand, they accessed Active Directory and exfiltrated the NTDS.dit file — the core Active Directory database containing password hashes for every domain user account. Those hashes were cracked offline, yielding clear-text credentials across M&S's domain.

Armed with domain-level access, they moved laterally through the network for weeks. Disruption first surfaced over the Easter bank holiday weekend (April 19 to 21, 2025), when contactless payments and click-and-collect began failing in stores. On April 24, 2025 the attackers deployed DragonForce's encryptor across M&S's VMware ESXi hosts, encrypting virtual machines at scale. Striking around a bank holiday weekend is a deliberate choice: fewer staff are monitoring systems, and the attackers gain more time before anyone reacts. (Good Friday 2025 fell on April 18, so the encryption run itself came after the holiday, not during it.)

M&S issued its first public statement on April 22, by which point contactless payments and click-and-collect services had already failed across its 1,400-plus stores. On April 25, M&S suspended all online shopping, forgoing approximately £3.8 million in daily revenue. The automated ordering and stock management systems were taken offline to contain the damage, forcing stores to revert to manual paper-based inventory tracking. Food halls ran low on stock. Gift card terminals, returns kiosks, and loyalty services stayed offline.

On April 23, DragonForce sent M&S CEO Stuart Machin a message from a compromised employee email account confirming the attack and demanding payment. M&S chose not to engage directly with the attackers, instead working through professional intermediaries. Online shopping for clothing resumed in limited form on June 10 — 46 days after the initial disruption. Full recovery extended into July.

critical

Financial impact summary for M&S: Deutsche Bank analysts estimated £30 million in immediate profit loss plus approximately £15 million in additional weekly losses during the outage. Total projected impact: approximately £300 million in lost operating profit for 2025/26. At the peak of the disruption, M&S's market capitalisation had fallen by roughly £750 million. The UK Cyber Monitoring Centre (CMC) assessed the combined M&S and Co-op incident as a Category 2 systemic event with total financial impact estimated at £270 million to £440 million across both organisations.

The customer data stolen included names, dates of birth, telephone numbers, home addresses, email addresses, and online order history for an undisclosed number of customers. M&S confirmed that payment card details and account passwords were not among the stolen data.

Co-op and Harrods: The Wave Widens

Within days of the M&S disruption becoming public, Co-op confirmed a cyberattack that had forced it to shut down portions of its IT infrastructure as a precautionary measure. The Co-op runs more than 2,000 supermarkets across the UK and has approximately 6.5 million members — all of whose data was ultimately confirmed as compromised. The hack disrupted back-office and call centre services and led to empty shelves at many stores as supply chain management systems went offline.

Co-op's response was faster than M&S's — shutting systems down before ransomware could be deployed, a decision that limited the severity of the operational disruption. Security experts observed that the incident appeared consistent with an attack that was caught in a relatively early stage, preventing full encryption. Even so, the data breach was significant, and the Co-op assessed revenue losses at approximately £206 million.

DragonForce affiliates contacted the BBC directly during the Co-op incident, sharing a sample of data relating to approximately 10,000 Co-op members and claiming the breach was far larger than the organisation had publicly acknowledged. They also told reporters that other UK retailers were on a target list. This kind of direct media engagement — using stolen data as proof and threat simultaneously — is characteristic of the pressure tactics Scattered Spider has employed in previous campaigns.

Harrods was the third retailer to disclose an attack, confirming on May 1 that it had detected and contained an attempted intrusion. Its security team restricted internet access across all sites, including the flagship Knightsbridge store and H Beauty branches, as a precautionary measure. Operations were not materially disrupted, and Harrods found no evidence of customer data being compromised in that incident. A separate breach via a third-party provider in late September 2025 proved more damaging, exposing approximately 430,000 customer records including names, email addresses, and telephone numbers.

The Attack Chain in Detail

The M&S attack, as reconstructed by investigators including CrowdStrike, Microsoft, and Fenix24, followed a sequence that maps cleanly to Scattered Spider's documented tradecraft and DragonForce's technical capabilities.

Initial access came via social engineering against the outsourced IT helpdesk — phone-based impersonation to obtain credential resets. From there, attackers accessed Active Directory and exfiltrated the NTDS.dit database, enabling offline cracking of domain account password hashes. This is a well-documented technique: the NTDS.dit file is the crown jewel of any Windows domain environment, and its exfiltration typically signals that an attacker intends to operate at domain administrator level.

With domain administrator credentials, they conducted weeks of lateral movement using living-off-the-land (LOTL) techniques — built-in Windows utilities like PowerShell and WMI rather than external tooling that might trigger signatures, alongside network scanning tools like Advanced IP Scanner and PingCastle. Credential dumping tools including Mimikatz harvested additional high-privilege account credentials as they moved through the environment.

Data exfiltration preceded encryption. Attackers used tools including Rclone and legitimate cloud services to transfer data to attacker-controlled infrastructure before deploying the encryptor. This double-extortion approach — steal first, then encrypt — ensures leverage even against organisations with strong backup capability: even if you can restore from backup, the threat of publishing stolen data remains.

On the encryption side, DragonForce's encryptor was deployed specifically against VMware ESXi hosts — the hypervisor layer running M&S's virtual machines. ESXi targeting is a deliberate choice that maximises disruption: encrypting the hypervisor layer takes down every VM running on it simultaneously, collapsing entire segments of infrastructure in one action rather than requiring the attacker to hit individual endpoints.
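The credential dump, discovery and exfiltration steps above are the ones a SOC can catch during the dwell period. The detection logic below is an added example written for this briefing, not code from M&S, its investigators or any vendor: it runs a handful of rules over constructed Sysmon process-creation events (field names follow Sysmon Event ID 1; hostnames, users and command lines are made up) and then correlates a credential dump with a later exfiltration tool on the same host, which is the "breach has gone deep" signal worth paging on.

```python
"""Detection over Sysmon process-creation events for the post-compromise steps
described above. Example code added for this briefing; the events are
constructed samples whose field names follow Sysmon Event ID 1 (Computer,
UtcTime, User, Image, CommandLine)."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str      # MITRE ATT&CK technique ID
    host: str
    user: str
    time: datetime
    command_line: str


# Each rule is matched, case-insensitively, against "<Image> <CommandLine>".
RULES = [
    ("ntds_dump_ntdsutil", "T1003.003",           # ntdsutil "install from media" dump
     re.compile(r"ntdsutil(\.exe)?.*\bifm\b.*create\s+full", re.I)),
    ("shadow_copy_created", "T1003.003",           # VSS snapshot, usually of the system volume
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_copy_from_shadow", "T1003.003",         # ntds.dit lifted out of a shadow copy
     re.compile(r"(copy|xcopy|robocopy|esentutl).*harddiskvolumeshadowcopy\d+.*ntds\.dit", re.I)),
    ("mimikatz_module", "T1003.001",
     re.compile(r"sekurlsa::|lsadump::", re.I)),
    ("advanced_ip_scanner", "T1046",
     re.compile(r"advanced[_ ]ip[_ ]scanner", re.I)),
    ("rclone_exfil", "T1567.002",                  # rclone invoked under its own name
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("rclone_flags_renamed_binary", "T1567.002",   # rclone syntax even if the binary was renamed
     re.compile(r"\s(copy|sync|move)\s+\S+\s+[a-z0-9_-]+:\S*.*\s--(transfers|config|bwlimit|no-check-certificate)\b", re.I)),
]

CRED_DUMP_RULES = {"ntds_dump_ntdsutil", "ntds_copy_from_shadow", "mimikatz_module"}
EXFIL_RULES = {"rclone_exfil", "rclone_flags_renamed_binary"}

# Constructed sample log (JSON lines, one Sysmon event per line). DC01 shows the
# ntdsutil path followed by rclone; DC02 shows the shadow-copy path with no exfil;
# BKP01 is a benign "vssadmin list shadows" that must not fire.
SAMPLE_LOG = r'''
{"UtcTime": "2025-03-02 01:12:03", "Computer": "DC01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\ntdsutil.exe", "CommandLine": "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\ifm\" q q"}
{"UtcTime": "2025-03-02 02:05:11", "Computer": "DC01", "User": "CORP\\svc_backup", "Image": "C:\\Users\\Public\\rclone.exe", "CommandLine": "rclone.exe copy C:\\Temp\\ifm mega:ifm --transfers 8 -q"}
{"UtcTime": "2025-03-02 03:10:00", "Computer": "DC02", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe create shadow /for=C:"}
{"UtcTime": "2025-03-02 03:11:30", "Computer": "DC02", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dit"}
{"UtcTime": "2025-03-02 09:00:00", "Computer": "BKP01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"}
{"UtcTime": "2025-03-03 20:41:09", "Computer": "WS-IT-02", "User": "CORP\\helpdesk7", "Image": "C:\\Users\\helpdesk7\\Downloads\\Advanced_IP_Scanner_2.5.exe", "CommandLine": "Advanced_IP_Scanner_2.5.exe /portable"}
'''


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(events):
    """Apply every rule to every event; one Finding per (event, rule) match."""
    findings = []
    for ev in events:
        target = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}"
        when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        for name, technique, pattern in RULES:
            if pattern.search(target):
                findings.append(Finding(name, technique, ev["Computer"], ev["User"], when, ev["CommandLine"]))
    return findings


def correlate(findings, window=timedelta(hours=24)):
    """Hosts where a credential dump is followed, within `window`, by an exfil
    tool. Returns {host: [(dump_rule, exfil_rule), ...]}; an empty dict means
    nothing to escalate. Single findings are still worth triage, but this pair
    is the point at which the page argues for immediate containment."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    escalate = {}
    for host, fs in by_host.items():
        dumps = [f for f in fs if f.rule in CRED_DUMP_RULES]
        exfils = [f for f in fs if f.rule in EXFIL_RULES]
        pairs = [(d.rule, e.rule) for d in dumps for e in exfils
                 if timedelta(0) <= e.time - d.time <= window]
        if pairs:
            escalate[host] = pairs
    return escalate


if __name__ == "__main__":
    hits = scan(parse_jsonl(SAMPLE_LOG))
    for h in hits:
        print(f"{h.time} {h.host} {h.user} {h.rule} ({h.technique}): {h.command_line}")
    print("escalate:", correlate(hits))
```

The renamed-binary rule exists because attackers rarely leave rclone named rclone.exe; matching on its argument shape (a `remote:path` target plus rclone-only flags) survives a rename, at the cost of needing a short allow-list for legitimate backup jobs. The ESXi hosts that were encrypted do not run Sysmon, so the same approach there has to be built on ESXi shell and authentication logs rather than process-creation events.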

warning

The M&S attack demonstrated that MFA alone does not protect against social engineering at the service desk. Attackers convinced helpdesk agents to reset credentials — in effect bypassing MFA by having an authorised agent disable it or reset it on the attacker's behalf. The protection gap is not the MFA technology but the process by which it can be administratively overridden without sufficient verification.
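What "sufficient verification" looks like can be written down as decision logic rather than left to an agent's judgement on the call. The following is an added example for this briefing, not M&S's, TCS's or any vendor's process: the group names, channels, approval rules and thresholds are assumptions chosen to illustrate the boundary, and the key property is that every input the check relies on (the callback number, the approver's identity) comes from a system of record rather than from the caller.

```python
"""Decision logic for service-desk credential actions: an added example of
the verification boundary the warning above describes, not M&S's, TCS's or
any vendor's process. Group names, channels and thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_RESET = "mfa_reset"        # remove the registered authenticator and re-enrol
    MFA_BYPASS = "mfa_bypass"      # temporary access pass or policy exclusion


# Membership in any of these makes an account "privileged" for this policy
# (assumed names; map them to your own tier-0/tier-1 groups).
PRIVILEGED_GROUPS: Set[str] = {
    "Domain Admins", "Enterprise Admins", "Backup Operators",
    "ESXi-Admins", "Helpdesk-Tier2", "IdP-SuperAdmins",
}


@dataclass
class Account:
    username: str
    groups: Set[str]
    phone_of_record: str           # from the HR system, never from the caller
    manager: str
    resets_last_24h: int = 0


@dataclass
class Request:
    account: Account
    action: Action
    channel: str                   # "phone", "chat" or "in_person"
    # Number the agent dialled for the callback, typed from the HR record.
    callback_dialled: Optional[str] = None
    callback_answered: bool = False
    # Approver's username, taken from the approver's own authenticated session.
    approved_by: Optional[str] = None
    identity_verified: bool = False   # photo ID in person, or live video check


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


def is_privileged(account: Account) -> bool:
    return bool(account.groups & PRIVILEGED_GROUPS)


def evaluate(req: Request) -> Decision:
    """Return allow/deny plus every unmet control, so the agent sees the whole
    checklist rather than one gate a caller might argue their way past."""
    acct, reasons = req.account, []
    privileged = is_privileged(acct)
    mfa_change = req.action in (Action.MFA_RESET, Action.MFA_BYPASS)

    # Hard stop: no remotely initiated MFA removal or bypass for privileged accounts.
    if privileged and mfa_change and req.channel != "in_person":
        return Decision(False, ["privileged MFA changes only in person"])

    # Remote channels: callback must reach the number of record, not one the caller offers.
    if req.channel in ("phone", "chat"):
        if not req.callback_answered:
            reasons.append("callback to number of record not completed")
        elif req.callback_dialled != acct.phone_of_record:
            reasons.append("callback went to a number not on the HR record")

    # Any MFA change, and any privileged action, needs the line manager's approval.
    if (mfa_change or privileged) and req.approved_by != acct.manager:
        reasons.append(f"approval required from manager {acct.manager}")

    # Privileged actions also need live identity verification.
    if privileged and not req.identity_verified:
        reasons.append("privileged action requires identity check")

    # Velocity: a second reset inside 24h is a social-engineering tell.
    if acct.resets_last_24h >= 1:
        reasons.append("repeat reset within 24h: escalate to security operations")

    return Decision(not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: caller claims to be an admin, offers a "new mobile
    # number" for the callback and asks for an MFA reset over the phone.
    admin = Account("j.smith", {"Domain Admins", "Domain Users"}, "+44 7700 900123", "a.jones")
    print(evaluate(Request(admin, Action.MFA_RESET, "phone",
                           callback_dialled="+44 7700 900999", callback_answered=True)))
```

The deny path for the first scenario prints a single reason because the privileged-MFA rule is a hard stop; for everything else the function keeps accumulating, which is deliberate: a ticket that records "callback not completed" and "approval missing" side by side is the audit trail you want when reconstructing how a reset was talked through.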

The Wider Sector Response

The wave produced an immediate and measurable secondary effect across UK retail. The CISO of Holland & Barrett testified at an FT summit that his company saw phishing campaign volumes rise from 10 to 20 per month to over 300 per month from April 2025 onward. AllSaints' head of information security reported experiencing attempts by attackers to gain store access by impersonating IT staff in the weeks following the M&S disclosure — the same tactic, applied against adjacent targets while the sector was already on alert.

The UK NCSC issued urgent guidance to the retail sector, calling on all organisations to review their cybersecurity posture and confirm they had appropriate protections in place. The Cyber Monitoring Centre classified the M&S and Co-op incidents as a single combined cyber event, a Category 2 systemic event, based on the shared threat actor, similar TTPs, and the close timing. It was the first incident the CMC had formally categorised since it began operating in early 2025.

Law enforcement moved relatively quickly. The NCA announced on May 21 that Scattered Spider was a key focus of the investigation. On July 10, four suspects believed to be involved in the M&S and Co-op attacks were arrested. Google's Threat Intelligence Group observed Scattered Spider actors shifting their targeting to major insurance companies in the United States following the UK retail wave, consistent with the group's documented pattern of working through sectors in sequence.

M&S ended its helpdesk contract with TCS — a contract it had renewed only two years earlier as part of a broader technology modernisation program. Both companies stated publicly that the decision predated the attack and was unrelated to fault allocation. TCS denied that its systems had been compromised, stating that it does not provide cybersecurity services to M&S. The contract termination, whatever its stated reasons, closed a chapter in how M&S structured its IT support chain.

Key Takeaways

  1. The attack began at the service desk, not the firewall: Social engineering against a third-party IT helpdesk — not a technical exploit — gave attackers their initial foothold. The vulnerability was human and procedural, not technical. Service desk agents must not be able to reset credentials or bypass MFA for high-privilege accounts without a secondary verification workflow that they cannot be socially engineered around.
  2. Third-party IT outsourcing creates shared risk that is not always shared security: The M&S helpdesk was run by TCS. The credentials were M&S's. The blast radius was M&S's. Outsourcing IT functions does not outsource the risk of those functions being compromised — it creates an additional exposure surface that requires the same security standards as internal operations.
  3. NTDS.dit exfiltration is the signal that a breach has gone deep: Once attackers have the Active Directory database, they can crack hashes offline at leisure and operate with domain administrator credentials. Any detection of NTDS.dit access or exfiltration should trigger immediate containment — not continued monitoring.
  4. ESXi targeting collapses entire environments in a single action: Encrypting the hypervisor layer rather than individual endpoints takes down every VM simultaneously. Organisations running large ESXi estates need to treat those hosts as critical infrastructure with commensurate access controls and monitoring.
  5. Dwell time was the difference between disruption and catastrophe: M&S was breached in February and hit with ransomware in late April — approximately two months of silent access. Extended dwell time allows attackers to fully map the environment, identify high-value data, and choose the moment of maximum operational disruption. Detection during the dwell period is the only point at which the outcome could have been different.

The UK retail attacks of spring 2025 were not the result of exceptional attacker capability. They were the result of systematic exploitation of a gap that many large organisations share: a service desk process that treats credential resets as an operational convenience rather than a security control boundary. The same gap exists at thousands of organisations in every sector. Scattered Spider has demonstrated they know how to find it and use it.

— end of briefing