How Marks & Spencer Got Hacked—and Why Shelves Went Empty
Picture waking up to do your grocery shop online at Marks & Spencer, only to find the website down, payment terminals dead, and your favorite snacks missing from the shelves. This isn’t some IT glitch—this was a full-blown cyber attack by a group of hackers most people would picture taking high school exams, not vaulting the digital security of a national retailer.
The gang in question? Scattered Spider—also operating under names like UNC3944 and Muddled Libra. These aren’t your usual seasoned criminals. Investigators say some are as young as 16, connecting through Telegram, Discord, and dark web forums rather than smoky back rooms. Their members stretch from the UK to the US, and they’ve been on the radar since 2022 for hitting high-profile companies hard. This time, their target was right in the heart of British retail.
Scattered Spider’s attack on M&S started quietly, with hackers slipping through digital cracks as early as February 2025. Their method: advanced social engineering, phishing for login details, and bombarding accounts with fake security alerts to wear down overworked staff until somebody let them in by mistake. Once inside, they nabbed critical data—the NTDS.dit file, which gives access to the deep insides of M&S’s computer network, like a backstage pass for hackers.
Then came the ransomware. The group unleashed a strain called DragonForce, encrypting the VMware ESXi servers that M&S and many other big companies rely on to run their day-to-day operations. This wasn’t just locking up a few emails: M&S’s website, online payments, contactless in-store sales, and especially their main distribution center all ground to a standstill. With the digital pipelines blocked, store shelves began to empty out fast.
For five days, M&S—famous for those luxurious ready meals—had to freeze all online orders. Customers arrived to find bread, milk, and even basic snacks missing. Staff could hardly keep up with frustrated shoppers. The company’s core distribution center had to close temporarily, while the cost of lost sales and emergency solutions started adding up fast. Management scrambled, even putting a freeze on new hires as it shifted to damage control.
Who Are Scattered Spider? Teen Hackers Making Big Trouble
What freaks security experts out the most about Scattered Spider isn’t just their technical skills, but their age and unpredictability. They’re organized but scrappy, hitting targets in finance, telecom, gaming, and retail. Their style is fast and relentless—using phishing, bombarding staff with fake login requests (so-called MFA fatigue), and slipping between employer systems using stolen credentials. They’re not in for a quick buck or ego points; they aim for maximum chaos and maximum payday.
This group has already made news around the world for attacks on big names. In 2023, they targeted Las Vegas casino giants like Caesars Entertainment and MGM Resorts, leading to both mayhem in the casinos and a $15 million ransom payout. The drip-feed of arrests barely seems to slow them. A Scottish hacker, Tyler Robert Buchanan, age 23, was nabbed in Spain and charged in the US along with four under-25 Americans. Another suspect, just 18, was arrested in the UK after the Vegas chaos. Yet, the group keeps recruiting and plotting through online communities like ‘Com,’ which is notorious for mixing digital crime with real-world action.
For M&S, the fallout is going to stick around. Lost sales, frustrated customers, and supply headaches are just the surface. Digital crooks are watching how retailers respond, pushing everyone in the industry to rethink their security. Meanwhile, Scattered Spider isn’t going anywhere. They’re evolving, learning from every attack, and proving that highly connected, youthful hackers can shake even the biggest brands—and your weekly shop—without warning.
