M&S and Co-op cyber attack: Was a Walsall teenager involved in the retail hack amid Scattered Spider link?

The cyber attacks on M&S and the Co-op has resulted in empty shelves, cancelled online orders and customer data being stolen. 

The question is - who is responsible?

One notorious cyber-criminal group has been highlighted as a focus of the National Crime Agency's (NCA) investigation - it is named as a collective known as 'Scattered Spider'. 

Believed to be made up of young, 'native-English' individuals based in the UK and US - many said to be as young as 16 - Scattered Spider is known for its 'sophisticated social engineering tactics', including phishing, SIM swapping, and multi-factor authentication bombing, to gain access to corporate networks, according to the CISA - America's Cyber Defense Agency. 

The group has also been linked to the Co-op and Harrods hackings at the end of April, as well as Vegas-based Caesars Entertainment and MGM Casinos in 2023 - the latter losing around $100million as a result, CNN reported. 

The NCA has told the Express & Star that a teenager from Walsall was arrested in July last year as part of a joint West Midlands Police and FBI investigation into the targeting of the Vegas casinos. 

Later that year, in September, the NCA said a 17-year-old - also from Walsall - was arrested in relation to the TfL incident

The NCA spokesperson added: "He is yet to be charged so we have no further update on this case at the moment."

Tech news site BleepingComputer is among those reporting that the M&S attack is alleged to have been conducted by Scattered Spider - and that the attackers deployed a piece of malicious software-for-hire known as DragonForce to disable parts of the retailer’s IT network.

The head of the NCA's national cyber-crime unit, Paul Foster, has told a new BBC documentary: "We are looking at the group that is publicly known as Scattered Spider, but we've got a range of different hypothesis and we'll follow the evidence to get to the offenders.

"In light of all the damage that we're seeing, catching whoever is behind these attacks is our top priority."

The M&S breach, which began over the Easter weekend, has had huge repercussions for the retailer. It disrupted online operations, particularly in the fashion, home, and beauty departments, leading to website shutdowns and stock shortages in stores. Customer data was also compromised during the breach.

According to CyberResilience.com, attackers reportedly breached the network as early as February 2025, stealing credential databases and expanding their foothold for weeks before deploying the “DragonForce” ransomware payload on April 24. 

The financial impact of the attack has been substantial with M&S today reporting an estimate of £300 million of losses operating profits, and disruptions are expected to be ongoing until July.

The company is said to have been 'working extensively' with cybersecurity experts and regulatory bodies to manage and contain the threat. 

The arrest in Walsall highlights the growing concern over the involvement of young individuals in cybercrime activities. 

A spokesperson for West Midlands Police said the NCA is leading the investigation.