Who are Scattered Spider? How the notorious hackers linked to M&S cyber attack work

M&S may have been hacked by a group of notorious cyber-criminals known as Scattered Spider, some of whom are believed to be English-speaking teenagers.

For more than a week, the British retailer has been unable to accept contactless payments and customers are also unable to shop online.

On Monday, Sky News reported that hundreds of agency workers at its main distribution centre were told to stay at home as M&S grappled with the attack.

Shoppers also complained of empty shelves around the country, as M&S confirmed there were "pockets of limited availability in some stores" as a result of measures to manage the cyber incident.

Who are Scattered Spider, the infamous group being linked to the attack?

"Scattered Spider is one of the most dangerous and active hacking groups we are monitoring," said Graeme Stewart, the head of public sector at security company Check Point.

"Since they first appeared in 2022, they have been linked to more than 100 targeted attacks across industries such as telecoms, finance, retail and gaming," he said.

In one of their most infamous hacks, members of the group locked up the networks of casino operators Caesars Entertainment and MGM Resorts International, and demanded hefty ransoms.

Caesars paid the hackers about $15m (£11.2m) to restore its network.

Who are the members of Scattered Spider?

"The group is made up of young, English-speaking individuals, mainly based in the UK and the US," said Mr Stewart.

Some members are believed to be as young as 16, with the group meeting up on hacker forums online.

The authorities have a hard time catching Scattered Spider members because they are just that: scattered.

"This is not a loose group of opportunistic hackers. They operate more like an organised criminal network, decentralised and adaptive.

"Even with several arrests made in the US and Europe, their structure allows them to regroup quickly."

Last month, an alleged Scattered Spider member was extradited to the US from Spain and charged with offences including wire fraud and aggravated identity theft.

How do they work?

The group often targets human vulnerabilities, according to Mr Stewart, rather than system flaws.

They use tactics like social engineering, where hackers trick people into letting them into systems, impersonating IT staff or SIM swapping.

SIM swapping attacks are where hackers trick phone providers into transferring a victim's phone service to a SIM card under the hacker's control.

Read more from Sky News:
Ransacked and looted: Sky reporter returns to family home in Sudan
Trump celebrates 100 days in office
Sixteen-year-old detained after three people killed in Sweden

This means the hacker can approve two-factor authentication and access the victim's private accounts as well as installing malware on certain devices.

"The attack on M&S appears to be heavily financially motivated and focused on making as much money as possible," said Jake Moore, global cybersecurity adviser at cybersecurity firm ESET.

"The gained notoriety focused on the brand - which is so entrenched in British culture and history - just places even more pressure on M&S to pay the growing demands."

What does M&S say?

Sky News contacted M&S which referred us to its previous statement.

"As part of our proactive management of a cyber incident, we have made the decision to pause taking orders via our M&S.com websites and apps.

"Our product range remains available to browse online. We are truly sorry for this inconvenience. Our stores are open to welcome customers.

"We informed customers that there was no need for them to take any action. That remains the case, and if the situation changes we will let them know."

(c) Sky News 2025: Who are Scattered Spider? How the notorious hackers linked to M&S cyber attack work