Google’s Mandiant cybersecurity unit has confirmed the shift in activity. “They start in the UK and now they’ve shifted to US organisations,” said Charles Carmakal, Chief Technology Officer at Mandiant. “They tend to focus on a particular industry sector and geography for a few weeks and then move on.”
The UK’s National Cyber Security Centre (NCSC) has issued an advisory, warning companies to review how their IT help desks handle password resets—one of the key techniques used by Scattered Spider. Hackers impersonate employees or contractors over the phone to trick IT staff into granting system access.
“It’s not always the core threat actors themselves making the calls,” Carmakal explained. “They often outsource this task to younger individuals on platforms like Telegram and Discord who are paid to help gain initial access.”
Unlike most ransomware gangs—typically operating from Russia or former Soviet countries—Scattered Spider is composed of native English speakers from the UK, US, and Canada. This makes their social engineering tactics more convincing and harder to detect.
Cybersecurity experts from Google’s Threat Intelligence Group further revealed that the group has resumed activity after a hiatus and is now aggressively targeting the US retail sector. “We suspect current ransomware and extortion operations in the US are linked to Scattered Spider,” said John Hultquist, Chief Analyst at Google.
In a related development, French luxury brand Dior confirmed this week that an “unauthorised external party” accessed customer data. Though the extent of the breach remains unknown, Dior stated that no payment information was compromised.
With the rising frequency of retail-targeted cyberattacks, Google and UK authorities are urging businesses on both sides of the Atlantic to tighten their cybersecurity protocols and remain vigilant.