4. Scattered Spider retail attacks
When: April-May
What happened?
Everyone’s favourite arachnid-themed hacking group dominates this rundown.
As well as being behind the three major retail attacks featured, the cybercriminal community itself was nominated by four panellists who felt unable to specify an individual incident.
Who nominated it, and why?

Cybaverse CTO Juliette Hudson, CyXcel Co-founder and COO Jano Bermudes, Bridewell Cyber Threat Intelligence Principal Lead Gavin Knapp and Quorum Cyber CEO/Chief Threat Officer pairing Federico Charosky and Paul Caiazzo all put Scattered Spider on their hitlists.
Invited to justify her choice, Hudson claimed that the group’s native English-speaking background makes them unique.
“Scattered Spider’s advanced social engineering, leveraging native English-speaking hackers to exploit IT help desks via phishing and MFA fatigue, showcased their audacity,” she said.
“Their decentralised structure, using platforms like Discord, makes them hard to stop, even after arrests like Tyler Buchanan’s in 2024. Targeting iconic UK retailers and boasting to the BBC amplified their notoriety.”
“These attacks displayed the consequences a cyber-attack can have on real people in the real world, and also the resilience and preparedness organisations across sectors and regions need to build and maintain to withstand a focused adversary,” Quorum Cyber’s Federico Charosky and Paul Caiazzo stated.
“And Scattered Spider is still around – they’ve just shifted their victimology from retail and hospitality to insurance. Be prepared.”
Channel takeaway:
Bridewell’s Knapp said he took several learnings away from this spate of attacks.
“The social engineering approaches used by the group to target/impersonate helpdesk and obtain privileged user accounts were very effective,” he said.
“The reports also suggest that compromised third-party accounts may have also been used in the attack, outlining the importance of having robust identity-based processes and controls in place, including phishing-resistant MFA, and well-rehearsed and security-tested processes for resetting passwords or MFA.”
Despite the eye-watering losses it sustained in this attack, M&S “stands out for the transparency with which they handled the incident”, Quorum Cyber’s Federico Charosky and Paul Caiazzo said.
“By sharing their experience, other organisations can be better prepared to withstand similar attacks,” they said.
Three cyber-attacks were considered more significant by our leadership panel.