Community

Marks & Spencer hit by disruptive cyberattack amid Tyler Buchanan extradition

Saturday, 3 May 2025 1:13AM UTC

M&S faces ongoing IT disruptions and market losses following a cyberattack linked to the Scattered Spider group, coinciding with the extradition of accused ringleader Tyler Buchanan to the US. The incident highlights rising threats from coordinated cybercriminal networks targeting retailers globally.

Marks & Spencer (M&S) has found itself in the midst of a significant cyber crisis following a serious hack that has disrupted its IT systems and led to a substantial decline in market value. The attack resulted in an interruption of online sales for more than a week, causing ongoing concerns within the retail sector. The incident coincides with the extradition of Tyler Buchanan, a 23-year-old alleged ringleader of the cybercriminal group known as Scattered Spider, to the United States.

Buchanan was apprehended in Spain after spending ten months awaiting extradition on various charges related to his activities within Scattered Spider. This group has been linked to numerous high-profile attacks on companies across multiple countries, including the UK, the US, Canada, and India during 2022. M&S has maintained a cautionary silence regarding the specifics of the hack and the demands made for the restoration of its compromised systems, but experts suggest that ransomware is likely a component of the attack strategy.

According to sources such as the Daily Mail, a hacking group named DragonForce has claimed credit for the attack on M&S alongside similar operations targeting Co-op and Harrods. While DragonForce did not explicitly mention Scattered Spider, cybersecurity experts have suggested that both groups could be working in collaboration, heightening the threat level posed to retailers.

Tyler Buchanan's role in Scattered Spider, described as a team captain rather than a singular mastermind, highlights the youthful profile of many cybercriminals engaging in these activities. His arrest last summer was facilitated by the FBI after he was discovered to be in control of over $26 million (£20 million) in Bitcoin, raising concerns about the methods employed by such networks. Authorities identified phishing techniques and “SIM swapping” as common tactics, designed to exploit human vulnerabilities and obtain sensitive information.

Detailed investigations revealed that Buchanan had previously registered a fraudulent website linked to his online activities but had apparently neglected to conceal his actual internet address, making his identification easier for law enforcement. Following subsequent raids in Scotland, a multitude of digital devices was seized. The evidence gathered included sensitive usernames and passwords from targeted firms.

The cyber ecosystem that encompasses Scattered Spider is characterised by a ‘toxic behaviour’ among its ranks, as described by cyber analysts. The group is reportedly intertwined with a larger community known as The Com, notorious for encouraging exploitative practices among young and impressionable individuals. This wider network has raised alarms regarding the manipulation of minors into participating in adult criminal activities.

The repercussions of these cyber raids extend beyond financial losses, with companies like MGM Resorts International and Caesars Entertainment suffering massive disruptions and financial penalties following similar attacks attributed to Scattered Spider. Industry experts estimate the losses from these cybersecurity breaches to be significant, with MGM reportedly facing around $100 million in damages.

As investigations continue, M&S is collaborating with various cybersecurity agencies, including CrowdStrike and the UK's National Cyber Security Centre. Graeme Stewart, head of public sector at Check Point, has alerted other retailers to the importance of maintaining robust security measures, stressing that the repercussions of such attacks resonate widely in a digitally dependent society.

As the legal proceedings against Tyler Buchanan progress in California, his defence lawyer, Sara Azari, has underscored his right to the presumption of innocence, distanced him from the M&S attack, and characterised him as ‘the sweetest kid’. The unfolding narrative reflects not only one individual's alleged criminal activities but also highlights the emerging patterns and processes within the increasingly complex world of cybercrime.

Source: Noah Wire Services

More on this

https://www.itv.com/news/2024-05-18/m-and-s-website-and-app-down-as-retailer-apologises-to-customers - This article reports on Marks & Spencer's website and app being temporarily offline due to technical issues, with the retailer apologizing to customers for the inconvenience caused.
https://www.ibtimes.co.uk/marks-spencer-says-site-was-not-hacked-admits-data-breach-1526236 - This report details Marks & Spencer's admission of a data breach caused by a technical issue, leading to the temporary suspension of their website.
https://www.thehackernews.com/2024/06/uk-hacker-linked-to-notorious-scattered.html - This article discusses the arrest of a 22-year-old British national in Spain, linked to the Scattered Spider cybercrime group, highlighting the group's involvement in high-profile ransomware attacks.
https://www.bleepingcomputer.com/news/legal/alleged-scattered-spider-sim-swapper-arrested-in-spain/ - This piece covers the arrest of a 22-year-old British national in Spain, suspected of being a leader in the Scattered Spider hacking group, and details the group's methods, including SIM swapping.
https://www.govinfosecurity.com/spanish-police-bust-alleged-leader-of-scattered-spider-a-25536 - This article reports on the arrest of a 22-year-old British national in Spain, alleged to be the leader of the Scattered Spider group, and discusses the group's activities, including SIM swapping and phishing attacks.
https://www.itpro.com/security/cyber-crime/alleged-scattered-spider-ringleader-taken-down-in-spain-after-law-enforcement-crackdown - This report details the arrest of a 22-year-old British national in Spain, suspected of being a prominent figure in the Scattered Spider hacking group, and discusses the group's involvement in various cyber attacks.
https://www.dailymail.co.uk/news/article-14672725/The-shocking-truth-baby-faced-British-ringleader-shadowy-international-criminal-network-Scattered-Spider-experts-believe-devastating-M-S-hack.html?ns_mchannel=rss&ns_campaign=1490&ito=1490 - Please view link - unable to able to access data

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 7

Notes: The narrative references Tyler Buchanan's recent extradition and ongoing legal proceedings, aligning with current events. However, specifics like the M&S hack's timeline are undated in the narrative, and DragonForce's claims lack independent verification. Press release freshness is indeterminable without access to related materials.

Quotes check

Score: 5

Notes: Direct quotes (e.g., Sara Azari's 'sweetest kid' remark) lack verifiable timestamps or primary sourcing. The Daily Mail is cited for DragonForce's claims, but original attribution is absent, reducing traceability.

Source reliability

Score: 6

Notes: The narrative originates from the Daily Mail, which lacks the rigour of outlets like Reuters but references expert opinions (e.g., Check Point's Graeme Stewart). Cybersecurity agencies like NCSC are cited, adding credibility, but reliance on unnamed sources lowers confidence.

Plausability check

Score: 8

Notes: Claims align with known cybercriminal tactics (phishing, SIM swapping) and Scattered Spider's documented activities. Collaboration with groups like DragonForce is plausible given industry trends, though unverified. Financial loss estimates (e.g., MGM's $100M) match prior breach patterns.

Overall assessment

Verdict (FAIL, OPEN, PASS): OPEN

Confidence (LOW, MEDIUM, HIGH): MEDIUM

Summary: While the narrative aligns with credible cybercrime patterns and references recent events, reliance on non-primary sources and undated claims introduces uncertainty. Collaboration allegations between DragonForce and Scattered Spider remain unverified, warranting further scrutiny.

Marks & Spencer
cybersecurity
Scattered Spider
ransomware
cybercrime
Tyler Buchanan