Four Hackers Arrested by UK Police for Attacks on M&S, Co-op and Harrods Stores
The National Crime Agency (NCA) has made significant progress in combating retail cybercrime with the arrest of four individuals suspected of orchestrating sophisticated cyber attacks against major UK retailers.
The coordinated operation, conducted on July 10, 2025, targeted a cybercriminal group allegedly responsible for breaching the digital infrastructure of Marks & Spencer, Co-op, and Harrods in April 2025.
This case highlights the growing threat of organized cybercrime against retail establishments and demonstrates law enforcement’s enhanced capabilities in digital forensics and threat attribution.
Key Takeaways
1. Four suspects aged 17-20 arrested by the NCA in the West Midlands and London for April cyber attacks on M&S, Co-op, and Harrods.
2. Digital devices were seized for forensic analysis; the suspects face Computer Misuse Act, blackmail, money laundering, and organized crime charges.
3. Technical details remain undisclosed, but the breaches may have exploited ERP and payment system vulnerabilities and involved ransomware, data theft, and command-and-control infrastructure.
4. Authorities praised retailer cooperation and emphasized the importance of incident reporting and robust security measures.
UK Cybercrime Ring Dismantled
On July 10, 2025, NCA officers executed simultaneous arrests across the West Midlands and London, apprehending four suspects aged between 17 and 20 years.
The suspects face charges under the Computer Misuse Act 1990, specifically sections relating to unauthorized access to computer systems and data modification.
Additional charges include blackmail, money laundering, and participation in organized crime activities, indicating the sophisticated nature of the alleged operation.
During the arrests, investigators seized multiple electronic devices, including laptops, smartphones, and storage media, for digital forensic analysis.
Advanced forensic tools such as EnCase and Cellebrite technologies are likely being employed to recover deleted data, analyze network traffic logs, and reconstruct the attack vectors used against the retail giants.
The NCA’s National Cyber Crime Unit has prioritized this investigation, deploying specialized analysts trained in Advanced Persistent Threat (APT) detection and attribution methodologies.
While specific technical details remain undisclosed, the targeting of M&S, Co-op, and Harrods suggests potential vulnerabilities in retail Enterprise Resource Planning (ERP) systems and customer payment processing infrastructure.
Modern retail cyber attacks typically exploit SQL injection vulnerabilities, Cross-Site Scripting (XSS) flaws, or Remote Code Execution (RCE) exploits to gain initial network access.
The coordinated nature of these April attacks indicates possible deployment of Command and Control (C2) infrastructure, allowing attackers to maintain persistent access across multiple retail networks.
Investigators are likely analyzing network packet captures and system event logs to identify indicators of compromise, such as unusual DNS queries, suspicious SSL certificate usage, and abnormal data transfer patterns.
The involvement of blackmail charges suggests potential ransomware deployment or threats of data exfiltration involving sensitive customer information, including payment card data and personal identifiers.
Legal Implications
Deputy Director Paul Foster emphasized the investigation’s ongoing nature, highlighting international cooperation aspects crucial for modern cybercrime prosecution.
The charges under the Computer Misuse Act carry maximum sentences of 10 years imprisonment for unauthorized access with intent to commit further offenses, while the organized crime participation charges could result in additional penalties.
The retail sector’s cooperation with law enforcement demonstrates improved incident response protocols and adherence to GDPR Article 33 breach notification requirements.
The NCA’s recommendation for victims to utilize the Government’s Cyber Incident Signposting Site reflects standardized reporting procedures essential for effective threat intelligence sharing.