
Four individuals, three men and one woman aged between 17 and 20, were arrested in London and the Midlands on July 10, 2025, in connection with the cyberattacks on the UK retailers Marks & Spencer (M&S), Co-op Group and Harrods. The arrests, made by the National Crime Agency (NCA), follow months of disruption caused by ransomware attacks linked to the DragonForce ransomware operation. The suspects were arrested on suspicion of Computer Misuse Act offences, blackmail, money laundering and participation in an organised crime group [1].
Attack Methodology and Technical Details
The attackers targeted the retailers' VMware ESXi hosts, where encrypting a single hypervisor takes every guest VM on it offline, and were reported to have used Cobalt Strike for lateral movement and Mimikatz for credential harvesting [2]. The ransomware deployment disrupted operations at both M&S and Co-op, halting online orders and causing payment system failures. M&S reported a data breach exposing customer names, contact details and order histories, though it said payment card data was not taken. Co-op's breach was larger: names, email addresses and dates of birth for roughly 20 million members were reported stolen [3].
The financial impact has been significant. M&S estimates the attack will cost it around £300 million, with online operations not expected to be fully restored until late July 2025 [5]. Co-op faced prolonged operational disruption, including empty shelves and payment outages lasting weeks [4]. The attacks highlight systemic weaknesses in third-party vendor security and incident response planning, particularly in the retail sector.
Relevance to Security Professionals
For defensive teams, the incident underscores the need for close monitoring of ESXi hosts (shell and SSH enablement, VM shutdowns, and binaries run from datastores) and proactive detection of Cobalt Strike activity. Indicators of compromise (IoCs) reported for DragonForce include specific Malleable C2 profiles and DNS-over-HTTPS (DoH) tunnelling patterns [2]. Red teams can study the attackers' tradecraft, such as dumping credentials with Mimikatz and reusing them to escalate privileges and move laterally, to refine adversary emulation scenarios.
Mitigation strategies include:
- Patching VMware ESXi hosts promptly and restricting the management plane (SSH, ESXi Shell, vCenter) to a hardened jump host; patching alone does not help if the attacker arrives with valid administrator credentials
- Segmenting networks and egress-filtering so that servers and workstations cannot reach arbitrary Internet hosts, which blocks most Cobalt Strike beacon callbacks and makes the remaining ones stand out
- Enabling Windows Credential Guard (and running LSASS as a protected process), which stops Mimikatz from reading plaintext passwords, NTLM hashes and Kerberos tickets out of LSASS memory; it does not stop credential theft that never touches LSASS, such as DCSync with already-compromised domain credentials
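The following is an added example of the ESXi monitoring recommended above, not code from the article, the NCA, or any of the cited reports. It runs a small set of detection rules over log lines constructed to imitate the layout of an ESXi host's /var/log/shell.log. The command patterns (enabling SSH or the ESXi Shell, enumerating VMs, force-killing several VMs in a short window, then running a binary out of a datastore) are the generic pre-encryption steps of Linux/ESXi ransomware playbooks and are the author's assumption here, not published DragonForce indicators; the thresholds and severity labels are likewise assumptions to tune for your estate.

```python
"""Flag ransomware staging activity in ESXi shell.log-style records.

Added example for this article. The sample log below is constructed; the
rule patterns and thresholds are assumptions, not published IoCs.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the line layout of ESXi's shell.log.
SAMPLE_LOG = """\
2025-04-20T02:11:04Z shell[2099001]: [root]: vim-cmd hostsvc/enable_ssh
2025-04-20T02:11:09Z shell[2099001]: [root]: vim-cmd hostsvc/enable_esx_shell
2025-04-20T02:12:30Z shell[2099002]: [root]: esxcli vm process list
2025-04-20T02:12:41Z shell[2099002]: [root]: esxcli vm process kill --type=force --world-id=2098213
2025-04-20T02:12:42Z shell[2099002]: [root]: esxcli vm process kill --type=force --world-id=2098290
2025-04-20T02:12:43Z shell[2099002]: [root]: esxcli vm process kill --type=force --world-id=2098311
2025-04-20T02:12:44Z shell[2099002]: [root]: esxcli vm process kill --type=force --world-id=2098377
2025-04-20T02:13:01Z shell[2099002]: [root]: ./encryptor /vmfs/volumes/datastore1
2025-04-20T09:30:00Z shell[2099100]: [root]: esxcli vm process list
2025-04-20T09:31:00Z shell[2099100]: [root]: esxcli system version get
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+shell\[\d+\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# Single-command rules (assumed patterns). Each hit is a medium finding on
# its own; the sequence logic in analyze() builds "mass_vm_kill" on top.
RULES = {
    "remote_access_enabled": re.compile(r"vim-cmd\s+hostsvc/enable_(ssh|esx_shell)\b"),
    "vm_enumeration": re.compile(r"esxcli\s+vm\s+process\s+list|vim-cmd\s+vmsvc/getallvms"),
    "vm_forced_kill": re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--type=force"),
    "datastore_binary_exec": re.compile(r"^\./\S+\s+/vmfs/volumes/"),
}


def parse_shell_log(text):
    """Yield (timestamp, user, command) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["user"], m["cmd"]


def analyze(text, kill_threshold=3, kill_window=timedelta(minutes=5),
            staging_window=timedelta(hours=1)):
    """Return findings as dicts with rule, severity, ts, user and cmd.

    One forced VM kill is routine admin work. `kill_threshold` kills inside
    `kill_window` is treated as mass shutdown ahead of encryption (high), and
    is raised to critical if SSH/shell access was enabled within
    `staging_window` beforehand.
    """
    findings = []
    recent_kills = deque()          # timestamps of forced kills inside kill_window
    access_enabled_at = None        # first time remote access was switched on
    mass_kill_reported = False      # report the aggregate finding once

    for ts, user, cmd in parse_shell_log(text):
        for name, pattern in RULES.items():
            if not pattern.search(cmd):
                continue
            findings.append({"rule": name, "severity": "medium",
                             "ts": ts, "user": user, "cmd": cmd})
            if name == "remote_access_enabled" and access_enabled_at is None:
                access_enabled_at = ts
            elif name == "vm_forced_kill":
                recent_kills.append(ts)
                while ts - recent_kills[0] > kill_window:
                    recent_kills.popleft()
                if len(recent_kills) >= kill_threshold and not mass_kill_reported:
                    mass_kill_reported = True
                    staged = (access_enabled_at is not None
                              and ts - access_enabled_at <= staging_window)
                    findings.append({
                        "rule": "mass_vm_kill",
                        "severity": "critical" if staged else "high",
                        "ts": ts, "user": user,
                        "cmd": f"{len(recent_kills)} forced VM kills within {kill_window}",
                    })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']:%H:%M:%S} {f['severity']:<8} {f['rule']:<22} {f['cmd']}")
```

On the constructed sample this yields ten findings: two remote-access enablements, two VM enumerations (the second, hours later, is reported but stays medium), four forced kills, one datastore binary execution, and one critical `mass_vm_kill` raised on the third kill because SSH had been enabled minutes earlier. The benign `esxcli system version get` line produces nothing. In production, ship shell.log off the host (the attacker has root on it and can truncate the file) and feed the same rules from your SIEM.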
Conclusion
The arrests mark a significant development in a high-profile case that exposed critical weaknesses in retail cybersecurity. While law enforcement action disrupts this specific group, the broader risk of ransomware attacks persists. Organisations should prioritise vendor risk assessments and tabletop exercises to prepare for similar incidents. The NCA and NCSC continue to work with the affected firms to improve reporting mechanisms and resilience [5].
References
[1] "UK police arrest four in connection with M&S, Co-op cyberattacks," Reuters, Jul. 10, 2025.
[2] "UK arrests four over ransomware attacks on M&S, Harrods, Co-op," The Record, Jul. 10, 2025.
[3] "M&S, Co-op, Harrods hit by hackers: What you need to know," Equilibrium Security, Jul. 9, 2025.
[4] "Woman and three teenagers arrested over M&S, Co-op and Harrods cyber-attacks," Sky News, Jul. 10, 2025.
[5] "Marks and Spencer says cyber attack likely to cost £300m and last till July," ITV News, May 21, 2025.