The UK Metropolitan Police has made two arrests in connection with a ransomware attack against the Kido nursery chain that escalated into the online harassment and doxing of children [1]. A 17-year-old boy and a 22-year-old man were taken into custody on October 7, 2025, at residential addresses in Bishop’s Stortford, Hertfordshire, on suspicion of computer misuse and blackmail [3, 4, 6]. This case highlights a disturbing evolution in ransomware tactics, where threat actors directly targeted and published the personal information of approximately 8,000 children after their initial extortion attempts failed.
Attack Timeline and Escalation
The ransomware group “Radiant” first contacted the BBC on September 22, 2025, to publicize their theft of sensitive data from the Kido nursery chain as part of an extortion attempt [1, 9]. The stolen data included photographs, names, home addresses, and family contact information for thousands of children, as well as data on parents, carers, and employees [1, 5, 7, 8]. The hackers initially demanded a ransom reported to be around £600,000 (approximately $800,000) in Bitcoin [1, 9]. When the company, following official advice, did not pay, the group escalated its tactics significantly. On September 25, they posted profiles of 10 children on their dark web site, publishing their names, photos, and addresses, and threatened to release more data [1, 5, 9]. In a further attempt to pressure Kido, the hackers then called parents directly on their mobile numbers to inform them about the breach, a move that intensified the psychological impact of the attack.
Unprecedented Reversal and Apology
Following significant public and expert condemnation of the attack, which cyber experts described as a “new low,” the hackers took an unusual step on October 2 [1, 3, 6, 9]. They removed all the stolen data and pictures from their darknet site, claiming to have deleted the files for all 8,000 children and stating, “No more remains and this can comfort parents.” In a message to a BBC cybercrime reporter, the group, Radiant, even apologized, saying, “We are sorry for hurting kids.” [9] Prior to the full deletion, they had also blurred the images of the children, expressing concern about their reputation within the hacking community. This sequence of events represents a rare instance of threat actors publicly backtracking on their actions, though expert analysis suggests the motives were likely pragmatic rather than moral.
Expert Analysis on Motivations
Cybercrime experts suggested the reversal was driven more by risk management than morality. Jamie MacColl, a senior cybersecurity research fellow at the Royal United Services Institute, stated, “I wouldn’t give them too much credit… But there are some red lines, and this group crossed one of them.” [9] He explained that while public outrage played a role, the more meaningful pressure likely came from within the hacker community itself, which did not want the increased scrutiny from Western law enforcement agencies that the high-profile case was attracting. The incident prompted activity among “gray hat” hackers and security experts, and MacColl noted that Russian cyber communities or even law enforcement may have applied pressure to stop the attack, indicating that even illicit communities have operational security concerns that can influence their behavior.
Technical Infrastructure and Third-Party Risk
Kido International confirmed it had “identified and responded to a cyber incident,” worked with external specialists, and “swiftly informed both our families and the relevant authorities.” [1, 9] A critical detail emerged regarding the data’s origin: the stolen children’s data had been hosted by a third-party software service called Famly, which is used by nurseries to share information with parents. Famly’s CEO, Anders Laustsen, confirmed that “there has been no breach of Famly’s security or infrastructure in any way.” [3] This clarification points towards a compromise of Kido’s specific implementation or access credentials to the Famly service, rather than a vulnerability in the Famly platform itself, highlighting the persistent security challenges associated with third-party software integrations and supply chain attacks.
Official Responses and Broader Implications
Will Lyne, the Met’s Head of Economic and Cybercrime, stated the arrests were a “significant step forward” and that the force understands the “considerable concern” for affected families [1, 3, 6]. Jonathon Ellison, NCSC Director for National Resilience, described the incident as “deeply distressing” and noted that targeting those who look after children is a “particularly egregious act.” [3, 8] This case is also part of a growing trend of young suspects being linked to high-profile cyberattacks in the UK. Recent arrests have involved teenagers accused of attacks on major companies such as Marks & Spencer, Co-op, Harrods, Jaguar Land Rover, and Transport for London [3, 9], suggesting a shift in the demographic profile of threat actors involved in significant cybercrime.
Security Implications and Recommendations
The Kido attack demonstrates a tactical shift where ransomware operators are willing to weaponize stolen data far beyond simple encryption and financial extortion. The direct harassment of victims and the publication of sensitive personal information, especially concerning children, marks a dangerous escalation. For organizations holding sensitive data, this incident reinforces the necessity of robust data classification and access controls. Strict adherence to the principle of least privilege for third-party software integrations is critical. Monitoring for the exposure of corporate credentials on underground forums and implementing mandatory multi-factor authentication for all administrative access, particularly for systems handling highly sensitive data, can mitigate the risk of initial access via compromised credentials. Furthermore, having a tested communication and incident response plan for engaging with affected individuals is essential when dealing with data extortion.
The arrests of a 17-year-old and a 22-year-old in the Kido nursery attack underscore the evolving and increasingly aggressive nature of the cybercrime landscape. While the unusual apology and data deletion by the Radiant group provided some relief, expert analysis indicates it was likely a calculated move to reduce operational risk rather than an act of contrition. This case serves as a stark reminder of the human impact of data breaches and the critical importance of securing sensitive information against threats that are not only financially motivated but also willing to cause direct personal harm. The involvement of young suspects continues a worrying trend that demands attention from both law enforcement and the security community.