Scattered Spider Resurfaces in U.S. Retail Attacks, Echoing High-Profile U.K. Intrusions
- Cyber Jack
- 16 hours ago
A cybercrime group with a flair for deception and a history of major disruptions is once again on the move—this time zeroing in on U.S. retailers. Researchers from Google’s Threat Intelligence Group and its subsidiary Mandiant warn that a wave of social engineering attacks hitting American retail targets bears the fingerprints of a notorious actor: Scattered Spider, also known as UNC3944 or Oktapus.
The group, infamous for its role in last year’s MGM Resorts breach, has resurfaced after a lull, pivoting its focus from the U.K.—where recent attacks have rocked Harrods, Marks & Spencer (M&S), and Co-op—to high-value U.S. retail organizations. While Google and Mandiant stopped short of naming Scattered Spider as the definitive perpetrator, the playbook matches almost perfectly.
“The actor, which has reportedly targeted retail in the U.K. following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. U.S. retailers should take note,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group.
These new incursions use sophisticated social engineering tactics, including impersonation phone calls to IT help desks to trigger password resets—a tactic previously linked to the group's operations. Charles Carmakal, CTO of Mandiant Consulting, confirmed the attackers have successfully breached some U.S. companies by deceiving employees over the phone, though he declined to name victims.
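The help-desk reset path described above is one a defender can audit directly. As an added example (not code from the article or any of the firms it quotes), the Python below reviews constructed help-desk reset records against sign-in records and flags phone-channel resets that lack a strong caller-verification step, or that are followed within a short window by a sign-in from an IP the account has never used. Field names, verification labels and the sample records are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real incident records. Field names and the
# verification labels are assumptions for this illustration.
HELPDESK_RESETS = [
    {"ticket": "HD-1001", "user": "alice", "channel": "phone",
     "verified_by": "callback_to_hr_number", "time": "2025-05-14T09:02:00"},
    {"ticket": "HD-1002", "user": "bob", "channel": "phone",
     "verified_by": None, "time": "2025-05-14T09:10:00"},
    {"ticket": "HD-1003", "user": "carol", "channel": "portal",
     "verified_by": "existing_mfa_prompt", "time": "2025-05-14T09:20:00"},
]
SIGNINS = [
    {"user": "alice", "ip": "10.20.0.5", "time": "2025-05-14T09:15:00"},
    {"user": "bob", "ip": "203.0.113.77", "time": "2025-05-14T09:18:00"},
    {"user": "carol", "ip": "10.20.0.9", "time": "2025-05-14T09:25:00"},
]
# Constructed baseline of IPs each account has used before.
KNOWN_IPS = {"alice": {"10.20.0.5"}, "bob": {"10.20.0.6"}, "carol": {"10.20.0.9"}}
# Verification steps a caller cannot satisfy by persuasion alone (assumed labels).
STRONG_VERIFICATION = {"callback_to_hr_number", "existing_mfa_prompt", "in_person"}


def review_resets(resets, signins, known_ips, window_minutes=30):
    """Return (ticket, reason) pairs for an analyst to review.

    A reset is flagged if it came in by phone without a strong verification
    step, and/or if the account then signed in from an unseen IP within the window.
    """
    findings = []
    window = timedelta(minutes=window_minutes)
    for r in resets:
        reasons = []
        if r["channel"] == "phone" and r["verified_by"] not in STRONG_VERIFICATION:
            reasons.append("phone reset without strong verification")
        t0 = datetime.fromisoformat(r["time"])
        seen = known_ips.get(r["user"], set())
        for s in signins:
            if s["user"] != r["user"]:
                continue
            t1 = datetime.fromisoformat(s["time"])
            if t0 <= t1 <= t0 + window and s["ip"] not in seen:
                reasons.append(f"post-reset sign-in from unseen IP {s['ip']}")
        findings.extend((r["ticket"], reason) for reason in reasons)
    return findings
```

Calling `review_resets(HELPDESK_RESETS, SIGNINS, KNOWN_IPS)` on the sample data flags only ticket HD-1002, once for each condition.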
Kroll, another incident response firm, has independently verified that it is responding to retail sector breaches showing the same hallmarks. “Kroll is actively working with clients in the retail sector to defend against attacks that match patterns of activity and indicators that match the actor we track as KTA243,” said Keith Wojcieszek, Kroll’s managing director of global threat intelligence.
Behind the attacks is a style that blends technical cunning with raw manipulation. Scattered Spider, often composed of young English-speaking hackers from the U.S. and U.K., has long exploited human error over brute-force hacking. Its approach relies on tricking insiders, not bypassing firewalls.
The group’s comeback in the U.K. was felt deeply. M&S confirmed earlier this week that customer data had been accessed in the attack, though payment information remained protected. Meanwhile, Co-op suffered a systemwide disruption that caused inventory shortages across its 2,300 locations. The retailer is only now beginning a controlled systems restoration and plans to resume delivery of fresh goods this weekend.
Attributing the incidents hasn’t been simple. While similarities abound, British authorities have yet to pin down the exact method of entry, and a competing claim from ransomware-as-a-service group DragonForce further muddies the waters. DragonForce recently adopted a cartel model, offering its tools to affiliates, making it difficult to distinguish between core operators and contractors.
Adding further weight to the attribution tangle, Palo Alto Networks has observed a rise in similar threat behavior it tracks under the alias Muddled Libra. “Despite recent arrests of individuals tied to Muddled Libra or Scattered Spider, we expect that the techniques they pioneered will continue to be actively used and adapted,” said Sam Rubin, SVP of consulting and threat intelligence at Unit 42. “Proven effective social engineering methods like these are routinely recycled, refined, and re-deployed by threat actors looking to exploit human and system vulnerabilities.”
Security leaders are warning the retail sector not to underestimate the risks posed by these human-driven attacks.
“Social engineering attacks are evolving rapidly – fueled by current events, AI-generated deepfakes, and increasingly convincing impersonation tactics,” said Jordan Avnaim, CISO at Entrust. “For U.S. retailers, topics like tariffs and global trade make ideal bait for threat actors. Defending against these risks requires more than perimeter controls – it demands continuous workforce education, Zero Trust principles, and identity verification that can’t be socially engineered. Security must be a standing board-level conversation, with ongoing investment in both technology and response readiness.”
The Retail & Hospitality ISAC confirmed it is tracking the situation closely and is working with Google to brief member companies on threat intelligence and defenses.
As the cybersecurity community races to respond, one thing is clear: the next phase of cyberwarfare won't be fought solely with malware—it will be fought with manipulation, voice calls, and compromised trust. Retailers, both in the U.S. and abroad, are on notice.