Hacking Group That Wreaked Havoc on Las Vegas Appears to Be Back -- WSJ

Dow Jones
2025/05/06

By Robert McMillan

The hacking group that once shut down half the Las Vegas Strip has returned and is causing turmoil at U.K. retailers.

The hackers call themselves Star Fraud but are more widely known as Scattered Spider, a collective of largely young men and teenagers that have wreaked havoc across industries in recent years.

U.K. retailers Harrods, Marks & Spencer and Co-op have all reported cyber intrusions in the past two weeks. Scattered Spider hasn't been publicly named as the culprit of the hacks, but is suspected in at least some of them, according to people familiar with the investigation.

The attacks bear all the hallmarks of Scattered Spider attacks, disrupting online sales and certain payments and leading to the theft of customer data. The stores have remained open.

The group's hackers "typically work their way through a sector, so other retailers should take the opportunity to harden their defenses," said John Hultquist, chief analyst with Google's Mandiant cybersecurity investigations group.

Scattered Spider represents a new kind of cyber threat. Often, the hackers will use a variety of techniques to enter and then move about within corporate networks. Then, they find ways to steal data or lock up workstations with special software, grinding corporate operations to a halt and demanding millions of dollars in extortion payments, according to security researchers.

They have also been known to take unusual steps once they have broken in. This includes posting offensive phrases and eggplant emojis in group discussions or even logging into incident response meetings relating to their own hacks. They have made unusual demands related to business operations and even called family members of executives at companies they have hacked, researchers say.

In November, U.S. authorities announced the arrest of five hackers, who researchers have linked to the Scattered Spider gang, saying that they had been operating since at least 2022 and targeted at least 45 companies in the U.S., the U.K., Canada and India.

After those arrests, the group seemed to go silent, according to Google and other firms that investigate cyber intrusions.

Scattered Spider is proving to be more resilient than some investigators had imagined, Hultquist said. "Obviously what we're doing isn't working," he said. "It's gone on for far too long." Last week, Google sent out a note advising customers on how to protect themselves from Scattered Spider, according to a copy viewed by The Wall Street Journal.

On Sunday, the National Cyber Security Centre, part of the U.K.'s intelligence agency, said it was working with affected retailers and issued new guidance on how companies can protect themselves from attacks. The NCSC said it was trying to understand "if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all."

A Harrods spokeswoman said on Monday that the company had not heard from the hackers in its cyber incident. Co-op said its hackers stole a significant amount of data from the company, including customer names and contact information. As of Monday, Marks & Spencer has paused processing of online orders for 10 days because of a cyberattack, the company said.

Scattered Spider is one branch of a community of online hackers, known as the Com, who cut their teeth cheating in videogames and taking over game and social-media accounts. Nearly a decade ago, they began stealing cryptocurrency and over the past five years they have made dozens of corporate intrusions.

Because they are often native English speakers, Com hackers are very good at breaking into companies by pretending to be remote users locked out of their corporate accounts, a technique known as social engineering.

In its guidance, the U.K. cybersecurity agency urged companies to be careful about protecting logins and reviewing the way corporate help desks reset user passwords.

The attacks are worrying because of the economic damage attributed to Scattered Spider. In the Las Vegas case, the hack cost MGM Resorts about $110 million, which was covered by cyber insurance.

Write to Robert McMillan at robert.mcmillan@wsj.com

 

(END) Dow Jones Newswires

May 05, 2025 23:00 ET (03:00 GMT)

Copyright (c) 2025 Dow Jones & Company, Inc.
