The criminal gang that claims to be behind hacks on Marks & Spencer, the Co-op and Harrods is also targeting American retailers and is likely to have links to the people who attacked MGM Resorts International and Caesars Entertainment casinos in 2023, a Google security researcher said.

“Major American retailers have already been targeted,” Google Threat Intelligence Group chief analyst John Hultquist told NBC News.

The US National Retail Federation acknowledged the threat, saying US retailers were “aware” of the UK attacks and had “taken steps to harden themselves against these criminal groups’ tactics over the past two years”.

Russian-speaking hackers

Hultquist said that similarities between the UK retail attacks and those targeting US casinos in 2023 mean that there is likely to be a direct link between the crimes.

The group behind the casino hacks, made up mostly of English-speaking teens and known as Scattered Spider and other names, worked with Russian-speaking hacking service providers on those hacks.

Hultquist said it appears likely that some of the people involved in the earlier attack waves were behind the UK retail cyber-heists, possibly some of the Russian-speaking hacking service providers.

The English-speaking Scattered Spider hackers are believed to have worked with a ransomware-as-a-service group known as AlphV, BlackCat or Noberus.

The group disappeared in March 2024 after receiving a $22 million (£16.5m) payment from dominant US healthcare payments provider Change Healthcare, which it had hacked, absconding with the funds without paying its affiliate.

While Hultquist suggested members of the Russian-speaking AlphV/BlackCat group were involved in the M&S and Co-op hacks, other researchers have said the link involved members of the English-speaking Scattered Spider group.

Casino hacks

What many researchers have agreed on is that there are strong similarities in methodology between the recent hacks and the MGM/Caesars incidents in 2023.

The MGM/Caesars hackers aggressively targeted one specific industry sector before moving on to another.

The group shifted to financial services in May 2024 and most recently targeting a large number of customers of US corporate cloud data platform Snowflake, including AT&T and others.

As with M&S and the Co-op, MGM casinos faced significant disruption after their systems were hacked, with some floors of casinos shut down and guests left unable to access their rooms via keycards.

Caesars paid millions to the hackers and faced little disruption.

Police have arrested several people allegedly part of Scattered Spider, the English-speaking portion of those operations, including two Americans and two British men.

Arrests

The alleged leader of Scattered Spider, UK citizen Tyler Buchanan, was arrested in Spain in June 2024 while attempting to board a flight to Italy, with Spanish police alleging he had in his possession Bitcoin worth $27m.

Noah Michael Urban was arrested in Florida 2024 for the cumulative theft of about $800,000 in cryptocurrency.

West Midlands Police aided the FBI in the arrest of a 17-year-old juvenile in Walsall in July of last year in connection with the casino hacks.

Remington Ogletree, 19, was arrested in California in November of 2024 on charges related to his alleged involvement in the group.