NCA arrests four in connection with UK retail ransomware attacks
(2025/07/10)
- Reference: 1752147195
- News link: https://www.theregister.co.uk/2025/07/10/nca_arrests_four_in_connection/
- Source link:
The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved with the big three cyberattacks on UK retail businesses in recent weeks.
The agency confirmed it arrested all four in their homes this morning. The suspects included two young men from the West Midlands, a Brit aged 17 and a Latvian national aged 19; one 19-year-old British man from London; and a British woman aged 20 from Staffordshire.
Senior officials at the NCA said the four individuals are thought to be involved in [1]all three retail attacks on M&S, Co-op, and Harrods.
[2]
Details about the quartet and their identities are being kept largely under wraps by officers for various reasons, including affording them a right to a fair trial, safeguarding concerns, and for other matters which are not reportable at this time.
[3]
[4]
The NCA noted:
"There has been speculation around the identities of those suspected to be behind these attacks. It is important to note that we are unable to identify (name) those arrested today, as they are yet to be charged or convicted with any offences. This investigation remains at an early stage and it is important these individuals' right to a fair trial is protected.
[5]
"Their home addresses have been omitted and the location of arrests has been left intentionally limited. We are unable to be more specific on locations at this stage, as there are a number of significant safeguarding concerns in relation to those arrested that the NCA and partners are required to manage."
NCA officers arrested the four individuals in the early hours of the morning on June 10, and said they have seized the quartet's electronic devices, which will be forensically analyzed for additional evidence.
They remain in custody for police questioning, and the NCA was unable to confirm for how long they will be held.
[6]
All four were charged with offences under the [7]Computer Misuse Act , and for alleged offences related to blackmail, money laundering, and participating in the activities of an organized crime group.
[8]Experts count staggering costs incurred by UK retail amid cyberattack hell
[9]M&S online ordering system operational 46 days after cyber shutdown
[10]British govt agents step in as Harrods becomes third mega retailer under cyberattack
[11]Marks & Spencer admits cybercrooks made off with customer info
Deputy director Paul Foster, head of the NCA's National Cyber Crime Unit, said: "Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency's highest priorities.
"Today's arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.
"Cyberattacks can be hugely disruptive for businesses, and I'd like to thank M&S, Co-op, and Harrods for their support to our investigations. Hopefully, this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help."
Officials said they also wished to thank the three victims and local police forces tasked with the arrests for their cooperation that led to today's operational activity. ®
Get our [12]Tech Resources
[1] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2022/02/08/labour_computer_misuse_act_reform_questions/
[8] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[9] https://www.theregister.com/2025/06/10/ms_resumes_online_orders_46/
[10] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/
[11] https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/
[12] https://whitepapers.theregister.com/
The agency confirmed it arrested all four in their homes this morning. The suspects included two young men from the West Midlands, a Brit aged 17 and a Latvian national aged 19; one 19-year-old British man from London; and a British woman aged 20 from Staffordshire.
Senior officials at the NCA said the four individuals are thought to be involved in [1]all three retail attacks on M&S, Co-op, and Harrods.
[2]
Details about the quartet and their identities are being kept largely under wraps by officers for various reasons, including affording them a right to a fair trial, safeguarding concerns, and for other matters which are not reportable at this time.
[3]
[4]
The NCA noted:
"There has been speculation around the identities of those suspected to be behind these attacks. It is important to note that we are unable to identify (name) those arrested today, as they are yet to be charged or convicted with any offences. This investigation remains at an early stage and it is important these individuals' right to a fair trial is protected.
[5]
"Their home addresses have been omitted and the location of arrests has been left intentionally limited. We are unable to be more specific on locations at this stage, as there are a number of significant safeguarding concerns in relation to those arrested that the NCA and partners are required to manage."
NCA officers arrested the four individuals in the early hours of the morning on June 10, and said they have seized the quartet's electronic devices, which will be forensically analyzed for additional evidence.
They remain in custody for police questioning, and the NCA was unable to confirm for how long they will be held.
[6]
All four were charged with offences under the [7]Computer Misuse Act , and for alleged offences related to blackmail, money laundering, and participating in the activities of an organized crime group.
[8]Experts count staggering costs incurred by UK retail amid cyberattack hell
[9]M&S online ordering system operational 46 days after cyber shutdown
[10]British govt agents step in as Harrods becomes third mega retailer under cyberattack
[11]Marks & Spencer admits cybercrooks made off with customer info
Deputy director Paul Foster, head of the NCA's National Cyber Crime Unit, said: "Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency's highest priorities.
"Today's arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.
"Cyberattacks can be hugely disruptive for businesses, and I'd like to thank M&S, Co-op, and Harrods for their support to our investigations. Hopefully, this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help."
Officials said they also wished to thank the three victims and local police forces tasked with the arrests for their cooperation that led to today's operational activity. ®
Get our [12]Tech Resources
[1] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aG_jljUqSuU4e1E_5JKOsQAAAYE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2022/02/08/labour_computer_misuse_act_reform_questions/
[8] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[9] https://www.theregister.com/2025/06/10/ms_resumes_online_orders_46/
[10] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/
[11] https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/
[12] https://whitepapers.theregister.com/
Sorry to be pain, but how in hell, these days, is this sort of thing possible? We all know about ransomware attacks. We all know we might be forced into a bare-metal restore of some or all of our systems. How is it possible that these sort of attacks can cause the sort of disruption they do?
Of course proper, real-time, bare-metal-restore-ready backups are a pain: they're expensive, they potentially force users into ways of working they may prefer not to have to cope with, and so on. But if the alternative is that your business loses £300m+, that's a pretty small price to pay.