
Hackers Now Targeting US Retailers After UK Attacks, Google

Hackers from the Scattered Spider group, known for UK retail attacks, are now targeting US retailers, Google cybersecurity experts have warned.

The notorious cybercriminal group Scattered Spider is now actively targeting retail companies in the United States, following a string of disruptive attacks against similar businesses in the United Kingdom.

This warning comes directly from cybersecurity experts at Google Threat Intelligence Group (GTIG) and Google subsidiary Mandiant, who highlight the group’s effectiveness at bypassing even strong security measures.

“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” John Hultquist, Google’s cybersecurity analyst, stated.

It is worth noting that Scattered Spider (aka UNC3944) is the primary suspect in the recent attacks on UK retail giants Harrods, Co-op, and M&S, but the UK’s National Cyber Security Centre (NCSC), Mandiant and Google have not formally attributed them to any specific actor as yet. However, GTIG researchers suggest that the hackers targeting US retailers share similar techniques and procedures with the culprits behind the British incidents.

Researchers noted a possible link between DragonForce ransomware operators and Scattered Spider. The former took responsibility for attempted recent attacks on several UK retailers, using tactics similar to Scattered Spider. Moreover, both were associated with the now-defunct RaaS platform RansomHub.

However, GTIG could not confirm the link between UNC3944/DragonForce and rising retail data leaks. Still, the increasing presence of retail victims on data leak sites (11% in 2025, up from previous years) suggests that threat actors find this sector attractive due to large PII/financial data holdings and their willingness to pay ransom to maintain transaction processing.

As per Hackread.com’s past reporting, Scattered Spider is a financially motivated threat actor known for using social engineering techniques. They gained notoriety for hacking casino giants MGM Resorts International and Caesars Entertainment in 2023. They initially targeted telecommunications companies for SIM swapping and later started deploying ransomware to extort victims.

They are also known for phishing attempts and MFA bombing, where they bombard targets with multi-factor authentication requests. Typically, UNC3944 goes after established enterprises, specifically organizations with large help desks and outsourced IT departments, as these are more vulnerable to their sophisticated social engineering techniques.
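The MFA bombing described above leaves a recognisable trace in identity-provider logs: a burst of push prompts to one user, a run of denials, and often a final approval from a worn-down user. The detection logic below is an added example, not code from the article, Google or Mandiant; the log format, field names, threshold and window are constructed assumptions to be mapped onto your own IdP's push events.

```python
"""Flag possible MFA push-bombing (MFA fatigue) in authentication logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): ISO timestamp, user, push outcome.
SAMPLE_LOG = """\
2025-05-14T02:01:03Z alice PUSH_SENT
2025-05-14T02:01:04Z alice PUSH_DENIED
2025-05-14T02:01:20Z alice PUSH_SENT
2025-05-14T02:01:22Z alice PUSH_DENIED
2025-05-14T02:01:45Z alice PUSH_SENT
2025-05-14T02:01:47Z alice PUSH_DENIED
2025-05-14T02:02:10Z alice PUSH_SENT
2025-05-14T02:02:30Z alice PUSH_APPROVED
2025-05-14T08:15:00Z bob PUSH_SENT
2025-05-14T08:15:05Z bob PUSH_APPROVED
"""

PUSH_THRESHOLD = 4             # pushes to one user ... (assumed tuning)
WINDOW = timedelta(minutes=5)  # ... within this sliding window

def parse_line(line):
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome

def detect_push_bombing(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: {"pushes": n, "approved_after_denials": bool}} for each
    user who received `threshold` or more pushes inside any `window`.
    An approval that follows a run of denials is the highest-risk pattern."""
    recent = defaultdict(deque)   # user -> PUSH_SENT timestamps still in window
    denials = defaultdict(int)    # user -> denials since the last approval
    alerts = {}
    for line in log_text.splitlines():
        ts, user, outcome = parse_line(line)
        if outcome == "PUSH_SENT":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes older than window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(user, {"pushes": 0, "approved_after_denials": False})
                entry["pushes"] = len(q)
        elif outcome == "PUSH_DENIED":
            denials[user] += 1
        elif outcome == "PUSH_APPROVED":
            if user in alerts and denials[user] > 0:
                alerts[user]["approved_after_denials"] = True
            denials[user] = 0
    return alerts
```

Treat a hit with `approved_after_denials` set as a likely compromised session: revoke it and re-verify the user out of band rather than trusting the approval.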

GTIG’s analysis reveals that, since early 2023, UNC3944 has targeted a diverse range of sectors, including Technology, Telecommunications, Financial Services, Business Process Outsourcing (BPO), Gaming, Hospitality, Retail, and Media & Entertainment organizations. Geographically, their primary targets have been even more diverse, including the US, Canada, the UK, Australia, Singapore and India.

Image: Google

The Retail & Hospitality ISAC, an information-sharing group that includes major players like Albertsons, Costco, McDonald’s, and Lowe’s, has acknowledged the threat and is working with Google to provide its members with detailed briefings and guidance on how to strengthen their defences against this evolving threat. The warning from Google serves as a clear signal for US retailers to be on high alert and to review their security protocols.

Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform, commented:

Scattered Spider (UNC3944) uses sophisticated social engineering to infiltrate and deploy ransomware. To defend against this group, secure privileged accounts, implement phishing-resistant MFA, and verify every help-desk identity request.

Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments, Chad warned. However, organizations with valuable data and critical availability needs are equally at risk.
