SEO: Cybercriminals are using the recent power outages in Spain and Portugal to launch phishing attacks disguised as…

SEO: Cybercriminals are using the recent power outages in Spain and Portugal to launch phishing attacks disguised as TAP Air Portugal, aiming to steal personal and financial data.

Cybersecurity researchers at Cofense Intelligence recently uncovered a deceptive email campaign containing fraudulent messages designed to mimic official communications from TAP Air Portugal, the national airline of Portugal.

This particular scheme exploited a significant news event: the widespread power outage that affected both Spain and Portugal on April 28, 2025. It is worth noting that these malicious emails were distributed while the disruption was still ongoing. This timing suggests the perpetrators’ deliberate attempt to take advantage of the confusion and travel disruptions caused by the outage.

The fake email looked like a legitimate email from TAP Air Portugal claiming that people could receive money back for late or cancelled flights because of European air travel rules. The email also claimed the money would be deposited into their bank account within two days.

The email’s title prompted people to fill out a form for refunds, requiring victims’ personally identifiable information (PII), including names, addresses, contact details, and sensitive financial data. When clicked, users were directed to a fake webpage that appeared to be a form for refunds. However, when they clicked on the Submit button, nothing happened, and their sensitive personal and financial details were transferred to the attackers.

The Fake Email (Source: Cofense)

Cofense Intelligence’s analysis reveals that this campaign was not limited to a single language as the threat actors targeted both Portuguese-speaking and Spanish-speaking individuals. This was evident in the use of two distinct email subject lines.

For Portuguese speakers, the subject line read “Atualização de compensação: atraso em seu voo recente,” translating to “Compensation update: delay in your recent flight.” Simultaneously, Spanish-speaking targets received emails with the subject line “Compensación por su vuelo: Complete su solicitud ahora,” meaning “Compensation for your flight: Complete your request now.”

This multilingual approach underscores the broad scope and careful planning of this phishing attack, researchers noted in their blog post shared exclusively with Hackread.com.

Fake Refund Eligibility Form (Source: Cofense)

This campaign highlights how quickly cybercriminals can exploit real-world events, like the power outage in Spain and Portugal, to conduct phishing attacks. By impersonating a trusted airline and promising compensation, they aim to deceive users into revealing sensitive personal and financial data. Everyone must remain alert and carefully examine any unexpected emails, especially those requesting personal information or financial details.

Scammers Use Spain-Portugal Blackout for TAP Air Refund Phishing Scam

A misconfigured, non-password-protected database belonging to TicketToCash exposed data from 520,000 customers, including PII and partial financial details.…

A misconfigured, non-password-protected database belonging to TicketToCash exposed data from 520,000 customers, including PII and partial financial details.

Cybersecurity researcher Jeremiah Fowler recently discovered a 200GB openly accessible misconfigured database containing over 520,000 records. This exposed database belonged to customers of TicketToCash, a platform for reselling event tickets.

According to Fowler’s report, shared with Hackread.com, it isn’t just about names and email addresses; the data exposure includes partial credit card numbers and physical addresses linked to concert and event tickets.

Additionally, the exposed data included copies of tickets and documents containing Personally Identifiable Information (PII) such as names, email addresses, home addresses, and credit card numbers.

The database’s name suggested it held customer files in various digital formats like PDF, JPG, PNG, and JSON. When Fowler looked at some of these files, he saw many tickets for concerts and other live events, proof of ticket transfers between people, and screenshots of payment receipts that users had submitted. Some of these documents showed partial credit card numbers, full names, email addresses, and home addresses.

Ticket Details Exposed in the leak (Source: vpnMentor)

Internal clues within the files and folders indicated that the data belonged to TicketToCash, an online platform where people can sell their event tickets for concerts, sports games, and theatre shows. The company states that it lists tickets across a network of more than 1,000 other websites.

****TickettoCash Did Not Respond; Database Remained Exposed Until Second Alert****

What’s particularly troubling is the apparent lack of initial response from TicketToCash after being notified. According to Fowler’s investigation, “I immediately sent a responsible disclosure notice to TicketToCash.com, but I received no reply, and the database remained open.”

The database remained publicly accessible until a second notification was sent after which the company secured it, but the files remained exposed in the four days between Fowler’s first and second attempts.

Fowler warns that if this information somehow got into the wrong hands, it could be used for fraudulent purposes like phishing, identity theft, or the creation and resale of fake tickets. Fowler highlighted that “PII and financial details can be valid for years,” meaning the consequences of this leak could be long-lasting. That’s also why the Ticketmaster data breach received widespread media coverage.

He also referenced a 2023 report indicating that a significant percentage of people (11%) buying tickets from secondary markets have been scammed, and noted a dramatic 529%  increase in ticket scams in the UK “costing victims an average of £110 ($145 USD).”

It’s unclear whether TickettoCash directly owned and managed this database or if it was handled by a third-party contractor, how long it was exposed before Fowler found it, and if anyone else might have accessed the information during that time.

Nevertheless, Fowler’s findings highlight a critical responsibility for platforms handling sensitive user data, especially in high-value markets like event tickets. TicketToCash users must remain cautious of phishing attempts, monitor financial accounts, update passwords and switch to multi-factor authentication.

Ticket Resale Platform TicketToCash Left 200GB of User Data Exposed

US and Greek arrests expose 764 network’s global child abuse ring. Leaders face life for orchestrating violent exploitation…

US and Greek arrests expose 764 network’s global child abuse ring. Leaders face life for orchestrating violent exploitation through encrypted apps.

In what can be called one of the most extensive and disturbing cybercrime crackdowns in recent years, the United States and international authorities have arrested two leading figures behind the violent extremist network known as “764,” a group accused of creating a sadistic online operation targeting minors across multiple countries.

Leonidas Varagiannis, 21, an American living in Thessaloniki, Greece, and Prasan Nepal, 20, of North Carolina, were charged with leading an online child exploitation ring that authorities say lasted from 2020 to early 2025.

Both men are alleged to have directed an operation involving the production and distribution of child sexual abuse material (**CSAM**), psychological manipulation of minors, and violent online brainwashing through encrypted platforms.

Varagiannis, known online as “War,” was taken into custody this week in Greece. Nepal, who used the alias “Trippy,” was arrested on April 22 in North Carolina. Both await court proceedings in Washington, D.C., according to a Justice Department announcement made public today.

Federal prosecutors allege that the pair led a subgroup called “764 Inferno,” which operated behind encrypted messaging services. Within this network, victims, some as young as 13, were targeted, bullied, and forced into producing explicit and violent content, often involving **self-harm**. According to court documents, victims were made to carve symbols into their bodies and were sometimes directed to involve others in the abuse.

“This case is one of the most appalling examples of systemic exploitation we’ve ever faced,” said U.S. Attorney Edward R. Martin Jr. “The depth and breadth of what these individuals are accused of doing reflects a level of depravity that shocks the conscience.”

Digital “Lorebooks” compiled by the group contained not only CSAM but also graphic content involving gore and psychological abuse. These files were reportedly used as a form of currency within the 764 network to gain rank, recruit, and control.

The arrests are the latest development in an ongoing investigation that began drawing national attention late last year. In December 2024, **Baron Martin**, then 20, was arrested on charges of producing CSAM and cyberstalking. Martin, too, was linked to the 764 and CVLT networks. Authorities have stated that Martin’s arrest helped unravel the deeper layers of this disturbing online operation.

The FBI’s Washington and New York Field Offices led the investigation, with support from agents in Charlotte and the FBI’s Legal Attaché in Athens. The case is being prosecuted by a team from the US Attorney’s Office for the District of Columbia and the Department of Justice’s Counterterrorism Section.

If convicted, Varagiannis and Nepal face life in federal prison.

****Project Safe Childhood****

The arrests are part of **Project Safe Childhood**, a nationwide initiative launched by the Department of Justice in 2006 to combat online exploitation. Officials say that while these arrests mark a significant victory, they are continuing to pursue others involved in the network.

“These crimes are some of the darkest we’ve seen, but our work will continue until every victim has justice and every perpetrator is held accountable,” said Steven J. Jensen, Assistant Director in Charge of the FBI Washington Field Office.

For families and communities, this case is an example of how digital platforms can be manipulated for extreme harm. The charges remain allegations at this stage, and both defendants are presumed innocent until proven guilty in court.

More on this story as it develops.

Online Child Exploitation Network 764 Busted; 2 US Leaders Arrested

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.…

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign. Learn about the GRU-linked attacks, tactics, and previous incidents like the TV5Monde hack.

France has accused the Russian state-backed hacking group APT28, linked to Russia’s military intelligence agency GRU (Russian General Staff Main Intelligence Directorate), of targeting or compromising a dozen French government and other organizations.

Active since at least 2004 under names like BlueDelta, Fancy Bear, Forest Blizzard, Sednit, and Sofacy; APT28 typically targets government, military, energy, and media in Europe and the US.

Now, a report by the French cybersecurity agency ANSSI has attributed recent attacks on French local government, administration, defence, aerospace, research, finance, and think-tank organizations to APT28.

APT28’s Targets in France since 2021 (Source: ANSSI)

These attacks, primarily aimed at governmental, diplomatic, and research entities in 2024, utilized phishing, vulnerability exploitation, and brute-force attacks for initial access, often relying on inexpensive, outsourced infrastructure.

This infrastructure, as per ANSSI’s report (PDF), includes rented servers, free hosting services, VPNs (Virtual Private Networks), and temporary email addresses. This approach provides flexibility and enhances their ability to remain undetected.  

ANSSI noted APT28’s targeting of Roundcube email servers to distribute the HeadLace backdoor, use of the OceanMap stealer, and phishing campaigns against UKR.NET and Yahoo users, employing compromised routers and other methods to conceal their infrastructure.

France’s Ministry for Europe and Foreign Affairs strongly condemned Russia’s use of APT28, highlighting past attacks on the 2024 Olympics, and attempted interference in the 2017 elections. They emphasized that such actions violate UN norms of responsible state behaviour in cyberspace and pledged to counter Russia’s malicious cyber activities.

“France condemns in the strongest terms the use by Russia’s military intelligence service of the APT28 attack group, at the origin of several cyber-attacks on French interests,” the French foreign ministry’s statement read.

****France Accused APT28 of Impersonating ISIS Hackers****

Hackread.com has been following the activities of APT28, with a previous report linking it to a 2015 cyberattack on TV5Monde. Initially, that attack was attributed to a group posing as ISIS/ISIL militants, known as “CyberCaliphate,” who claimed responsibility by posting pro-ISIS messages on the broadcaster’s social media and temporarily blacking out their global TV channel.

However, subsequent investigations revealed matching IP addresses and techniques used by APT28, leading French authorities and cybersecurity experts to suspect Russian government involvement.

A similar cyberattack targeted the BBC’s live transmission in April 2015. However, it remains unclear whether the British government linked the incident to APT28 or acknowledged its impersonation tactics.

Nevertheless, this pattern of targeted activity indicates APT28’s persistent threat to France and other nations. It also suggests efforts to gather strategic intelligence and influence public perception within French society.

From TV5Monde to Govt: France Blames Russia’s APT28 for Cyberattacks

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides itself, and even modifies core files like wp-cron.php for persistence. Stay protected.

Security researchers at Wordfence recently uncovered a tricky piece of malware targeting WordPress websites. This malicious software is designed to look like a genuine anti-malware plugin, often appearing in the file system with names such as ‘WP-antymalwary-bot.php’.

According to Wordfence Threat Intelligence Team’s technical blog post, this fake plugin contains several dangerous capabilities. Such as, it allows attackers to control an infected website, hide from the WordPress admin dashboard, and execute malicious code remotely. It also has a “pinging” function that sends information back to a C&C server, spreads into other directories, and injects harmful JavaScript, which is then used to display unwanted advertisements.

Further analysis revealed that the malware uses a check_plugin GET parameter for status checks and, more dangerously, an emergency_login GET parameter for immediate admin access by providing a password. It also uses the REST API for remote code execution via a POST request to execute_admin_command, enabling cache clearing or injecting PHP code into theme headers. The hide\_plugin\_from\_list function conceals it from the admin dashboard.

The malware often comes with a modified wp-cron.php file that can reactivate the plugin if removed, meaning even if the plugin file is deleted, the malicious code in wp-cron.php can reinstall it upon the next site visit, ensuring persistence.

An updated version reports to a C&C server (45.61.136.85) and differently handles code injection by fetching from a foreign ads.php file and injecting JavaScript into the header. It also stores ad server URLs, anticipating future use.

Initial infection likely occurs via wp-cron.php, possibly through compromised hosting or FTP credentials. The malware has been seen under names like WP-antymalwary-bot.php and addons.php.

According to the company’s blog post, the issue was discovered on January 22, 2025, during a website cleanup performed by a Wordfence security analyst after which a specific malware signature (a unique identifier for the malicious code) was released.

Since then, many new versions of this malware have emerged, but Wordfence confirms that their original signature from January is still effective at detecting them. To provide an extra layer of security, a firewall rule (a set of instructions to block malicious activity) was released on April 23, 2025, for Wordfence Premium, Care, and Response users, preventing the execution of the malware file. Free Wordfence users will receive this additional protection on May 23, 2025.

This WordPress malware, cleverly disguised as a security plugin, demonstrates the persistent and increasingly sophisticated threats targeting website owners. Its advanced persistence mechanism makes thorough cleanup crucial for affected websites. Lastly, website owners are strongly advised to stay informed about emerging threats, utilize reputable security plugins, and ensure timely updates to protect their sites effectively.

Sneaky WordPress Malware Disguised as Anti-Malware Plugin

Retailer Acts Swiftly to Limit Threat as UK Retail Sector Faces Growing Digital Risks

The Co-operative Group has confirmed it shut down parts of its IT network after detecting an attempted cyberattack, in what is the latest incident to affect a major UK retailer. The move was described as precautionary and aimed at containing the threat before any systems could be compromised.

Although the shutdown affected internal functions such as virtual desktops, stock systems, and contact centre operations, Co-op reassured the public that all food stores, home delivery services, and funeral operations are running as normal.

“There is no evidence that customer data has been accessed,” the company said in a statement. “We took swift action to protect our systems and continue to monitor the situation closely.”

This incident follows a more disruptive attack on M&S (Marks & Spencer) earlier this month, which impacted contactless payments, and online orders, and led to temporary stock shortages. That breach was linked to the cybercriminal group known as Scattered Spider, which has previously targeted large organisations across the US and UK.

At this time, there is no confirmed connection between the two incidents, but cybersecurity analysts say the timing raises questions about coordinated threats aimed at UK retail.

Scattered Spider, also known for targeting MGM Resorts in 2023 and its social engineering tactics and use of legitimate IT tools for malicious purposes has gained notoriety for bypassing traditional security measures by targeting employees directly. Their suspected involvement in the M&S breach has prompted heightened alertness across the sector.

Co-op has brought in external cybersecurity experts and is working with law enforcement as part of an ongoing investigation. While the company has not provided a timeline for full system restoration, it emphasised that day-to-day operations will continue uninterrupted for customers.

Scott Dawson, CEO of payment processor DECTA, commented on the Co-op cyberattack, warning that “retailers can no longer afford to treat resilience as optional.” He pointed to recent breaches, including at Marks & Spencer, as evidence that outdated systems and fragmented security can’t withstand modern threats.

Dawson stressed the need for standardized resilience metrics and proactive, built-in recovery strategies, saying that without them, businesses risk system-wide breakdowns and lasting damage to customer trust.

The attack adds to growing concern over cybersecurity in retail, a sector increasingly targeted due to its reliance on digital infrastructure and high volumes of sensitive customer information.

Retailers are now facing increased pressure to balance seamless digital experiences with robust security controls. Co-op’s quick response may have prevented a more damaging breach, but it also reflects the rising frequency and sophistication of attacks facing businesses of all sizes.

UK Retail Giant Co-op Shuts Down IT Systems After Cyberattack Attempt

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.…

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.

Google’s Threat Intelligence Group (GTIG) has released its findings for 2024, revealing a slight decrease in the exploitation of zero-day vulnerabilities compared to the previous year, with 75 instances tracked. However, GTIG emphasizes that this decrease is likely a temporary fluctuation within an overall upward trend of zero-day exploitation.

The M-Trends 2025 report, based on extensive incident investigations in 2024, highlights that while exploits remain the most common initial access point for attackers, the use of stolen credentials is on the rise, with the financial sector being the primary target. The report further details that the most common initial infection vector in observed attacks was via exploits (33%), followed by stolen credentials (16%), and email phishing (14%). Here’s a detailed breakdown:

(Source: Google)

Notably, there was a continued rise in attacks targeting enterprise-specific technologies, accounting for 44% of all zero-days exploited, primarily focusing on security and networking products. Cyber espionage actors, including government-backed groups and commercial surveillance vendors, remained the leading culprits behind attributed zero-day exploits, making up over half of the total. For the first time, North Korean actors were credited with exploiting the same number of zero-days as groups linked to China.

Simultaneously, Google Cloud Security is focusing on empowering security teams against such threats, especially with the integration of Artificial Intelligence. To combat these threats, Google has launched Google Unified Security, a platform that converges threat intelligence from Mandiant with security operations, cloud security, and secure enterprise browsing, all enhanced by Gemini AI, and aimed at enabling proactive security measures.

Source (Google)

Specifically, Google Security Operations now offers “Curated Detections” and “Applied Threat Intelligence Rule Packs” based on M-Trends 2025 findings to help detect malicious activities like infostealer malware and cloud compromise.

Google is also focusing on the development of “agentic AI” in security operations, utilizing intelligent AI agents to automate routine tasks like alert triage, investigation, response, threat research, and detection engineering. These agents are designed to learn and act autonomously, allowing security teams to focus on more complex threats. Google has introduced AI-powered features like an alert triage agent and a malware analysis agent, with plans for further development in their “SecOps Labs.”

Furthermore, the tech giant is aiming for an “agentic SOC” where AI enhances and automates security workflows. The tech giant is also promoting open standards like the Agent2Agent protocol and open-sourcing their Model Context Protocol (MCP) servers for interoperability between different security tools and vendors.

Casey Charrier, Senior Analyst at Google Threat Intelligence Group, told Hackread.com that while zero-day exploitation is growing steadily, efforts by major vendors are reducing attacks on historically targeted products. However, threat actors are now shifting focus to enterprise tools, highlighting the need for broader vendor action.

Google Introduces Agentic AI to Combat Cybersecurity Threats

China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…

China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.

Citizen Lab reveals a targeted spear phishing campaign aimed at Uyghur activists, deploying surveillance malware disguised as a legitimate Uyghur language tool. Learn about the attack methods and suspected Chinese government involvement.

In March 2025, several leading figures within the World Uyghur Congress (WUC), an international organization based in Munich that advocates for the rights of the Uyghur people, became the targets of a carefully orchestrated cyber espionage attempt.

Researchers at the University of Toronto’s Citizen Lab report that these individuals received warnings from Google, indicating that their online accounts were under attack, allegedly, by state-sponsored actors. 

Google Alerts Sent to WUC (Source: The Citizen Lab)

The method used in this campaign was spear phishing, which is a targeted form of attack where emails are crafted to appear legitimate and trustworthy to specific individuals. In this case, the malicious emails impersonated a known contact from a partner organization of the WUC.

Phishing Email (Source: The Citizen Lab)

These emails contained links to Google Drive, which, if clicked, would lead to the download of a password-protected archive file. This archive held a compromised version of UyghurEditPP, a genuine open-source word processing and spell-check tool specifically designed for the Uyghur language.

The recipients had no idea that this seemingly harmless application was Trojanized, meaning it contained a hidden backdoor. Once the infected UyghurEditPP was executed on a victim’s computer, this backdoor would silently gather system information, including the machine name, username, IP address, operating system version, and a unique hash derived from the hardware. This data was then transmitted to a remote command-and-control (C2) server.

The server’s operators could then send instructions back to the infected device, enabling them to perform various malicious actions such as downloading files from the target, uploading additional malicious files (including further malware), and executing commands through uploaded plugins. 

The Citizen Lab’s analysis of the campaign’s infrastructure reveals two distinct command-and-control clusters. The first, likely active between June 2024 and February 2025, used domain names mimicking the UyghurEditPP tool’s developer (gheyretcom, gheyretnet, and uheyretcom).

The second, targeting the WUC between December 2024 and March 2025, used subdomains registered through Dynu Services, incorporating Uyghur words but not directly referencing the tool or its developer.

Both clusters shared the same Microsoft certificate and used IP addresses belonging to Choopa LLC, a hosting provider used by various cyber threat actors. This dual infrastructure either indicates attackers’ shifting tactics or targeting of different segments within the Uyghur community.

Furthermore, researchers highlighted the high level of social engineering in the delivery method of the surveillance malware, which itself was not as technologically advanced. The attackers demonstrated a deep understanding of the Uyghur community, leveraging the trust of the original developer of UyghurEditPP, known to members of the WUC.

This suggests a highly customized and targeted operation, possibly beginning in May 2024. The campaign likely involved (PDF) ties to the Chinese government, aligning with their known efforts to conduct transnational repression against the Uyghur community.

China Hackers Used Trojanized UyghurEditPP App to Target Uyghur Activists

Frankfurt am Main, Germany, 30th April 2025, CyberNewsWire

**Frankfurt am Main, Germany, April 30th, 2025, CyberNewsWire**

**Link11 has fully integrated DOSarrest and Reblaze to become one of Europe’s leading providers of network security, web application security, and application performance**

Link11, DOSarrest, and Reblaze have combined their strengths into a single, integrated platform with a new brand identity. The result: a consistent user experience, maximum efficiency, and seamless security. As a European provider, Link11 addresses the current business risks associated with geopolitical uncertainties and growing compliance requirements. At the same time, the company secures business-critical processes worldwide through the synergies created.

With the acquisitions of DOSarrest in 2021 and Reblaze Technologies in 2024, Link11 has expanded its market position. The new Link11 WAAP (Web Application and API Protection) SaaS platform combines comprehensive DDoS protection against web attacks with ML-based adaptive security and API protection. The result is an unmatched combination of adaptive real-time traffic filtering, AI-powered bot detection, and a next-gen web application firewall for secure and encrypted interactions in a single suite.

At the end of 2023, Link11 secured an investment of €26.5 million from Pride Capital Partners. This financing will support the company’s planned product developments and international go-to-market strategy.

**Maximum security through proprietary, sovereign cloud infrastructure and artificial intelligence**

Link11 is setting new standards in protection against DDoS attacks by using its own AI-based technology. The patented DDoS filter secures all traffic within the Link11 cloud – faster and more efficiently than conventional solutions. The advantages over competitors lie in users’ full control over scaling and intelligent real-time analysis of traffic, as well as continuous learning from attacks.

While other providers rely on third-party infrastructures such as AWS or Google, Link11 controls its own cloud infrastructure. This allows protection mechanisms to work in real time – without delays that can have critical consequences in a DDoS attack. As one of Europe’s leading IT security providers, Link11 enables platform-independent protection, even in multi-cloud environments.

**Technological independence as a security factor**

The solution is designed for workloads in any cloud environment. Link11’s network was developed specifically for modern cybersecurity requirements and sovereignty. It strengthens security at the network edge, accelerates global content delivery, and provides resilience and data sovereignty.

> Jens-Philipp Jung, founder and CEO of Link11: “Cybersecurity today means resilience against threats and outages. European companies that set global standards in data protection should also insist on independence when it comes to their cyber resilience. Especially in times of geopolitical uncertainty, sovereign, powerful and trustworthy IT solutions are needed. With Link11, we are demonstrating what European cutting-edge technology can achieve: maximum resilience, top performance and uncompromising compliance – independently and confidently”.

**European companies should rely on an EU-based DDoS protection provider**

Recent surveys of cybersecurity managers show that, given the option, independent and trustworthy security solutions from Europe will be used more in the future. Link11 has been successfully providing its services to companies such as financial institutions, media companies, retail and logistics companies, and the public sector for many years. With a strong brand and a multi-layered security approach, Link11 helps its customers reduce their dependence on cybersecurity. The goal is to make security architectures more resilient – technologically, functionally, and geopolitically. 

YouTube link: Link11 – Always at your side

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications and avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With ISO 27001 certification, it meets the highest standards in data security.  

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 brings three brands together on one platform with new branding

The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe…

The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe impact of the incident on M&S, including contactless payment failures, online delivery delays, and significant stock shortages in physical locations.

The recent cyber-attack that significantly disrupted operations at the British retailer Marks & Spencer (M&S) has now been linked to a notorious hacking collective known as Scattered Spider, the same group implicated in the high-profile 2023 attack on MGM Resorts.

As per Hackread.com’s initial report on April 23, 2025, the attack resulted in the shutdown of contactless payment systems, the Click and Collect order service, and delays in online deliveries, causing customer frustrations over the inability to use these crucial services. The report also noted that M&S had paused online orders and that cyber security experts believed the symptoms were consistent with a ransomware attack, where data is encrypted, and a ransom is demanded for its release.

The latest updates reveal astonishing details. Reportedly, hackers’ initial access to M&S’s systems may have occurred much earlier, in February, when they, allegedly, stole the NTDS.dit file from the Windows domain. This file is a crucial database containing all the user accounts and passwords for a Windows network managed by Active Directory Services. Obtaining and cracking this file would have provided the attackers with a list of plain-text passwords, enabling them to move laterally across the M&S network and gain control over more systems.

Following this initial access, investigation reveals that the attackers deployed the DragonForce encryptor against M&S’s virtual machines running on VMware ESXi hosts, with the main attack being launched on April 24th. Investigators have now pointed towards Scattered Spider as the responsible group.

The incident has had a significant impact, extending beyond crippling online services. The company has admitted to “pockets of limited availability” in its physical stores, with customers reporting empty shelves nationwide, suggesting disruptions to the supply chain. Moreover, online purchases have been paused, and gift card transactions are still affected.

The financial impact is significant, with around £650 million reportedly wiped off M&S’s stock market valuation and estimated daily losses from the online sales suspension could be around £3.5 million.

The retailer has been tight-lipped about the specifics of the cyber-attack and the timeline for full recovery, stating that taking systems offline was a proactive measure leading to the current shortages and is working to restore normalcy. However, in-store staff anticipate disruptions could last another week.

As per Hackread.com’s assessment of Scattered Spider, it is a unique hacking group that doesn’t operate as a cohesive unit but as a collection of individuals who vary with each attack, making them hard to track. They are known for using advanced social engineering and BlackCat ransomware.

Many members are believed to be native English speakers from Western Europe and the USA. Although some members were arrested in the USA and UK, Scattered Spider remains active and dangerous, as shown by their alleged involvement in the M&S cyber-attack, highlighting their continued ability to disrupt major organizations.

Source

HackRead