Local hackers and Russian-speaking cyber criminals stretching UK responses


In 2025, a new breed of cybercriminal hit the UK mainstream: young, English-speaking hackers. Alleged ‘Scattered Spider’ attacks on high-profile UK retailers caused hundreds of millions of pounds’ worth of financial losses. While the emergence of these threat actors has generated considerable media coverage and debate, one aspect has gone under the radar: their impact on law enforcement. The resources required to simultaneously tackle Scattered Spider and Russian-speaking ransomware groups risk creating a systemic challenge for UK law enforcement at a time of budget challenges and rapid technological evolution.

The rise of anglophone teenage cybercriminals 

Scattered Spider are an element of the loose international network of cybercriminals known as ‘the Com’, or ‘the Community’. These individuals are predominantly English speaking, based in North America and Europe, especially the UK and US, and specialise in using their native language skills and cultural awareness to deploy social engineering to compromise victims and carry out crippling attacks. 

Scattered Spider threat actors differ from the professionalised, Russian-speaking cybercriminals who have been behind the most serious cybercrime operations of the past 15 years. These highly profit-motivated threat actors evolved from credit card fraud to banking malware and then, beginning in 2020, ransomware. They are generally more technically sophisticated and target opportunistically to maximise returns. Although the Russian-speaking cybercrime ecosystem is changing, attacks are still well organised, highly effective, and pose a significant national security threat.

Members of Scattered Spider groups are invariably young men, often motivated more by prestige or kudos than pure profit. Recruited from gaming communities and social media, they spend much of their lives online and are frequently involved in cross-threat offending, including cybercrime and sextortion. Reported connections with Russian-speaking ransomware groups, such as DragonForce, risk further intensifying the cybercrime threat, as these groups adopt tactics and collaborate, fusing social engineering expertise with more technically sophisticated malware and exploitation capabilities.

In comparison to most ransomware threat actors, individuals linked to Scattered Spider and the Com reside in jurisdictions where more traditional criminal justice tactics can be applied. In the UK, several of the alleged perpetrators of this summer’s retail attacks have been arrested.

However, just because UK law enforcement can physically reach these kinds of offenders doesn’t mean the problem is solved. Such efforts come with an array of new challenges: Scattered Spider threat actors are often young, sometimes neurodiverse, first-time offenders, requiring a different approach to prosecution. Cybercrime investigations in the UK still utilise the 35-year-old Computer Misuse Act, which was developed in the late 1980s – questions about its suitability for addressing modern cybercrime date back to at least 2002, although it has been periodically updated. There are also challenges around the criminal use of encryption and obtaining and managing large volumes of data as evidence, especially from overseas. 

A dual challenge

Scattered Spider therefore represent an additional challenge for law enforcement on top of those posed by predominantly Russian-speaking cybercriminal groups. Neither high-profile attacks against UK retailers, reportedly perpetrated by Scattered Spider, nor attacks like the one that impacted the UK NHS in the summer of 2024, reportedly by the Russian-speaking Qilin group, can be ignored.

Law enforcement investigations and disruptions against Russian-speaking cybercrime have had to evolve, given the geographical location of the threat actors and technological nature of their criminality. ‘Traditional’ criminal justice outcomes like arrests are less common, with disruptions instead combining tools like sanctions and strategic communications to impact criminal ecosystems. 

Since the 2021 ransomware attacks against the Colonial Pipeline and JBS meats, Western law enforcement investigations have prioritised disrupting international ransomware groups such as Russia-linked Lockbit and the cybercrime ecosystem and infrastructure that support and enable their operations. There are increasing indications that this strategy, alongside improved resilience to ransomware attacks, is working, with ransom payment rates down and the ecosystem fragmenting.

UK law enforcement must therefore work across two fronts: disruption-driven interventions against Russian-speaking groups abroad and more traditional criminal justice responses against Scattered Spider-type threats at home. Both types of response are complex and require different tactics, capabilities, and skill sets to successfully deliver. The Lockbit disruption hinged on the technical infiltration of the group’s infrastructure, whereas offenders in the UK must be arrested. Criminal justice investigations are very resource intensive and can involve everything from CCTV enquiries and interviews to searches, arrests, and managing evidence – each of which can be a complex process on its own. This leaves law enforcement stretched at a time of escalating cyber threats.

The diversity of cybercrime and the different skills and resources required to respond to it pose a systemic challenge. This problem will become more acute as online marketplaces and the proliferation of capabilities increasingly lower barriers to entry for individuals to become involved in cybercrime. It is unlikely that law enforcement, with its present resources, will be able to maintain pressure on Russian-speaking groups and tackle Scattered Spider threats at the same time. 

With significant new resources unlikely, difficult prioritisation decisions will be required. Russian-speaking ransomware still poses the most significant cybercrime threat in terms of the volume of attacks, whilst Scattered Spider attacks are lower in volume but often higher profile. There is a challenging balance to strike. 

The system currently has broadly the right approach and capabilities but lacks capacity, a situation not likely to change soon. A 2023 parliamentary report stated that significant investment should be made to allow the National Crime Agency to more effectively combat cyber threats, but, like the wider public sector, the agency faces struggles around pay and turnover in cyber roles. The refresh of the National Cyber Strategy is an opportunity to recalibrate direction, whilst the forthcoming police reform white paper may represent an opportunity for structural changes in the law enforcement response to cybercrime threats.