The "Gen Z" hackers left supermarket shelves empty and then attacked insurance companies and airlines. Now the British police have struck.


The gang has kept IT experts busy in recent weeks. "Scattered Spider," as the group calls itself, is responsible for a series of high-profile cyberattacks. At the beginning of May, the criminal organization left shelves empty in British supermarkets. Retailer Marks & Spencer was forced to suspend its online business for seven weeks. The loss of profits: £300 million.
Shortly thereafter, the same hacker group attacked several insurance companies in the US. Their latest victims are airlines. First, the hackers penetrated the systems of Hawaiian Airlines and Westjet, and then, a few days ago, those of Australian Airlines. There, they stole the data of six million customers, including names, birthdays, email addresses, phone numbers, and frequent flyer numbers.
Now, British police have achieved a success. On Thursday, they arrested four suspected members of "Scattered Spider." They are allegedly involved in the cyberattacks on three British retailers two months ago. What is striking is the young age of those arrested: They are a 17-year-old, two 19-year-old men, and a 20-year-old woman.
Last year, there were already arrests and five charges filed in the US. The accused were between 20 and 25 years old and from the US. Due to their age, the media referred to them as "Gen Z" hackers; many of them apparently met on gaming forums. In addition to their young age, it is noteworthy that the identified members of "Scattered Spider" do not come from Eastern Europe or Russia, but from Western countries, primarily the US and Great Britain.
Whether the recent arrests will cause lasting damage to the criminal gang remains unclear. According to analyses by the security firms Crowdstrike and Halcyon, "Scattered Spider" consists of approximately four core members who act as project managers. These individuals select potential victims and coordinate other participants or entire groups. In total, the criminal ring could include up to 1,000 people, an FBI representative said last year.
"Scattered Spider" is structured like a company, working with temporary employees in numerous countries. The gang also procures criminal services from other groups that specialize in, for example, IT system intrusion, computer encryption, or extortion.
Not all attacks appear to follow the same pattern. This distinguishes "Scattered Spider" from pure ransomware groups that penetrate IT networks, steal data, encrypt the systems, and then demand payment. "Scattered Spider" does not encrypt data in every case. It has not developed its own encryption malware, known as ransomware, for this purpose. Instead, the group uses various types of extortion software, making it a business partner of the ransomware groups.
«Scattered Spider» calls the company's help desk
What's remarkable about "Scattered Spider" is that it gains access to its victims' systems by manipulating employees. "They rely entirely on human behavior," Ferhat Dikbiyik of the cybersecurity firm Black Kite told the Wall Street Journal. "They'd rather be let in through the door than break in."
This approach is called social engineering: The hackers call a company's IT helpdesk and pretend to be an employee who has locked themselves out of their email account. They then use a method called SIM swapping to intercept the text messages the employee receives during multi-factor authentication. This allows them to gain access to the IT systems to steal data or install ransomware.
The same seven voices have called various help desks in recent months, report cybersecurity experts familiar with the methods used by "Scattered Spider."
Group has been active for years
The hacker group first attracted attention in 2023 when they successfully hacked several casinos in Las Vegas. At that time, they caused significant damage, including to the casino operator MGM Resorts International: slot machines were disabled for several days, and digital room keys no longer worked. The damage amounted to approximately $100 million.
Last year, the group was less active, possibly due to pressure from investigators. But this spring, "Scattered Spider" came back with a vengeance. To date, the "Scattered Spider" criminals have largely followed the same modus operandi, Adam Meyers of Crowdstrike told Wired. "Once they find a company they can successfully penetrate, they ask themselves, 'Who are their competitors, who else can we target?'" They then move on to the next sector. So far, with success.
nzz.ch