Scattered Spider (UNC3944) gained initial access to M&S systems as early as February 2025 via social engineering of the third-party IT service desk (vishing/impersonation). Attackers exfiltrated the NTDS.dit Active Directory database, cracked hashes offline to obtain cleartext credentials, then deployed DragonForce ransomware against VMware ESXi hosts on 24 April 2025, encrypting VMs supporting e-commerce, payments, and logistics. Online sales suspended for ~5 days; estimated daily losses £3.8 million ($5.1 million). Total stock market value impact: £500+ million ($668+ million). Four suspects arrested by NCA 10 July 2025 in connection with M&S and Co-op attacks. M&S Chairman Archie Norman confirmed the social-engineering vector publicly. Sister attacks: Co-op and Harrods targeted in same campaign.