Four individuals in Britain were arrested early on Thursday morning by the National Crime Agency on suspicion of involvement in a range of ransomware attacks targeting the British retail sector earlier this year.
The individuals are a 20-year-old British woman from Staffordshire, a 19-year-old Latvian male from the West Midlands, a 19-year-old British man from London and a 17-year-old British male from the West Midlands.
All four are now in custody having been arrested at home, and the NCA said its officers have seized their electronic devices for forensic analysis.
The individuals are suspected of involvement in three incidents in April impacting British retailers Marks & Spencer, the Co-op and the London-based luxury store Harrods.
The NCA said the individuals are suspected of Computer Misuse Act offenses, blackmail, money laundering and participating in the activities of an organized crime group.
“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” said Paul Foster, the head of the NCA’s National Cyber Crime Unit.
“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.
“Cyber attacks can be hugely disruptive for businesses and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”
therecord.media July 9th, 2025 - DGSE intelligence head Nicolas Lerner said Moscow’s tactics are evolving and increasingly include on-the-ground activities carried out by paid operatives.
France’s top intelligence official has warned that Russia is waging "a war of influence" against the country through hybrid online disinformation, espionage and sabotage operations.
Nicolas Lerner, head of the DGSE foreign intelligence agency, said in an interview with French broadcaster LCI that Moscow’s tactics are evolving and now include physical operations carried out by paid intermediaries. He cited an incident last year in which suspected Russian saboteurs placed coffins near the Eiffel Tower draped in the French flag bearing the inscription “French soldiers of Ukraine.”
“These are not amateur operations,” Lerner said. “They reflect a desire to disrupt our information space and undermine trust in our institutions.”
He said that around 80 Russian agents were active in France before Russia’s full-scale invasion of Ukraine in 2022, and that 50 of them have since been expelled. Paris has also imposed sanctions on individuals linked to Moscow’s intelligence services.
Lerner warned that Russia poses a medium- and long-term “existential threat” to Europe, its democracies and its values.
His comments come amid alarm over a growing wave of alleged Russian hybrid operations across Europe. In recent months, NATO allies and EU member states have reported suspected sabotage, cyberattacks, and disinformation campaigns linked to Moscow.
In June, trains between Amsterdam and The Hague were disrupted in what Dutch authorities suspect was a sabotage attempt tied to the NATO summit. Around the same time, pro-Russian hacktivists claimed responsibility for distributed denial-of-service attacks targeting summit-related organizations.
In France, the high-speed rail network was hit by coordinated sabotage just hours before last year’s Olympic Games opening ceremony, affecting lines around Paris.
Polish officials recently accused Russian intelligence of orchestrating a 2024 fire at a major Warsaw shopping mall. Warsaw responded by shutting down a Russian consulate.
On Tuesday, three South London men were found guilty of carrying out an arson attack on a depot housing humanitarian aid intended for Ukraine. The men were hired by the Wagner Group, a private militia that has acted under the orders of the Kremlin.
European officials have also warned of cyber operations targeting military, government, and critical infrastructure across the continent. On Wednesday, German media reported that a Kremlin-linked hacking group is attempting to steal sensitive data from the German armed forces.
therecord.media - Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay.
Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang.
The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities.
A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site.
The cybercriminals are attempting to sell data stolen from the charity for 20 bitcoin, equivalent to around $2.1 million, although it is not clear whether WHH’s computer networks have also been encrypted. The charity said it would not be making an extortion payment to the criminals behind the attack.
“The affected systems were shut down immediately and external IT experts who specialise in such cases were called in. We have also further strengthened the security of our systems with additional technical protective measures,” said a WHH spokesperson.
“We have informed the relevant data protection authority, consulted our data protection officer and involved the police authorities. We continue to liaise closely with the authorities,” they added.
The charity stressed it was “continuing our work in our project countries unchanged. We continue to stand by the side of the people who need our support. In view of the many humanitarian crises worldwide, our work is more important than ever.”
The RaaS group that is extorting WHH was previously responsible for attacks on multiple hospitals — including The Ann & Robert H. Lurie Children’s Hospital of Chicago and hospitals run by Prospect Medical Holdings — and last year also attempted to extort the disability nonprofit Easterseals.
One of the largest food distributors in the U.S. reported a cyberattack to regulators on Monday, explaining that the incident has disrupted its operations and ability to fulfil customer orders.
United Natural Foods released a public statement and filed documents with the U.S. Securities and Exchange Commission (SEC) saying the cyberattack began on June 5.
The statement said the Rhode Island-based company identified unauthorized activity on its systems on Thursday, prompting officials to take systems offline. The action “has temporarily impacted the Company’s ability to fulfill and distribute customer orders.”
“The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations,” United Natural Foods said. “The Company has implemented workarounds for certain operations in order to continue servicing its customers where possible. The Company is continuing to work to restore its systems to safely bring them back online.”
Law enforcement has been notified and the company said it has hired a cybersecurity firm to remediate the incident. The investigation into the attack “remains ongoing and is in its early stages.”
The press statement published on Monday said the company is working closely with “customers, suppliers, and associates” to minimize the disruption. The company did not respond to requests for comment.
United Natural Foods is the main supplier for Whole Foods and is considered the largest health and specialty food distributor in the United States and Canada. The company reported $8.2 billion in net sales last quarter.
The hack into the account of the country’s top security official has drawn criticism online.
Malaysia’s home minister had his WhatsApp account hacked and then abused to send malicious links to his contacts, according to police.
The attacker reportedly used a virtual private network (VPN) to compromise the account of Datuk Seri Saifuddin Nasution Ismail, authorities said at a press conference on Friday, adding that no victims have reported financial losses so far. They did not elaborate on how the hack was carried out.
The Ministry of Home Affairs, which oversees law enforcement, immigration and censorship, confirmed the incident and urged the public not to respond to any messages or calls claiming to be from the minister, especially those involving financial or personal requests.
The breach is under investigation and law enforcement is working to determine the hacker’s location.
Mobile phishing scams have become increasingly common in Malaysia. Local media have reported that citizens are frequently targeted by fraudsters posing as police, bank officials or court representatives.
The recent WhatsApp incident follows similar attacks on other high-ranking officials. In March, scammers hijacked the WhatsApp account of parliamentary speaker Johari Abdul and tricked some of his contacts into sending money. In 2022, threat actors accessed Telegram and Signal accounts belonging to former Prime Minister Ismail Sabri. And in 2015, hackers took over the Royal Malaysia Police’s Twitter and Facebook accounts, posting pro-Islamic State group messages.
Nasution Ismail faced online criticism and ridicule following the WhatsApp hack, with local media reporting that citizens questioned the strength of Malaysia’s cybersecurity measures, given that the country’s top security official had been successfully targeted by hackers.
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service.
Jonathan Braley, director of cyber information sharing organization Food and Ag-ISAC, spoke at the RSA Conference on Thursday and warned of not only the increase in ransomware incidents but the continued lack of visibility into the full scope of the problem.
“A lot of it never gets reported, so a ransomware attack happens and we never get the full details,” he told Recorded Future News on the sidelines of the conference. “I wish companies would be more open in talking about it and sharing ‘Here's what they use, here's how we fixed it,’ so the rest of us can prevent that.”
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service. But Braley noted that even when they took out the attacks attributed to Clop, groups like RansomHub and Akira were still continuing to attack the food industry relentlessly.
The Food and Ag-ISAC obtained its numbers through a combination of open-source sites, dark web monitoring, member input and information sharing between National Council of ISAC members.
The industry saw 31 attacks in January and 35 in February before a dip to 18 attacks in March.
The 84 attacks seen from January to March were more than double the number seen in Q1 2024.
A cyberattack has forced the government-run South African Weather Service (SAWS) offline, limiting access to a critical service used by the country’s airlines, farmers and allies.
The website for SAWS has been down since Sunday evening, according to a statement posted to social media. SAWS has had to use Facebook, X and other sites to share daily information on thunderstorms, wildfires and other weather events.