A $2.5 Billion Whodunit: The Hack That Dented the U.K. Economy

Last year, hackers burrowed into the computer systems of Jaguar Land Rover, a crown jewel of British manufacturing. It was a devastating attack that forced Jaguar to lock down its computers and suspend production for five weeks. The hack even put a dent in the broader economy, making it the costliest cyberattack in the nation’s history.

The hack was alarming, but also mysterious. There was never a demand for money, as is common in such intrusions. A loose collective of hackers that included some in Britain took credit. Their claim led to news media speculation that they were the culprits.

They were not. A group of Russian hackers was responsible, according to five people familiar with an investigation into the hack. They spoke on the condition of anonymity because of the sensitivity of the case.

Law enforcement and private-sector cyber-response specialists from Britain and the United States determined that the attack was different in methodology and motivation from the hacking collective, said four of the people.

Authorities are still sorting through the murky details trying to determine whether the attackers were operating at the behest of the Kremlin, or with its tacit assent.

The hack in late August, 2025, and its economic impact were widely covered. In October, The Telegraph newspaper reported that authorities were looking into whether Russia was involved. The conclusion by government and some private-sector investigators that the group was Russian has not been previously reported.

Hacking by Russian groups is hardly new. Still, the attack on Jaguar — and the potential involvement of the Russian state — raises the possibility that this was no typical ransom attack but an assault on the economic foundation of a sovereign state. It played into longstanding fears that an adversarial state could remotely paralyze critical infrastructure, like an energy grid or key manufacturers, stoking chaos and causing economic damage.

The Jaguar infiltration had profound consequences. It slowed manufacturing in the third quarter of 2025, delivering an estimated $2.5 billion hit to the British economy, and it cost the company about $350 million in the 2026 fiscal year.

It also carried powerful symbolism. King Charles III and Queen Camilla use Jaguar vehicles, and the British military has relied on its iconic Land Rover fleet for decades.

New reporting by The New York Times uncovered other details of the investigation. Microsoft, for instance, had been tracking the Russian group and alerted Jaguar to who had breached its systems, according to four of the people familiar with the case. The hackers had used novel ransomware with an encryption algorithm that some cybersecurity experts had not seen in previous attacks. One described it as “mind-blowing.”

Inside a hastily arranged war room during the episode, Jaguar huddled with cybersecurity investigators and private sector experts. Among those participating were Britain’s National Crime Agency and National Cyber Security Centre, as well as Palo Alto Networks and Google’s Mandiant unit. The F.B.I. also assisted. They raced to contain the malware even as the hackers hurriedly tried to erase their footprints.

The attack on Jaguar took place amid an increasingly hostile relationship between Russia and Britain, whose military assistance to Ukraine has angered the Kremlin. Britain has also mounted its own secret cyber-intrusion and sabotage operations against Russia, according to former British and American intelligence officials.

A spokesman for Britain’s National Crime Agency said that while it cannot comment on an ongoing investigation, it knows that “some of the most high-profile cyberattacks against the U.K. are committed by criminals operating from within Russia, and that some of the groups responsible have links to the Russian state.”

Jaguar Land Rover declined to comment, citing the ongoing law enforcement investigation. The F.B.I. declined to comment.

Dmitry Peskov, the spokesman for President Vladimir V. Putin, said “we don’t know anything about this.”

Some clues emerged as the investigation continued. The attack was highly orchestrated. The hackers exploited vulnerabilities in aging technology, then unleashed advanced ransomware meant to hijack the company’s networks.

Experts say these types of techniques are more common among nation states than cyber criminals who are looking for a big payday without spending much money. Nation states can also fund cybercriminals or provide them with hacking tools.

Russia is the biggest source of cybercrime in the world and its intelligence services have long worked hand in glove with cybercriminals to conduct espionage and carry out attacks, according to western security agencies.

Alex Orleans, a former U.S. government cybersecurity contractor, likened the relationship to that of organized crime and select units of the New York Police Department in the 1960s and 1970s. “Just as mafiosos offered patronage and received protection from certain officers, the Russian government provides krysha — a ‘roof’ — to e-crime actors operating out of Russian territory,” Mr. Orleans said.

At an April cyber conference in Scotland, Dan Jarvis, Britain’s recently appointed defense secretary who at the time of the hack was security minister, said hostile states have concluded the “most effective way is not to confront us directly, but to quietly hollow us out.”

Determining whether the Russian government directed the hacker group to sabotage Jaguar or gave tacit approval is a difficult job, but not impossible.

In 2024, Britain imposed sanctions on one Russian group called Evil Corp, a notorious cybercrime syndicate operating out of Moscow that used ransomware and other malware attacks.

The group was used by Russian Intelligence Services to conduct attacks and espionage operations against NATO allies and went “far beyond the typical state-criminal relationship of protection, payoffs and racketeering,” the National Crime Agency said in a joint 2024 report with the F.B.I. and the Australian Federal Police.

Even before the Jaguar attack, there were hints that the company’s systems had been compromised. In June of last year, a hacker released information that included an internal I.P. address for the company, according to cyber specialists.

They described the hacker — a Jordanian named “Rey” — as someone who sells access to breached systems. His posting was a sign that someone was inside the company’s networks. Coincidentally, the Russian hackers were there too.

Rey’s posting set off alarms within Jaguar. The company immediately took steps to deal with a possible intrusion, updating software and rebuilding an old server that was vulnerable but also critical to the manufacturing pipeline.

It was too late. The Russian hackers had already exploited weaknesses in the software and hardware. They had quietly infiltrated the networks and waited to strike, three of the people said.

The timing could not have been worse. It happened on Aug. 31, just as the company was about to roll out new cars to dealers around the world. Jaguar Land Rover, owned by the Indian conglomerate Tata Group, employs 34,000 people in Britain and supports another 120,000 British jobs through its supply chain.

The ransomware used in the attack was unlike anything some security researchers involved in the inquiry had ever seen, two of the people familiar with the case said. The encryption was sophisticated, and unusual — “really, really complicated,” one expert said.

The attackers warned Jaguar not to seek the help of British authorities and said they would be in touch in 72 hours. The company ignored the warning and invited British investigators and others into its war room in the Midlands.

Within hours, the company had to shut down its systems, halting production at its factories in England, as well as in Brazil, China, India and Slovakia. It was a drastic move, but it allowed the company to prevent the hackers from taking complete control of its global network. The ransomware was designed to encrypt the servers, including the backup ones, locking Jaguar out of its own systems.

Eventually the attackers were kicked out of the networks as cyber specialists battled to regain control. Jaguar slowly restarted operations in October and restored production to normal levels by mid-November.

Once the company contained the attack, it did an analysis to figure out who had launched it. A hacking collective dubbing itself Scattered Lapsus$ Hunters — a blend of names taken from existing cybercriminal groups that had taken credit for scores of major corporate breaches in recent years — claimed responsibility on a Telegram channel.

One of those groups, Scattered Spider, was suspected in several attacks on British retailers last spring, including Harrods and Marks & Spencer. It has also targeted companies in the United States.

Investigators quickly determined that the methods used in Jaguar Land Rover were different from those hacks, which demanded ransoms in at least two of the attacks and relied on online deception like phishing to trick their targets into giving access.

The company did not know who was behind the attack until Microsoft alerted it in the days after the incursion that the group of Russian hackers was responsible, three of the people familiar with the investigation said. Microsoft declined to comment.

Jaguar Land Rover has since rebounded with the help of the government, which provided the automaker with a guarantee on a roughly $2 billion loan that it could use to support its suppliers.

At the cyber conference in Scotland, Mr. Jarvis said the damage had been remarkable.

“If this damage had been caused by an old-school, physical attack it would have been the equivalent of hundreds of masked criminals turning up to dealerships across the country breaking glass, smashing up computers and driving cars right off the forecourt,” he said.