UK authorities have made their first arrest in the Collins Aerospace ransomware attack that crippled check-in systems across major European airports for four days. The National Crime Agency nabbed a suspect in West Sussex on Tuesday, marking a breakthrough in the investigation that brought Heathrow, Brussels, Berlin, and Dublin airports to their knees over the weekend.
The UK's National Crime Agency just delivered the first major breakthrough in Europe's most disruptive cyber attack of 2025. A man in his forties was arrested Tuesday in West Sussex, connected to the ransomware assault that brought four major airports to a standstill for nearly 100 hours.
The attack hit Collins Aerospace systems on Friday, immediately cascading across the continent's busiest travel hubs. Passengers at London's Heathrow, Brussels Airport, Berlin Brandenburg, and Dublin found themselves stranded as check-in systems went dark, forcing airlines to resort to manual processes that stretched wait times to hours.
"Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," Paul Foster, deputy director of the NCA's National Cyber Crime Unit, told reporters Wednesday. The measured tone reflects the complexity of ransomware investigations, where arrests often represent just the tip of a much larger criminal operation.
The timing of the arrest - just five days after the initial attack - signals a new urgency in how law enforcement approaches critical infrastructure threats. Traditional ransomware investigations can drag on for months as authorities trace cryptocurrency payments and penetrate encrypted communications. This rapid response suggests either exceptional digital forensics work or that the suspect left a significant digital footprint.
Collins Aerospace, a subsidiary of RTX Corporation (formerly Raytheon Technologies), provides critical aviation infrastructure to hundreds of airports globally. Their ARINC vMUSE check-in platform processes millions of passenger transactions daily, making it an attractive target for criminals seeking maximum disruption. The company's systems handle everything from baggage tracking to gate assignments, explaining why the Friday attack caused such widespread chaos.
The suspect, whose identity remains sealed under UK law, has been released on conditional bail. This standard procedure allows investigators to continue building their case while monitoring the individual's activities. NCA spokesperson Richard Crowe declined to provide additional details beyond the agency's public statement, citing the ongoing investigation.
