A Web of Deceit and Extortion

Almost daily, I receive messages from hackers of all stripes, but a recent ping was impossible to ignore. A group claiming to be behind the M&S and Co-op hacks reached out to me on Telegram, revealing a treasure trove of private customer and employee information. Through a series of messages, it became clear that these apparent hackers were fluent English speakers and closely linked to the M&S and Co-op hacks.

The hackers, who referred to themselves as “Raymond Reddington” and “Dembe Zuma” after characters from the US crime thriller The Blacklist, shared evidence of their involvement in the hacks. They claimed to have stolen a huge amount of private data and were demanding ransom in exchange for the promise not to sell or give away the stolen information. I checked out a sample of the data they provided, and then securely deleted it.

The hackers’ conversation with me confirmed suspicions that they were responsible for the hack. They were frustrated that Co-op wasn’t giving in to their ransom demands, but wouldn’t say how much money in Bitcoin they were demanding. After a conversation with the BBC’s Editorial Policy team, we decided to report that they had provided us with evidence proving their involvement in the hack.

The Co-op quickly admitted the significant data breach to employees, customers, and the stock market. The hackers later sent me a long, angry, and offensive letter about Co-op’s response to their hack and subsequent extortion. The letter revealed that the retailer narrowly dodged a more severe hack by intervening in the chaotic minutes after its computer systems were infiltrated.

The hackers’ claims were later confirmed by experts in the cyber security world, who said that the group behind the hacks was a cyber crime service called DragonForce. DragonForce offers various services on its darknet site in exchange for a 20% cut of any ransoms collected. The group has been advertising its wider offering since at least early 2024 and has been actively targeting organisations since 2023.

DragonForce recently rebranded itself as a cartel, offering even more options to hackers, including 24/7 customer support. The group’s darknet website was recently hacked and defaced by a rival gang called RansomHub, before re-emerging about a week ago.

Despite the power struggle in the underground world of cybercrime, DragonForce’s modus operandi is to post about its victims, as it has done 168 times since December 2024. Yet, so far, DragonForce has remained silent about the retail attacks, leading some researchers to believe that a victim organisation may have paid the hackers to keep quiet.

Establishing who the people are behind DragonForce is tricky, and it’s not known where they are located. The hackers didn’t tell me explicitly that they were behind the recent hacks on M&S and Harrods, but they confirmed a report in Bloomberg that spelt it out.

Some researchers say DragonForce are based in Malaysia, while others say Russia, where many of these groups are thought to be located. We do know that DragonForce has no specific targets or agenda other than making money. And if DragonForce is just the service for other criminals to use, who is pulling the strings and choosing to attack UK retailers?

Researchers believe that a loose collective of cyber criminals known as Scattered Spider may be behind the attacks. Scattered Spider is not really a group in the normal sense of the word, but a community that organises across sites like Discord, Telegram, and forums. They are known to be English-speaking and probably in the UK and the US, and young, in some cases teenagers.

The hackers I spoke to on Telegram declined to answer whether or not they were Scattered Spider, but their conversation with me confirmed the suspicions that they were involved in the hack. The determination of these hackers seems to be unaffected by the recent crackdowns by police.
