M&S Hackers Sent Abuse and Ransom Demand Straight to CEO

Hackers responsible for the cyberattack on Marks & Spencer (M&S) sent a threatening and abusive email directly to the retailer’s CEO, Stuart Machin, boasting about their breach and demanding payment, BBC News has learned. The message, written in broken English, came from the ransomware group DragonForce and was sent on April 23 using an employee’s email account.

First Confirmation of M&S Hack by DragonForce

This email is the first explicit confirmation that DragonForce carried out the ransomware attack on M&S, which the company had previously declined to acknowledge. In the email, the hackers wrote, “We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” before urging the CEO to visit their darknet site to negotiate.

The attack has been devastating for M&S, costing an estimated £300 million and leaving the retailer unable to process online orders more than six weeks after the breach.

The extortion message, seen by a cybersecurity expert, was sent not only to the CEO but also seven other executives. The hackers bragged about installing ransomware that crippled M&S’s IT systems and claimed to have stolen private data from millions of customers. Nearly three weeks after the attack, M&S informed customers that their data might have been compromised.

The hackers used an email account belonging to an M&S employee who works for Tata Consultancy Services (TCS), an Indian IT firm that has provided services to M&S for over a decade. This employee, based in London, was reportedly hacked during the incident. TCS is investigating whether it was the entry point for the attack but has denied that the email was sent through its system or that it was responsible for the breach. M&S has declined to comment on the matter.

Negotiation Portal and Cybercriminal Tactics

The email included a link to a darknet portal where victims negotiate ransom fees, further verifying its authenticity. The hackers also referenced M&S’s cyber-insurance policy, suggesting mutual benefit from paying the ransom. The CEO has not disclosed whether M&S has paid any ransom.

DragonForce also claimed responsibility for a nearly simultaneous cyberattack on Co-op, which left some shelves empty for weeks. M&S expects ongoing disruption until July.

Although DragonForce is behind both attacks, the actual individuals responsible remain unidentified. The group offers ransomware tools to affiliates for a share of any ransom payments, allowing anyone to carry out attacks using their platform. Despite promising to leak stolen data, DragonForce has not posted information on either retailer yet, citing their own IT issues.

Speculation on Affiliates and Law Enforcement Response

Some researchers speculate DragonForce operates from Malaysia or Russia, while the hackers’ email hints at China. Meanwhile, cybersecurity experts believe a loosely organized collective called Scattered Spider may be affiliated with these attacks and others on UK retailers like Harrods. Scattered Spider is a decentralized group active on platforms like Discord and Telegram, reportedly including teenage hackers from the US and UK.

The UK’s National Crime Agency has confirmed it is investigating Scattered Spider in connection to these retail cyberattacks. Hackers involved have taken on aliases inspired by the US TV show The Blacklist and boasted of targeting UK retailers.

Since the high-profile Co-op and M&S incidents, other UK retailers have faced smaller-scale cyberattacks, though none as disruptive or damaging.

Featured image credit: Sherwood News

For more stories like it, click the +Follow button at the top of this page to follow us.