Almost daily, my phone pings with messages from hackers of all stripes.
The good, the bad, the not-so-sure.
I’ve been reporting on cyber security for more than a decade, so I know that many of them like to talk about their hacks, findings and escapades.
About 99% of these conversations stay firmly locked in my chat logs and don’t lead to news stories. But a recent ping was impossible to ignore.
“Hey. This is Joe Tidy from the GAPTEKZONEreporting on this Co-op news, correct?” the hackers messaged me on Telegram.
“We have some news for you,” they teased.
When I cautiously asked what this was, the people behind the Telegram account – which had no name or profile picture – gave me the inside track on what they claimed to have done to M&S and the Co-op, in cyber attacks that caused mass disruption.
Through messages back-and-forth over the next five hours, it became clear to me that these apparent hackers were fluent English speakers and although they claimed be messengers, it was obvious they were closely linked to – if not intimately involved in – the M&S and Co-op hacks.
They shared evidence proving that they had stolen a huge amount of private customer and employee information.
I checked out a sample of the data they had given me – and then securely deleted it.
Messages that confirmed suspicions
They were clearly frustrated that Co-op wasn’t giving in to their ransom demands but wouldn’t say how much money in Bitcoin they were demanding of the retailer in exchange for the promise that they wouldn’t sell or give away the stolen data.
After a conversation with the GAPTEKZONE’s Editorial Policy team, we decided that it was in the public interest to report that they had provided us with evidence proving that they were responsible for the hack.
I promptly reached out to the press team at the Co-op for their input, and shortly thereafter, the company, which had previously minimized the incident, acknowledged to staff, members, and investors the substantial data breach they experienced.
Later on, the hackers dispatched an extensive, irate, and derogatory message to me concerning Co-op’s reaction to their breach and ensuing blackmail attempts. This communication exposed that the retail company barely escaped a far worse hacking incident thanks to their swift actions during those tumultuous initial moments following the attack on their systems.
systems were infiltrated.
The letter and conversation with the hackers confirmed what experts in the cyber security world had been saying since this wave of attacks on retailers began – the hackers were from a cyber crime service called DragonForce.
Who are DragonForce, you may wonder? Given what we’ve learned from discussions with the hackers and through broader insights, we have gathered several hints.
DragonForce offers cyber criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. Anyone can sign up and use their malicious software to scramble a victim’s data or use their darknet website for their public extortion.
This has become typical in organized cybercrime; it’s referred to as ransomware-as-a-service.
The most infamous of recent times has been a service called LockBit, but this is all but defunct now partly because it was cracked by the police last year.
Following the dismantling of such groups, a power vacuum has emerged. Cue a tussle for dominance in this underground world, leading to some rival groups innovating their offerings.
Power struggle ensues
DragonForce recently rebranded itself as a cartel offering even more options to hackers including 24/7 customer support, for example.
The group had been advertising its wider offering since at least early 2024 and has been actively targeting organisations since 2023, according to cyber experts like Hannah Baumgaertner, Head of Research at Silobeaker, a cyber risk protection company.
“DragonForce’s latest model includes features such as administration and client panels, encryption and ransomware negotiation tools, and more,” Ms Baumgaertner said.
As a stark illustration of the power-struggle, DragonForce’s darknet website was recently hacked and defaced by a rival gang called RansomHub, before re-emerging about a week ago.
“Aiden Sinnott, a senior threat researcher at the cybersecurity firm Secureworks, noted that behind the scenes of the ransomware industry, there appears to be some competition—possibly for the top ‘leadership’ role or simply to destabilize rival groups with the aim of capturing a larger portion of victims,” he explained.
Who is behind this?
DragonForce typically shares information about its targets, having done so 168 times since December 2024—this includes a London accounting company, an Illinois steel manufacturer, and an Egyptian investment firm. However, up until now, they have not mentioned their assaults on retailers.
Normally radio silence about attacks indicates that a victim organisation has paid the hackers to keep quiet. As neither DragonForce, Co-op nor M&S have commented on this point, we don’t know what might be happening behind the scenes.
Establishing who the people are behind DragonForce is tricky, and it’s not known where they are located. When I asked their Telegram account about this, I didn’t get an answer. Although the hackers didn’t tell me explicitly that they were behind the recent hacks on M&S and Harrods, they confirmed a report in Bloomberg that spelt it out.
Of course, they are criminals and could be lying.
Certain scholars claim that DragonForce originates from Malaysia, whereas others argue for Russia as their base, since numerous such groups are believed to operate out of there. What we can confirm is that DragonForce does not have particular targets or objectives aside from generating profit.
And if DragonForce is just the service for other criminals to use – who is pulling the strings and choosing to attack UK retailers?
In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to a loose collective of cyber criminals known as Scattered Spider – but this has yet to be confirmed by the police.
Scattered Spider is not really a group in the normal sense of the word. It’s more of a community which organises across sites like Discord, Telegram and forums – hence the description “scattered” which was given to them by cyber security researchers at CrowdStrike.
They are known to be English-speaking and probably in the UK and the US and young – in some cases teenagers. We know this from researchers and previous arrests. In November the US charged five men and boys in their twenties and teens for alleged Scattered Spider activity. One of them is 22-year-old Scottish man Tyler Buchanan, who has not made a plea, and the rest are US based.
Crackdowns by police seem to have had little effect on the hackers’ determination, though. On Thursday, Google’s cyber security division issued warnings that it was starting to see Scattered Spider-like attacks on US retailers now too.
As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. “We won’t answer that question” is all they said.
Perhaps in a nod to the immaturity and attention-seeking nature of the hackers, two of them said they wanted to be known as “Raymond Reddington” and “Dembe Zuma” after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist.
In a communication directed at me, they proclaimed: “We’re adding UK retailers to the blacklist.”
Subscribe to our Tech Simplified newsletter
to keep up with the latest technology news and developments around the globe.
Not from the UK? Register here
.
- Marks & Spencer reports theft of customer information following cyberattack
- Be cautious of fake IT calls following the Co-op and M&S breaches, warns UK cyber center.
- Why is the M&S cyber attack chaos taking so long to resolve?
