TCS Email Misused in ₹300 Cr M&S Hack: Did Hackers Fool the CEO Directly?

The420.in Staff

Marks & Spencer’s CEO received a direct, abuse-laden email from ransomware group DragonForce, confirming the company’s crippling cyberattack. The message, reportedly sent from a hacked employee account on April 23, gloated over the breach, issued a ransom demand, and directed the CEO to a darknet portal for negotiation.

Ransom Email Confirms M&S Hack for First Time

Though M&S has yet to officially acknowledge the cyberattack, the contents of the email, shared with an organization, serve as the first direct confirmation that DragonForce is responsible. The message also included racial slurs, threats, and a graphic of a dragon breathing fire, urging executives to begin ransom negotiations:

“Let’s get the party started. Message us, we will make this fast and easy for us.”

 

The breach has cost M&S an estimated £300 million (30 Crore INR), leaving its online ordering system down for over six weeks and likely disrupted until July.

Hackers Used Compromised TCS Employee Account

The email was sent using the corporate account of a Tata Consultancy Services (TCS) employee based in London, suggesting the hackers compromised the account to lend credibility. TCS, which has supported M&S IT for over a decade, denies any involvement, stating the message did not originate from its systems.

The hackers also referenced M&S’s cyber insurance policy, implying deep access to internal documents and further confirming the seriousness of the breach.

M&S, Co-op, and Harrods Likely Hit by Same Ransomware Network

The attack appears connected to a similar breach at the Co-op, which also suffered supply chain chaos. Both incidents have been attributed to DragonForce, though experts suspect that affiliates from the Scattered Spider hacker collective, an underground community of young cybercriminals operating on Discord and Telegram, may be behind the actual execution.

Some researchers link DragonForce to Malaysia, others to Russia, but their own messages imply Chinese origins.

UK Retailers Warned: “You’re on the Blacklist”

When contacted, two hackers associated with the group identified themselves as “Raymond Reddington” and “Dembe Zuma”, characters from The Blacklist, the U.S. crime thriller.

“We’re putting UK retailers on the Blacklist,” they said.

The UK’s National Crime Agency is now actively investigating, focusing on potential links to Scattered Spider.

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
