{"id":11803,"date":"2025-06-06T10:23:44","date_gmt":"2025-06-06T14:23:44","guid":{"rendered":"https:\/\/sharewatch.com\/wp\/2025\/06\/06\/ms-hackers-sent-abuse-and-ransom-demand-directly-to-ceo\/"},"modified":"2025-06-06T10:23:44","modified_gmt":"2025-06-06T14:23:44","slug":"ms-hackers-sent-abuse-and-ransom-demand-directly-to-ceo","status":"publish","type":"post","link":"https:\/\/sharewatch.com\/wp\/2025\/06\/06\/ms-hackers-sent-abuse-and-ransom-demand-directly-to-ceo\/","title":{"rendered":"M&S hackers sent abuse and ransom demand directly to CEO"},"content":{"rendered":"
\n

Joe Tidy<\/span><\/p>\n

Cyber correspondent, BBC World Service<\/span><\/p>\n<\/div>\n

\n
\n

Bloomberg via Getty Images<\/span><\/p>\n<\/div>\n<\/figure>\n

\n

The Marks & Spencer hackers sent an abuse-filled email directly to the retailer’s boss gloating about what they had done and demanding payment, BBC News has learnt.<\/p>\n

The message to M&S CEO Stuart Machin – which was in broken English – was sent on the 23 April from the hacker group DragonForce using an employee email account.<\/p>\n

The email confirms for the first time that M&S has been hacked by the ransomware group \u2013 something that M&S has so far refused to acknowledge.<\/p>\n

“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” the hackers wrote.<\/p>\n

“The dragon wants to speak to you so please head over to [our darknet website].”<\/p>\n<\/div>\n

\n

The cyber attack has been hugely damaging for M&S, costing it an estimated \u00a3300m. More than six weeks on, it is still unable to take online orders<\/p>\n

The extortion email was shown to the BBC by a cyber-security expert.<\/p>\n

The message, which includes a racist term, was sent to the M&S CEO and seven other executives.<\/p>\n

As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers.<\/p>\n

Nearly three weeks later customers were informed by the company that their data may have been stolen.<\/p>\n

The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) – which has provided IT services to M&S for over a decade.<\/p>\n

The Indian IT worker based in London has an M&S email address but is a paid TCS employee.<\/p>\n

It appears as though he himself was hacked in the attack.<\/p>\n

TCS has previously said it is investigating whether it was the gateway for the cyber-attack.<\/p>\n

The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S.<\/p>\n

M&S has declined to comment entirely.<\/p>\n<\/div>\n

\n

‘We can both help each other’<\/h2>\n<\/p>\n
\n

A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic.<\/p>\n

Sharing the link \u2013 the hackers wrote: “let’s get the party started. Message us, we will make this fast and easy for us.”<\/p>\n

The criminals also appear to have details about the company’s cyber-insurance policy too saying “we know we can both help each other handsomely : ))”.<\/p>\n

The M&S CEO has refused to say if the company has paid a ransom to the hackers.<\/p>\n

DragonForce ended the email with an image of a dragon breathing fire.<\/p>\n<\/div>\n

\n
\n<\/div>\n

This dragon image was appended to the hackers email, seen by the BBC<\/figcaption><\/p>\n<\/figure>\n
\n

The email confirms for the first time the link between M&S’s hack and the ongoing Co-op cyber-attack, which DragonForce have also claimed responsibility for.<\/p>\n

The two hacks – which began in late April – have wrought havoc on the two retailers. Some Co-op shelves were left bare for weeks, while M&S expects its operations to be disrupted until July.<\/p>\n

Although we now know that DragonForce is behind both, it is still not clear who the actual hackers are.<\/p>\n

DragonForce offers cyber-criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected.<\/p>\n

Anyone can sign up and use their malicious software to scramble a victim’s data or use their darknet website for their public extortion.<\/p>\n

Nothing has appeared on the criminal’s darknet leak site about either Co-op or M&S but the hackers told the BBC last week that they were having IT issues of their own and would be posting information “very soon.”<\/p>\n

Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China.<\/p>\n

Speculation has been mounting that a loose collective of young western hackers known as Scattered Spider might be the affiliates behind the hacks and also one on Harrods.<\/p>\n

Scattered Spider is not really a group in the normal sense of the word. It’s more of a community which organises across sites like Discord, Telegram and forums \u2013 hence the description “scattered” which was given to them by cyber-security researchers at CrowdStrike.<\/p>\n

Some Scattered Spider hackers are known to be teenagers in the US and UK.<\/p>\n

The UK’s National Crime Agency said in a BBC documentary about the retail hacks, that they are focusing investigations on the group.<\/p>\n

The BBC spoke to the Co-op hackers who declined to answer whether or not they were Scattered Spider. “We won’t answer that question” is all they said.<\/p>\n

Two of them said they wanted to be known as “Raymond Reddington” and “Dembe Zuma” after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist.<\/p>\n

In a message to me, they boasted: “We’re putting UK retailers on the Blacklist.”<\/p>\n

There have been a series of smaller cyber-attacks on UK retailers since but none as impactful of disruptive as those on Co-op, M&S and Harrods.<\/p>\n<\/div>\n

\n

In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to Scattered Spider.<\/p>\n

The UK’s national cyber-crime unit has confirmed to the BBC that the group is one of their key suspects.<\/p>\n

As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. “We won’t answer that question” is all they said.<\/p>\n<\/div>\n

\n
\n<\/div>\n<\/figure>\n","protected":false},"excerpt":{"rendered":"

Joe Tidy Cyber correspondent, BBC World Service Bloomberg via Getty Images The Marks & Spencer hackers sent an abuse-filled email directly to the retailer’s boss gloating about what they had done and demanding payment, BBC News has learnt. The message to M&S CEO Stuart Machin – which was in broken English – was sent on […]<\/p>\n","protected":false},"author":1,"featured_media":11804,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,21,20],"tags":[],"class_list":["post-11803","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business","category-market","category-news","entry","has-media"],"_links":{"self":[{"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/posts\/11803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/comments?post=11803"}],"version-history":[{"count":0,"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/posts\/11803\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/media\/11804"}],"wp:attachment":[{"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/media?parent=11803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/categories?post=11803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sharewatch.com\/wp\/wp-json\/wp\/v2\/tags?post=11803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}