DragonForce and Scattered Spider: Inside the hacker groups linked to M&S cyberattack

Marks & Spencer has finally reopened its online orders, months after a cyber attack which is set to cost the British high street retailer £300 million in profits this year.
This comes as a new hacking group has been connected with the incident, after it was revealed the DragonForce group sent M&S CEO Stuart Machin an email days after it faced a major cyberattack gloating about the hack and demanding ransom payment.
The email, seen and reported by the BBC, said: 'We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers.'
DragonForce aren't the only group that have been connected with the attack on the retailer, as the Scattered Spider network had previously been named as the enactors of the social engineering attack.
According to Sergey Shyekevich, a researcher from cybersecurity company Checkpoint, more hacker groups are forming alliances on the dark web.
'Co-operation between two powerful groups is very interesting,' he says. 'It's one outcome we see on the dark web more and more, alliances between big groups.'
Here's all we know about the two hacker groups
What is DragonForce?
DragonForce is a hacker organisation that offers Ransomware to cyber-criminal affiliates for a 20 per cent cut of any ransoms collected. This means that for a fee, they lease out their malware through dark web marketplaces to cyber-criminals.
While the organisation originally started working in 2023, they've had a massive re-marketing of their business model in the past couple of months.
'In the last two months, they started to become very active in one of the biggest dark web forums,' says Sergey, who says they have marketed themselves as a 'Ransomware Cartel', cornering that market on the dark web in the past month.
'They started being more aggressive I think a few weeks before all the attacks in the UK,' he adds.
Researchers have claimed they operate out of Malaysia, with some disputing this and saying they are located in Russia. As well as the M&S hack, DragonForce has been linked to the Co-op cyberattack.
What is Scattered Spider?
Scattered Spider is a community of hackers that targets huge organisations across different sectors using social engineering tactics.
'They're very good at social engineering of different types,' Sergey says, adding that in the past they have used SIM swapping and impersonated IT staff to trick people into letting them use their systems.
Believed to be a community of young adults across the US and UK, the group gained notoriety for their involvement in hacking and extorting two of the largest casino and gambling companies in the United States.
'They understand human nature and how big corporations work,' says Sergey. 'They're very successful.'
In 2023 they were linked to the hacking and extortion of Caesars Entertainment and MGM Resorts International, which led the former to pay a ransom of approximately £11 million ($15 million). They were able to access a significant number of driver's licence numbers and possibly even Social Security numbers of the casino customers through the ransomware demand.
A 17-year-old hacker from the United Kingdom was arrested in connection with the hack and attempted ransom in July 2024.
How did the cyberattack happen?
M&S first disclosed they had experienced a cyberattack on 22 April, which had disrupted their online operations and even halted contactless payments. Hundreds of agency workers at the company were told not to come into work as the retailer dealt with the fallout of the cyberattack.
Customer personal data – which could have included names, email addresses, postal addresses and dates of birth – was also taken by hackers in the attack.
M&S revealed last month that the attack was caused by 'human error', as Mr Machin said in an annual figures report in May that the hackers gained access to the company's IT systems through a third party.
He said at the time: 'We didn't leave the door open, this wasn't anything to do with under-investment. Everyone is vulnerable. For us, we were unlucky on this particular day through some human error.'
Responding to attacks on the retail sector, the NCSC put out advice to the industry and responded to speculation that the Scattered Spider group had used social engineering to target IT help desks and perform password and MFA (multi-factor authentication) resets.
'Criminal activity online – including, but not limited to, ransomware and data extortion – is rampant,' their blog post wrote. 'Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared.'
Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said: 'Specialist NCA cybercrime officers are working closely with law enforcement partners to investigate the recent cyber incidents affecting the retail sector. Identifying the criminals responsible and bringing them to justice is a top priority.
'We are considering the incidents individually, but have a range of hypotheses and are mindful they may be linked.
'The impact of these incidents has been significant and businesses will understandably be concerned. I'd encourage all organisations to follow advice on the NCSC's website to ensure they have effective cyber security measures in place to help prevent attacks.
'I'd also urge those that do unfortunately fall victim to an attack to engage with law enforcement as part of the reporting process. The NCA and policing will investigate covertly and discreetly, as well as support the recovery of systems and data.'
How much money has M&S lost?
The fallout from the cyberattack saw the company lose £650 million of value in a matter of days. M&S said it expected to take an estimated £300 million hit to profits this year, as they predicted disruption to its online business to last into July.
What has M&S said in response?
As M&S reopened its online operations, they put out a statement which said: 'You can now place online orders with standard delivery to England, Scotland and Wales. Delivery to Northern Ireland will resume in the coming weeks.
'We will resume click and collect, next-day delivery, nominated-day delivery and international ordering in the coming weeks.'

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

The Independent

36 minutes ago

• The Independent

Ministers ‘abusing' anti-terror laws against Palestine activists

Former Scottish first minister Humza Yousaf has said the Government is 'abusing' anti-terror laws against pro- Palestine activists as tens of thousands of protesters marched in London. A protest organised by groups under the Palestine Coalition banner marched to Whitehall from Russell Square in central London on Saturday afternoon. Organisers estimated that 350,000 people attended the protest, with those marching waving Palestinian flags and chanting 'free, free Palestine' and 'stop bombing Iran'. Many protesters chanted 'shame on you' as they walked past dozens of counter-protesters, organised by pro-Israeli group Stop The Hate, near Waterloo Bridge. The Metropolitan Police said a person was arrested after a bottle was thrown towards the counter-protesters. They added that 'a group appeared on Waterloo Bridge trying to block traffic' following the protest, with officers intervening to clear the road. The demonstrations come after reports on Friday that the Home Secretary will ban Palestine Action after the group vandalised two aircraft at RAF Brize Norton. Yvette Cooper has decided to proscribe the group, making it a criminal offence to belong to or support Palestine Action, after footage posted online showed two people inside the RAF base, with one appearing to spray paint into an aircraft's jet engine. Addressing crowds at the national march for Palestine in Whitehall, former SNP leader Mr Yousaf said: 'While we stand a stone's throw from Downing Street, let's make it clear to the Prime Minister: You try to intimidate us with your anti-terror laws by abusing them, but you'll never silence us as we speak out against the genocide that you're supporting. 'We're not the terrorists – the ones that are literally killing children, they are the terrorists.' A pro-Palestine protester said it was 'absolutely horrendous' that the Government is preparing to ban Palestine Action. Artist Hannah Woodhouse, 61, told the PA news agency: 'The Government, since yesterday, have said they're also going to start to try to proscribe peace activists who are trying to take action against the genocide – so Palestine Action are now being targeted by our Government, which is absolutely horrendous.' Ms Woodhouse, who is from London, added: 'Counter-terrorism measures, it seems, are being used against non-violent peace protesters. 'The peace activists are trying to do the Government's job, which is to disarm Israel. The duty of any government right now is to disarm a genocidal state.' Musician Paloma Faith told pro-Palestine campaigners that she would not 'stick to music and stay away from politics'. Speaking to crowds at the march, the songwriter, 43, added: 'Those who facilitate these crimes against humanity need to be made accountable, not those of us who are compassionate and humane enough to stand against it.' Former Labour leader Jeremy Corbyn told protesters that politicians were seeking to 'turn people who protest against the invasion of Iran or the occupation of Palestine into terrorists'. Some protesters were carrying Iran flags, with others hoisting signs – distributed by the Islamic Human Rights Commission – that read 'choose the right side of history' alongside a photo of Iranian Supreme Leader Ayatollah Ali Khamenei. Human rights group Liberty said banning Palestine Action 'would be a huge step change in how counter-terror laws are applied'. Sam Grant, its external affairs director, said in a statement: 'Targeting a protest group with terrorism powers in this way is a shocking escalation of the Government's crackdown on protest and we urge the Home Secretary to rethink. 'It's clear the actions of Palestine Action don't meet the Government's own proportionality test to be proscribed as a terrorist group, but the consequences for the group's supporters if ministers go ahead would be heavy – with things like wearing their logo carrying prison sentences. 'This move needs to be viewed in light of the sustained crackdowns on protest we have seen from successive governments over recent years, and the worrying fact that there are more and more non-violent protesters spending years in prison.' The Palestine Coalition is comprised of a number of different groups, including the Palestine Solidarity Campaign and Stop The War.

Daily Mail​

an hour ago

• Daily Mail​

'Heartbroken' family pays tribute to 'beautiful soul' of man, 20, who was found dead in village river

A 'heartbroken' family have paid tribute to their 20-year-old son who was found dead in their village river. Jacob Rutkowski, who has been described as a 'beautiful soul' by his grieving family died after getting into difficulty in the river Tees in County Durham. It is understood that Jacob from Darlington, County Durham, entered the water in Gainford on Friday and began to struggle, sparking a huge emergency response. The air ambulance, mountain rescue crews, police helicopter, paramedics and fire crews all rushed to the rural village at about 2.30pm in a bid to rescue him. Drones and rescue dogs were also used in the search. Tragically, Durham Police later confirmed that they had found a body in the river. Jacob's family have paid tribute to his life and have launched a GoFundMe page in a bid to raise funds for his funeral. The page reads: 'As many of you have already heard, our family experienced the unimaginable. It is understood that Jacob from Darlington, County Durham, entered the water in Gainford on Friday and began to struggle, sparking a huge emergency response 'This devastating loss has left our entire family heartbroken beyond words. He was a son, a brother, a loving boyfriend — and above all, a beautiful soul taken far too soon. 'We are raising funds to help with funeral and memorial costs, and to support the family during this painful time. 'Anything you can give will help ease the burden and allow us to focus on grieving and honouring his memory. Thank you from the bottom of our hearts.' Tributes and messages for Jacob have also been posted online and have described him as having a 'heart of gold'. One friend wrote: 'Such a caring young lad honestly, sending my love and thoughts to the family. 'I just can't get over it, he was so lovely. Breaks my heart, forever 20.' Another said: 'Absolutely heartbroken for my friend and her family. Life is just so precious.'

BBC News

an hour ago

• BBC News

Petition questioning jail sentences for online posts hits target

A petition calling for an urgent review of sentencing after a woman was jailed for a racist social media post has hit its target of 100,000 signatures in under 24 Connolly, from Northampton, was jailed for 31 months in October after urging her followers on X to "set fire" to hotels housing asylum seekers on the day of the Southport UK MP Rupert Lowe's online petition said prison terms for cases of "opinion-based online speech" caused "serious public concern" and alternative sanctions would be more appeal was rejected in May, with the Court of Appeal ruling there was "no arguable basis" that her prison sentence was excessive. The 41-year-old childminder, the wife of a Conservative councillor, posted the swearword-ridden message on 29 July 2024, the day three girls were murdered at a dance class in calling for "mass deportations now", she wrote: "If that makes me racist, so be it."She urged readers to set fire to "all the hotels" that were "full" of those she wished to post had been deleted before Connolly was arrested on 6 August but had already been viewed 310,000 who represents Great Yarmouth as an Independent, said the jailing of Connolly was "morally repugnant" and his petition had the full support of her husband, Ray."Lucy, and others like her, should not be in prison for foolish things they posted on the internet," said Lowe in a post on X."It's all just so disgusting, and if I can use my elected position to do anything, it has to be worth a go." The petition says imprisoning individuals for posts on social media "sets a dangerous precedent and raises wider questions about freedom of expression, proportionality in sentencing, and the misuse of limited prison resources."The day after Connolly's appeal was rejected, Sir Keir Starmer said he was in favour of free speech and against inciting violence after Lowe used Prime Minister's Questions to ask if her jail term was an "efficient or fair" use of prison.A UK Government and Parliament petition that attains 100,000 signatures is assessed by the Petitions Committee for its level of support and whether the government could act on its demands. If approved for consideration, it is then debated in Westminster Hall. Follow Northamptonshire news on BBC Sounds, Facebook, Instagram and X.