Abusive ransom email to M&S CEO reveals hackers demands

An abusive and gloating email sent by the DragonForce hacker group to Marks & Spencer CEO Stuart Machin, demanding payment and boasting about a cyberattack, has been seen by the BBC.

The message, which was sent on April 23rd in broken English, marks the first direct confirmation that the retail giant has been targeted by a ransomware group – a fact M&S has so far refused to acknowledge publicly.

The chilling email, dispatched from an M&S employee’s account, brazenly stated: “We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers.”

It then commanded the CEO to visit their darknet website for negotiations, adding: “The dragon wants to speak to you so please head over to [our darknet website].” The message, shown to the BBC by a cybersecurity expert, also included a racist term and was sent to seven other M&S executives.

Beyond the technical disruption, the hackers claimed to have stolen “private data of millions of customers,” a threat that materialized nearly three weeks later when M&S informed customers of a potential data breach. The email’s origin traces back to an M&S email address used by an employee of Tata Consultancy Services (TCS), M&S’s IT service provider, suggesting the employee’s account itself was compromised. TCS has stated it is investigating but denies the email was sent from its system.

This dragon image was appended to the hackers email, seen by the BBC

The extortion message included a darknet link to a victim portal for ransom negotiations, with the criminals boasting, “we know we can both help each other handsomely : ))” – suggesting knowledge of M&S’s cyber-insurance policy. M&S has not commented on whether a ransom has been paid.

DragonForce has also claimed responsibility for the ongoing Co-op cyber-attack, indicating a coordinated campaign against UK retailers.

While the hackers’ precise origins remain unclear (some speculate Malaysia, Russia, or even China as implied by their email), researchers are increasingly pointing to “Scattered Spider,” a loose collective of young Western hackers, as potential affiliates behind these and other recent UK retail breaches.