Cyber correspondent, BBC World Service<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n The Marks & Spencer hackers sent an abuse-filled email directly to the retailer’s boss gloating about what they had done and demanding payment, BBC News has learnt.<\/p>\n The message to M&S CEO Stuart Machin – which was in broken English – was sent on the 23 April from the hacker group DragonForce using an employee email account.<\/p>\n The email confirms for the first time that M&S has been hacked by the ransomware group \u2013 something that M&S has so far refused to acknowledge.<\/p>\n “We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” the hackers wrote.<\/p>\n “The dragon wants to speak to you so please head over to [our darknet website].”<\/p>\n<\/div>\n The cyber attack has been hugely damaging for M&S, costing it an estimated \u00a3300m. More than six weeks on, it is still unable to take online orders<\/p>\n The extortion email was shown to the BBC by a cyber-security expert.<\/p>\n The message, which includes a racist term, was sent to the M&S CEO and seven other executives.<\/p>\n As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers.<\/p>\n Nearly three weeks later customers were informed <\/a>by the company that their data may have been stolen.<\/p>\n The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) – which has provided IT services to M&S for over a decade.<\/p>\n The Indian IT worker based in London has an M&S email address but is a paid TCS employee.<\/p>\n It appears as though he himself was hacked in the attack.<\/p>\n TCS has previously said it is investigating<\/a> whether it was the gateway for the cyber-attack.<\/p>\n The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S.<\/p>\n M&S has declined to comment entirely.<\/p>\n<\/div>\n A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic.<\/p>\n Sharing the link \u2013 the hackers wrote: “let’s get the party started. Message us, we will make this fast and easy for us.”<\/p>\n The criminals also appear to have details about the company’s cyber-insurance policy too saying “we know we can both help each other handsomely : ))”.<\/p>\n The M&S CEO has refused to say<\/a> if the company has paid a ransom to the hackers.<\/p>\n DragonForce ended the email with an image of a dragon breathing fire.<\/p>\n<\/div>\n The email confirms for the first time the link between M&S’s hack and the nearly simultaneous Co-op cyber-attack<\/a>, which DragonForce have also claimed responsibility for.<\/p>\n The two hacks – which began in late April – have wrought havoc on the two retailers. Some Co-op shelves were left bare for weeks, while M&S expects its operations to be disrupted until July.<\/p>\n Although we now know that DragonForce is behind both, it is still not clear who the actual hackers are.<\/p>\n DragonForce offers cyber-criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected.<\/p>\n Anyone can sign up and use their malicious software to scramble a victim’s data or use their darknet website for their public extortion.<\/p>\n Nothing has appeared on the criminal’s darknet leak site about either Co-op or M&S but the hackers told the BBC last week that they were having IT issues of their own and would be posting information “very soon.”<\/p>\n Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China.<\/p>\n Speculation has been mounting that a loose collective of young western hackers known as Scattered Spider might be the affiliates behind the hacks and also one on Harrods.<\/p>\n Scattered Spider is not really a group in the normal sense of the word. It’s more of a community which organises across sites like Discord, Telegram and forums \u2013 hence the description “scattered” which was given to them by cyber-security researchers at CrowdStrike.<\/p>\n Some Scattered Spider hackers are known to be teenagers in the US and UK.<\/p>\n The UK’s National Crime Agency said in a BBC documentary <\/a>about the retail hacks, that they are focusing investigations on the group.<\/p>\n![\"Bloomberg](\"https:\/\/ichef.bbci.co.uk\/news\/480\/cpsprodpb\/7640\/live\/d6e069b0-429f-11f0-835b-310c7b938e84.jpg.webp\")
Bloomberg via Getty Images<\/span><\/div>\n<\/div>\n<\/figure>\n‘We can both help each other’<\/h2>\n<\/p>\n
![](\"https:\/\/static.files.bbci.co.uk\/bbcdotcom\/web\/20250529-103858-de9d27ef1-web-2.22.3-1\/grey-placeholder.png\")
![\"A](\"https:\/\/ichef.bbci.co.uk\/news\/480\/cpsprodpb\/893b\/live\/e741d390-4216-11f0-b441-f5b5e458a38c.png.webp\")
<\/div>\n<\/div>\n
![\"A](\"https:\/\/ichef.bbci.co.uk\/news\/480\/cpsprodpb\/41d3\/live\/348b21e0-26a8-11f0-8f57-b7237f6a66e6.png.webp\")
<\/div>\n<\/div>\n<\/figure>\n<\/div>\n