Almost daily, my phone pings with messages from hackers of all stripes. The good, the bad, the not-so-sure. I've been reporting on cyber security for more than a decade, so I know that many of them like to talk about their hacks, findings and escapades. About 99% of these conversations stay firmly locked in my chat logs and don't lead to news stories. But a recent ping was impossible to ignore.
"Hey. This is Joe Tidy from the BBC reporting on this Co-op news, correct?" the hackers messaged me on Telegram. "We have some news for you," they teased.
When I cautiously asked what this was, the people behind the Telegram account - which had no name or profile picture - gave me the inside track on what they claimed to have done to M&S and the Co-op, in cyber attacks that caused mass disruption. Through messages back-and-forth over the next five hours, it became clear to me that these apparent hackers were fluent English speakers and although they claimed to be messengers, it was obvious they were closely linked to - if not intimately involved in - the M&S and Co-op hacks.
They shared evidence proving that they had stolen a huge amount of private customer and employee information. I checked out a sample of the data they had given me - and then securely deleted it. They were clearly frustrated that Co-op wasn't giving in to their ransom demands but wouldn't say how much money in Bitcoin they were demanding of the retailer in exchange for the promise that they wouldn't sell or give away the stolen data.
After a conversation with the BBC's Editorial Policy team, we decided that it was in the public interest to report that they had provided us with evidence proving that they were responsible for the hack. I quickly contacted the press team at the Co-op for comment, and within minutes the firm, who had initially downplayed the hack, admitted to employees, customers and the stock market about the significant data breach.
Much later, the hackers sent me a long angry and offensive letter about Co-op's response to their hack and subsequent extortion, which revealed that the retailer narrowly dodged a more severe hack by intervening in the chaotic minutes after its computer systems were infiltrated. The letter and conversation with the hackers confirmed what experts in the cyber security world had been saying since this wave of attacks on retailers began – the hackers were from a cyber crime service called DragonForce.
Who are DragonForce, you might be asking? Based on our conversations with the hackers and wider knowledge, we have some clues. DragonForce offers cyber criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected. Anyone can sign up and use their malicious software to scramble a victim's data or use their darknet website for their public extortion.
This has become the norm in organised cyber crime; it's known as ransomware-as-a-service. The most infamous of recent times has been a service called LockBit, but this is all but defunct now partly because it was cracked by the police last year. Following the dismantling of such groups, a power vacuum has emerged. Cue a tussle for dominance in this underground world, leading to some rival groups innovating their offerings.
DragonForce recently rebranded itself as a cartel offering even more options to hackers including 24/7 customer support, for example. The group had been advertising its wider offering since at least early 2024 and has been actively targeting organisations since 2023, according to cyber experts like Hannah Baumgaertner, Head of Research at Silobreaker, a cyber risk protection company. "DragonForce's latest model includes features such as administration and client panels, encryption and ransomware negotiation tools, and more," Ms Baumgaertner said.
As a stark illustration of the power-struggle, DragonForce's darknet website was recently hacked and defaced by a rival gang called RansomHub, before re-emerging about a week ago. "Behind the scenes of the ransomware ecosystem there seems to be some jostling - that might be for prime 'leader' position or just to disrupt other groups in order to take more of the victim share," said Aiden Sinnott, senior threat researcher from the cyber security company Secureworks.
DragonForce's prolific modus operandi is to post about its victims, as it has done 168 times since December 2024 - a London accountancy firm, an Illinois steel maker, an Egyptian investment firm are all included. Yet so far, DragonForce has remained silent about the retail attacks. Normally radio silence about attacks indicates that a victim organisation has paid the hackers to keep quiet. As neither DragonForce, Co-op nor M&S have commented on this point, we don't know what might be happening behind the scenes.
Establishing who the people are behind DragonForce is tricky, and it's not known where they are located. When I asked their Telegram account about this, I didn't get an answer. Although the hackers didn't tell me explicitly that they were behind the recent hacks on M&S and Harrods, they confirmed a report in Bloomberg that spelt it out. Of course, they are criminals and could be lying.
Some researchers say DragonForce are based in Malaysia, while others say Russia, where many of these groups are thought to be located. We do know that DragonForce has no specific targets or agenda other than making money.
And if DragonForce is just the service for other criminals to use – who is pulling the strings and choosing to attack UK retailers? In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to a loose collective of cyber criminals known as Scattered Spider - but this has yet to be confirmed by the police.
Scattered Spider is not really a group in the normal sense of the word. It's more of a community which organises across sites like Discord, Telegram and forums – hence the description "scattered" which was given to them by cyber security researchers at CrowdStrike. They are known to be English-speaking and probably in the UK and the US and young – in some cases teenagers. We know this from researchers and previous arrests.
In November the US charged five men and boys in their twenties and teens for alleged Scattered Spider activity. One of them is 22-year-old Scottish man Tyler Buchanan, who has not made a plea, and the rest are US based. Crackdowns by police seem to have had little effect on the hackers' determination, though. On Thursday, Google's cyber security division issued warnings that it was starting to see Scattered Spider-like attacks on US retailers now too.
As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said. Perhaps in a nod to the immaturity and attention-seeking nature of the hackers, two of them said they wanted to be known as "Raymond Reddington" and "Dembe Zuma" after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist. In a message to me, they boasted: "We're putting UK retailers on the Blacklist."
A letter from the M&S hackers landed in my inbox - this is what happened next
TruthLens AI Suggested Headline:
"Cyber Attackers Claim Responsibility for M&S and Co-op Data Breaches"
TruthLens AI Summary
In a recent communication, a journalist received a message from hackers claiming responsibility for cyber attacks on major UK retailers, including M&S and the Co-op. The hackers, using a Telegram account with no identifiable information, hinted at having stolen sensitive customer and employee data and expressed frustration over the Co-op's refusal to meet their ransom demands. The journalist engaged in a lengthy conversation with these individuals, who demonstrated a high level of English proficiency and provided evidence of their involvement in the attacks. Following discussions with the BBC's Editorial Policy team, it was determined that reporting this information was in the public interest, prompting the journalist to reach out to the Co-op for comments. In a rapid response, the Co-op acknowledged the breach, revealing the significant impact of the hackers' actions and the potential for more severe consequences had they not intervened quickly. The hackers subsequently sent an aggressive letter expressing their displeasure with how the Co-op handled the situation, providing further insights into their operations and motivations.
The cyber crime group behind these attacks is believed to be DragonForce, which operates as a ransomware-as-a-service provider, offering tools and support to other criminals in exchange for a cut of the ransom payments. The group has been active since 2023, targeting various organizations and demonstrating a sophisticated approach to cyber extortion. Experts suggest that DragonForce is part of a larger landscape of organized cyber crime, which has seen power struggles and competition among different groups. The emergence of a collective known as Scattered Spider, which is thought to consist of young, English-speaking hackers, adds another layer of complexity to the situation. While the exact identities and locations of these hackers remain unclear, their activities highlight the ongoing threat posed by cyber criminal organizations to retailers and other sectors. The incident serves as a reminder of the evolving nature of cyber crime and the challenges faced by organizations in safeguarding sensitive information against such threats.
TruthLens AI Analysis
The article presents a unique perspective on a recent cyber attack involving the M&S and Co-op companies. By detailing the interaction between the journalist and the hackers, it explores the implications of such breaches on public trust and corporate accountability. The narrative raises questions about cybersecurity, data privacy, and the responsibilities of companies to their customers.
Intent of Publication
The primary goal appears to be raising awareness about the cybersecurity threats facing major retailers. By illustrating the hackers' communication and the subsequent corporate acknowledgment of the breach, the article emphasizes the seriousness of data security issues. It also seeks to inform the public about the potential risks associated with trusting large corporations with personal information.
Public Perception
This piece is likely designed to create a sense of urgency and concern among consumers regarding their data safety. The revelation of a significant data breach can lead to increased anxiety about the security of personal information, potentially damaging the reputation of the affected companies. It serves as a reminder of the vulnerabilities inherent in modern digital transactions.
Concealment of Information
While the article focuses on the hackers' actions and the corporate response, it may obscure broader systemic issues in cybersecurity, such as regulatory inadequacies or the prevalence of such attacks in various sectors. There may be an underlying intent to shift focus from the companies' potential negligence in safeguarding data to the hackers' actions.
Manipulative Elements
The manipulation rate of this article could be considered moderate. It employs dramatic elements by detailing the hackers' threats and the subsequent corporate admission of guilt, which can evoke strong emotional reactions from readers. The focus on the hackers’ language and behavior serves to highlight the perceived threat, but it may also sensationalize the narrative.
Truthfulness of the Article
The content appears credible, especially considering the journalist's background in cybersecurity reporting. The detailed account of interactions with the hackers and the acknowledgment from the affected companies lends weight to the claims made. However, the true extent of the breach and the hackers' demands remain somewhat vague, which could be a limitation in the article's transparency.
Target Audience
This article likely resonates more with individuals concerned about data privacy, technology enthusiasts, and those following corporate governance issues. It may also appeal to a broader audience interested in the implications of cybersecurity on everyday life and business practices.
Economic and Political Implications
In terms of market impact, this news could affect the stock prices of M&S and Co-op, as investors may respond negatively to data breaches due to potential financial repercussions. The article might also influence public discourse around cybersecurity regulations and corporate accountability within the tech and retail sectors.
Connection to Global Dynamics
While there may not be direct implications for global power dynamics, the increasing frequency of cyberattacks underscores the need for nations to strengthen their cybersecurity frameworks. This aligns with current discussions about national security in the digital age.
Role of Artificial Intelligence
There is no clear indication that AI was utilized in the writing of this article. However, AI tools might be indirectly involved in the data breaches mentioned, as hackers often employ sophisticated algorithms to exploit vulnerabilities. The narrative doesn’t suggest any AI influence; rather, it revolves around human interactions and ethical considerations in journalism.
Conclusion on Manipulation
The article does contain elements that could be viewed as manipulative, particularly in its dramatic portrayal of the hackers and the corporate response. The language used can evoke fear and urgency, which may distract from deeper discussions about systemic cybersecurity issues. The overall presentation aims to highlight the gravity of the situation while possibly downplaying the companies’ roles in preventing such breaches.
The reliability of the article is bolstered by the journalist's expertise and the corroborative evidence from the hackers and the companies involved. It ultimately serves to inform the public about pressing cybersecurity threats while also sparking dialogue around the responsibilities of corporations in safeguarding consumer data.