Inside DragonForce, the Group Tied to M&S, Co-op and Harrods Hacks

In a recent series of high-profile cyber-attacks, several major UK retailers were targeted by hackers claiming affiliation with the DragonForce cybercriminal syndicate. Marks & Spencer, Co-op, and Harrods are among the notable victims, with the attackers allegedly stealing large amounts of customer and employee data.

The claims have been made by anonymous individuals identifying as members of the DragonForce group, who contacted several media outlets, including the BBC and Bloomberg, to share evidence of their involvement in the hacks. According to reports by BleepingComputer, M&S was targeted using the DragonForce encryptor on VMware ESXi hosts to encrypt virtual machines.

However, the connection between DragonForce and Scattered Spider, a financially motivated threat group active since May 2022, remains unclear. Researchers at SentinelOne refused to officially attribute the hacks to Scattered Spider, despite the attackers exhibiting behavioral and operational characteristics consistent with those previously associated with The Com, a cybercriminal collective.

Researchers at Google Threat Intelligence Group (GTIG) noted that DragonForce’s operators recently claimed to have taken over the tooling of RansomHub, a ransomware-as-a-service syndicate whose tools Scattered Spider members used in the past, after RansomHub ceased operations in March. GTIG researchers also suggested that the hacks against M&S, Co-op, and Harrods were consistent with Scattered Spider's pattern of targeting prominent brands in specific sectors to get media attention before shifting to other targets.

A Brief History of DragonForce

DragonForce originated as a pro-Palestine hacktivist group allegedly based in Malaysia (under the name DragonForce Malaysia) that has been active since August 2023. It is understood to be behind a number of notable cyber-attacks in the Asia-Pacific region and the US, including on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.

The group is believed to have shifted goals and expanded to ransomware attacks. In April 2024, threat actors associated with DragonForce were observed using a ransomware binary based on a leaked builder of LockBit Black ransomware, also known as LockBit 3.0. In March 2025, the group claimed to have taken over RansomHub’s RaaS tooling after RansomHub ceased its operations.

A New Model for Ransomware Attacks

DragonForce affiliates have shown a high level of flexibility and versatility in their ransomware attacks, constantly adapting to new developments in the cybercrime landscape. In March 2025, the group launched "RansomBay," a white-label service that lets affiliates rebrand the ransomware under a different name.

Affiliates pay a 20% cut of any ransom haul and keep the rest, while DragonForce handles the underlying infrastructure, technical support, and leak-site hosting. This shift toward a ransomware cartel model underscores their ambition to build a scalable ecosystem, where enterprising attackers can mount seemingly unique campaigns while leaning on DragonForce's code, servers, and brand-boosting media exposure.

A Growing Trend in Ransomware Attacks

According to Tammy Harper, Senior Threat Intelligence Researcher at Flare, we can expect to see more 'ransomware cartels' emerge in the near future. "With all the uncertainty around ransomware, especially due to law enforcement operations shutting down established groups, there is a need for a group providing this cartel model," she explained.

"This type of new ransomware business model is a development that some cyber threat intelligence experts had anticipated. It's a way for attackers to pool resources and expertise while minimizing risks," Harper added.