A Letter from the M&S Hackers: What Happened Next

A Letter from the M&S Hackers: What Happened Next

As a journalist covering cyber security, I'm accustomed to receiving messages from hackers of all kinds. Some like to brag about their exploits, while others remain tight-lipped. But recently, a message on Telegram caught my attention.

The sender claimed to be Joe Tidy from the BBC, inquiring about our coverage of Co-op news. They hinted that they had information about the recent M&S cyber attack and asked if I was the right person to talk to. The tone was casual, but there was an undercurrent of excitement, as if they were eager to share their story.

I responded cautiously, asking them to elaborate on what they meant by "we have some news for you." They replied with a cryptic message, stating that they had stolen sensitive customer and employee information from M&S and the Co-op. The details were scarce, but I sensed an air of confidence behind their words.

I decided to investigate further, checking out a sample of the data they provided. As soon as I did, I securely deleted it, ensuring my privacy remained intact. The hackers seemed frustrated that the Co-op hadn't given in to their ransom demands, but they wouldn't disclose the amount of Bitcoin being demanded.

After consulting with the BBC's Editorial Policy team, we decided to report on the evidence proving the hackers' involvement in the M&S cyber attack. I reached out to the press team at the Co-op, and within minutes, the company confirmed that customer data had been stolen during the breach.

The hackers' Telegram account revealed a peculiar side of their personality. They claimed to be "Raymond Reddington" and "Dembe Zuma," characters from the TV show The Blacklist. Their message was laced with bravado, boasting about putting UK retailers on the "Blacklist."

Establishing who's behind DragonForce, the hacking collective responsible for the recent M&S and Harrods breaches, is a challenging task. Researchers speculate that they might be based in Malaysia or Russia, but the exact location remains unknown.

We know that DragonForce operates as a service, providing its expertise to other hackers at a fee. But who's pulling the strings, choosing UK retailers as targets? The answer remains elusive, leaving many questions unanswered.

Another group, known as Scattered Spider, has been linked to the M&S hack. While their collective nature makes it difficult to pinpoint individual members, researchers believe they might be based in the UK and US, comprising young individuals aged teenagers to their twenties.

The hackers I spoke to on Telegram refused to confirm or deny their association with Scattered Spider. Their response was characteristically cryptic: "We won't answer that question."

Google's cyber security division has issued warnings about Scattered Spider-like attacks on US retailers, indicating a growing threat from this group.

The story is far from over. As the investigation unfolds, one thing becomes clear: the hackers' world is complex, with unknown players pulling the strings behind the scenes. We'll continue to follow the developments and provide updates as more information comes to light.