Joe Tidy
Cyber correspondent, BBC World Service
The Marks & Spencer hackers sent an abuse-filled email straight to the retailer's boss gloating about what they had done and demanding payment, BBC News has learnt.
The message to M&S CEO Stuart Machin - which was in broken English - was sent on the 23 April from the hacker group DragonForce using an employee email account.
The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge.
"We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers," the hackers wrote.
"The dragon wants to talk to you so please head over to [our darknet website]."
The cyber attack has been hugely damaging for M&S, costing it an estimated £300m. More than six weeks on, it is still unable to take online orders.
The extortion email was shown to the BBC by a cyber-security expert.
The message, which includes a racist term, was sent to the M&S CEO and seven other executives.
As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers.
Nearly three weeks later customers were informed by the company that their data may have been stolen.
The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) - which has provided IT services to M&S for over a decade.
The Indian IT worker based in London has an M&S email address but is a paid TCS employee.
It appears as though he himself was hacked in the attack.
TCS has previously said it is investigating whether it was the gateway for the cyber-attack.
The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S.
M&S has declined to comment entirely.
'We can both help each other'
A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic.
Sharing the link, the hackers wrote: "let's get the party started. Message us, we will make this fast and easy for us."
The criminals also appear to have details about the company's cyber-insurance policy too, saying "we know we can both help each other handsomely : ))".
The M&S CEO has refused to say if the company has paid a ransom to the hackers.
DragonForce ended the email with an image of a dragon breathing fire.
This dragon image was appended to the hackers' email, seen by the BBC
The email confirms for the first time the link between M&S's hack and the almost simultaneous Co-op cyber-attack, which DragonForce have also claimed responsibility for.
The two hacks - which began in late April - have wrought havoc on the two retailers. Some Co-op shelves were left bare for weeks, while M&S expects its operations to be disrupted until July.
Although we now know that DragonForce is behind both, it is still not clear who the actual hackers are.
DragonForce offers cyber-criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected.
Anyone can sign up and use their malicious software to scramble a victim's data or use their darknet website for their public extortion.
Nothing has appeared on the criminals' darknet leak site about either Co-op or M&S but the hackers told the BBC last week that they were having IT issues of their own and would be posting information "very soon."
Some researchers say DragonForce are based in Malaysia, while others say Russia. Their email to M&S implies that they are from China.
Speculation has been mounting that a loose collective of young western hackers known as Scattered Spider might be the affiliates behind the hacks and also one on Harrods.
Scattered Spider is not really a group in the normal sense of the word. It's more of a community which organises across sites like Discord, Telegram and forums – hence the description "scattered" which was given to them by cyber-security researchers at CrowdStrike.
Some Scattered Spider hackers are known to be teenagers in the US and UK.
The UK's National Crime Agency said in a BBC documentary about the retail hacks that they are focusing investigations on the group.
The BBC spoke to the Co-op hackers who declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said.
Two of them said they wanted to be known as "Raymond Reddington" and "Dembe Zuma" after characters from US crime thriller The Blacklist which involves a wanted criminal helping police take down other criminals on a blacklist.
In a message to me, they boasted: "We're putting UK retailers on the Blacklist."
There have been a series of smaller cyber-attacks on UK retailers since but none as impactful or disruptive as those on Co-op, M&S and Harrods.
In the early stages of the M&S hack, unknown sources told cyber news site Bleeping Computer that evidence is pointing to Scattered Spider.
The UK's national cyber-crime unit has confirmed to the BBC that the group is one of their key suspects.
As for the hackers I spoke to on Telegram, they declined to answer whether or not they were Scattered Spider. "We won't answer that question" is all they said.