Hackers using aliases from TV show claim UK retailers are on their 'Blacklist' after cyber-attacks on M&S and Co-op

Daily Mail​

19-05-2025

The hackers responsible for the devastating cyber attacks on M&S and Co-op have allegedly placed all UK retailers on the 'Blacklist' in a nod to the popular television series.
Claiming to be behind the attacks that saw supermarket shelves cleared and mass disruption nationwide, the alleged hackers have now provided evidence which proves that substantial amounts of private customer and employee information has been stolen.
In Telegram messages reportedly exchanged for five hours between the alleged cyber crooks and the BBC 's cyber correspondent, they expressed frustration that the Co-op had not given in to their ransom demands, while also failing to confirm the Bitcoin figure demanded in exchange for not revealing or selling off the stolen data.
And, while keeping their identity and location unknown, the hackers even highlighted their unwavering bid for fame and notoriety, claiming that they eventually wanted to be known as 'Raymond Reddington' and 'Dembe Zuma', two characters from the hit US crime thriller show The Blacklist.
In a message to the BBC, they boastfully proclaimed: 'We're putting UK retailers on the Blacklist.'
Released in 2013, the 10 series drama centers around a notorious international criminal and wanted fugitive cooperates with the FBI in the hunt for other criminals on his 'Blacklist'.
The BBC said that the 'English speakers' behind the anonymous Telegram account were eventually able to prove their intimate involvement in the cyber attacks through several messages.
In Telegram messages reportedly exchanged for five hours between the alleged cyber crooks and the BBC 's cyber correspondent, they expressed frustration that the Co-op had not given in to their ransom demands (file image)
The communication, alongside other information provided, eventually led the cyber correspondent to eventually conclude that the hackers were associated with the DragonForce hacking group.
DragonForce's ransomware operation uses malicious software, which when triggered can prevent the target from accessing their own devices and data.
Criminals then use stolen data as leverage to extort huge sums of money, a process known as 'ransomware-as-a-service'.
While unknown who ultimately used the service to attack the two popular British retailers, several security experts believe that the tactics used emulate the loosely coordinated group of hackers dubbed 'Scattered Spider' or 'Octo Tempest '.
Having reviewed the amalgamation of evidence provided by the hackers, the BBC said that they contacted the Co-op's press team for comment. It was only then, they allege, that the popular retailer, who had initially downplayed the hack's implications, eventually admitted to the widespread data breach.
Co-op had previously claimed that the cyberattack had only a 'small impact' on its operations and insisted there was 'no evidence that customer data was compromised'.
However, a Co-op spokesman later said the hackers ' accessed data relating to a significant number of our current and past members '.
Following this, in an angry letter he later received by the alleged hackers, it was also revealed that the UK store had 'narrowly dodged a more severe hack' having intervened shortly after its computer systems were initially infiltrated.
Quick-thinking bosses had apparently 'yanked the plug' on their systems having spotted M&S' systems, also targeted by the hackers, being seriously compromised.
The hackers told the BBC: 'Co-op's network never ever suffered ransomware. They yanked their own plug - tanking sales, burning logistics, and torching shareholder value.'
They added that they had successfully infiltrated Co-op's systems and stole customer data, and had been in the process of uploading the malicious data when they were caught.
The hackers had moved to limit the impact of the attack by shutting down some IT systems, including parts of its supply chain and logistics operations, resulting in disruption to deliveries.
Turning off computers prevent hackers from doing further damage, meaning companies are able to isolate their systems and assess what has been tampered with.
It means that while M&S are still scrabbling to get systems such as online shopping back into working order, Co-op has been able to recover more quickly.
Co-op said there would be improved availability in its food shops and online from this weekend, while its stock ordering system is now fully online again.
It was also now able to accept all forms of payment, including contactless and chip-and-pin.
On May 14, a Co-op spokesperson said: 'Following the malicious third-party cyber attack, we took early and decisive action to restrict access to our systems in order to protect our Co-op.
'We are now in the recovery phase and are taking steps to bring our systems gradually back online in a safe and controlled manner.'
Meanwhile, M&S customers were left reeling following the devastating hack more than three weeks ago which forced it to halt online sales for five days - with its share prices plummeting by more than £500m and the company shedding £1billion worth of value on the stock exchange.
Following the attack, some M&S stores were left with empty shelves as the beleaguered retailer continues to battle with fallout of a crippling hack.
Shoppers were also left furious after some outlets were left 'completely empty', with items including bananas, fruit and vegetables, fish and Colin the Caterpillar cakes out of stock.
As the crisis continues to plague the British High Street staple, staff have reportedly been forced to work for up to 24 hours a day while enduring 'sleepless nights' to fix it, insiders have revealed.
The hackers went undetected in M&S' systems for up to 52 hours before the devastating cyber attack was finally uncovered. Crisis teams then battled tirelessly to protect the beloved British store, frequented by up to 9.4million active customers, throughout the five-day 'attack phase'.
Alan Woodward, University of Surrey cyber security professor, told The Times that he believed the fact the store has still failed to reinstate their online sales, with customers having been unable to take any orders through the website or app since April 25, 'suggests they were a little less prepared than maybe they should have been'.
Following the devastating attacks, retailers are on red alert for similar attacks, as DragonForce said it was poised to launch more.
In an interview with Bloomberg, its anonymous creators threatened to release data if it does not receive payment from the retailers, saying it typically expects millions of pounds for ransom payments.
The group operates similarly to a criminal cartel and sells its software to other hackers, such as the Scattered Spider gang.
'Our job is not to destroy, we just take some money and walk away,' it said, also warning that the recent attacks were 'just a start'. DragonForce hackers claimed more than 90 victims last year and targeted companies across various industries.
On May 2, the Information Commissioner's Office said it was also looking into the attack, as well as a similar major incident involving M&S' competitor, the Co-op.
M&S and Co-op customers have also been urged to use strong passwords and different ones across multiple platforms.
The National Crime Agency said: 'We are working closely with our law enforcement partners to investigate. We are considering the incidents individually. However, we are mindful they may be linked and therefore this will remain under review.'