M&S hackers sent abuse and ransom demand directly to chief executive

M&S is predicted to take a £300m hit to profits after the cyberattack in April

Friday 06 June 2025 10:43 BST

M&S' operations are expected to be affected by the attack until July (Getty/iStock)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

The Marks & Spencer hackers reportedly sent an abusive email to the retailer’s boss, gloating about the hack and demanding ransom payment.

M&S CEO Stuart Machin was sent an email on 23 April from a hacker group called DragonForce, using the email account of an employee, which confirms that the British high street retailer was targeted by a ransomware group, something they have refused to acknowledge.

The email, seen and reported on by the BBC, says: “We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers

"The dragon wants to speak to you so please head over to [our darknet website]."

A darknet link shared in the email connected to a portal for DragonForce victims to negotiate a ransom fee. The criminal organisation said: “let's get the party started. Message us, we will make this fast and easy for us.”

They ended the email with an image of a dragon breathing fire, according to the BBC.

The blackmail message reportedly included a racist term and was sent to Mr Machin and several other executives.

As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers said they have stolen the private data of millions of customers.

Three weeks later, M&S informed their customers that their data may have been stolen. The email was apparently sent using the account of an employee from IT company Tata Consultancy Services (TCS), which has provided IT services to M&S for over a decade.

The IT worker had an M&S email address, but is a paid TCS employee. It is believed that he himself was hacked in the attack. The IT company has previously said it is investigating whether it was a gateway for the cyberattack and since told the BBC the email was not sent from its system and has nothing to do with the breach.

M&S told The Independent: “We cannot comment on details of or speculation on the cyber incident, and we have been advised not to.”

DragonForce is the second hacking group to be linked to the M&S cyberattack; the Scattered Spider network, a group of young hackers across the UK and US, was also connected to the incident.

Marks & Spencer has predicted that the cyberattack will disrupt its operations into July and will take an estimated £300 million hit to profits this year.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Stay up to date with notifications from The Independent

Thank you for registering

M&S hackers sent abuse and ransom demand directly to chief executive

M&S is predicted to take a £300m hit to profits after the cyberattack in April

Join our commenting forum

Thank you for registering