DragonForce Ransomware Breach Exposes 20 Million Users


A ransomware group calling itself DragonForce has taken credit for a string of cyberattacks targeting major UK retailers including Co-op, Harrods, and Marks & Spencer (M&S), disrupting operations and compromising sensitive data.

The attacks began two weeks ago, with M&S reportedly being the first victim. The retailer temporarily halted online purchases as it worked to recover from the breach. While its operations remain partly affected, an M&S spokesperson declined to provide additional details about the incident.

Soon after, Co-op and Harrods were also targeted. Harrods confirmed that hackers attempted to infiltrate its systems but said it acted swiftly to block access, including restricting internet usage at its facilities. The luxury retailer has since posted a notice on its website, stating that both its online and in-store operations are running as normal.

Co-op, however, faced more severe consequences. Initially reporting disruptions to its back office and call center services, the company has now confirmed that customer data was stolen. According to a spokesperson, forensic investigations revealed that the attackers successfully accessed and extracted information from one of Co-op’s internal systems. The exposed data includes names and contact details of a “significant number” of current and former members. Fortunately, passwords, financial data, and transaction histories were not among the compromised information.

In response, Co-op said it has introduced enhanced security measures aimed at blocking further unauthorized access while trying to maintain smooth operations for its customers and staff. However, DragonForce claims the breach affected 20 million Co-op members and says it attempted to extort the retailer after obtaining the stolen data.

Following these revelations, the UK’s National Cyber Security Centre (NCSC) issued a public advisory, urging all organizations—especially those in the retail sector—to reassess their cybersecurity defenses. “The recent wave of attacks is concerning not just for affected businesses but also for their customers and the public,” the NCSC noted. The agency confirmed it is actively working with impacted organizations to investigate the breaches and prevent further threats.

DragonForce first emerged in August 2023, initially posing as a hacktivist collective. But its motives have since shifted toward financial extortion. The group has increasingly targeted high-profile institutions including governments, law firms, healthcare providers, and political entities.

According to cybersecurity firm SentinelOne, DragonForce typically gains initial access through phishing campaigns, exploitation of known software vulnerabilities, and stolen login credentials. Once inside, the group uses tools such as Cobalt Strike, Mimikatz, PingCastle, and Advanced IP Scanner to navigate and compromise networks. It also deploys the SystemBC backdoor to maintain persistent access.

The group has previously exploited high-profile vulnerabilities including:

  • Apache Log4j2 (CVE-2021-44228)
  • Microsoft Windows (CVE-2024-21412)
  • Ivanti VPNs (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893)

Its custom ransomware is built from leaked LockBit and Conti source code, enabling affiliates to target Windows, Linux, ESXi, and NAS platforms. In 2025, DragonForce began offering “white-label” ransomware services to affiliates, effectively operating as a ransomware-as-a-service (RaaS) cartel. This strategic shift highlights the group’s ambition to expand its footprint within the global cybercrime ecosystem.

As the threat landscape continues to evolve, retailers and other critical sectors in the UK are under increasing pressure to strengthen digital defenses and respond quickly to sophisticated cyber threats like DragonForce.
