
Rise In Cyberattacks On UK Retailers Sparks National Alert

Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen. The National Cyber Security Centre (NCSC) has since warned that cybercriminals are impersonating IT helpdesks to infiltrate UK retailers. An anonymous hacking group has threatened further attacks on Marks & Spencer, Co-op, and Harrods over the past fortnight.

Attackers stole names and contact information, although they did not access passwords, payment data, or transaction histories. The breach occurred on April 22 and used tactics similar to those in the M&S attack, in which hackers changed an employee’s password to gain access.

Marks & Spencer has since suspended online orders and is working to restore affected systems. Harrods also confirmed it was the target of an attempted hack just days after Co-op’s breach.

DragonForce, an infamous ransomware group, has claimed responsibility for these disruptive efforts, which began with the M&S hack and have now spread to other big UK high street names. DragonForce has signalled that more attacks are coming, so UK officials are urging organisations to remain vigilant.

Co-op Cyberattack Breakdown: From Breach to Data Exfiltration

Cybercriminals often begin with basic social engineering techniques: sending emails or texts, or making phone calls, while posing as a company’s IT helpdesk. By creating a sense of urgency, they trick employees into handing over login credentials and security codes.

Attackers then target the company’s Active Directory database, usually the NTDS.dit file, which stores the (encrypted) password hashes of every domain account. Intruders extract those hashes and use them to escalate their own privileges. This escalation lays the groundwork for a major attack and gives attackers complete control over the network.
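Because the NTDS.dit file is only ever read by the directory service itself during normal operation, any other process opening it on a domain controller is a strong signal of the harvesting step described above. The following is an added example, not code from the article or from any of the organisations it names: it parses a few constructed Windows Security events (ID 4663 for file access, ID 4688 for process creation) written as `Key=value` records and reports access to `ntds.dit` from anything other than an allow-listed process. Host names, account names and the allow-list are assumptions to adapt to your own environment.

```python
"""Flag suspicious access to the Active Directory database (NTDS.dit).

Added example. Input is a handful of constructed Windows Security events
(EventID 4663 = object access, EventID 4688 = process creation), rendered as
simple 'Key=value Key=value' lines. Any open of ntds.dit that does not come
from an allow-listed process, or any launch of AD database tooling, is reported.
"""
import re
from typing import Optional

# Constructed sample events: field names follow the Windows Security log,
# but hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    'EventID=4663 Host=DC01 Subject=NT AUTHORITY\\SYSTEM Process=C:\\Windows\\System32\\lsass.exe ObjectName=C:\\Windows\\NTDS\\ntds.dit',
    'EventID=4663 Host=DC01 Subject=CORP\\t.jones Process=C:\\Windows\\System32\\cmd.exe ObjectName=C:\\Windows\\NTDS\\ntds.dit',
    'EventID=4688 Host=DC01 Subject=CORP\\t.jones Process=C:\\Windows\\System32\\ntdsutil.exe CommandLine="ntdsutil.exe"',
    'EventID=4688 Host=WS17 Subject=CORP\\j.smith Process=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE CommandLine="OUTLOOK.EXE"',
]

# Values run until the next ' Key=' token, so paths containing spaces survive.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?= \w+=|$)')

# Processes that legitimately touch ntds.dit on a domain controller.
# Assumption: lsass.exe hosts the directory service; extend for your backup agent.
ALLOWED_NTDS_PROCESSES = {"lsass.exe"}


def parse_event(line: str) -> dict:
    """Split a 'Key=value Key=value' record into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_suspicious(ev: dict) -> Optional[str]:
    """Return a reason string if the event looks like NTDS.dit harvesting, else None."""
    proc = ev.get("Process", "").rsplit("\\", 1)[-1].lower()
    obj = ev.get("ObjectName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == "4663" and obj.endswith("ntds.dit") and proc not in ALLOWED_NTDS_PROCESSES:
        return f"ntds.dit opened by {proc} as {ev.get('Subject')}"
    if ev.get("EventID") == "4688" and (proc == "ntdsutil.exe" or "ntds.dit" in cmd):
        return f"AD database tooling launched: {proc} as {ev.get('Subject')}"
    return None


def scan(lines) -> list:
    """Return (host, subject, reason) tuples for every suspicious event in the input."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = is_suspicious(ev)
        if reason:
            hits.append((ev.get("Host"), ev.get("Subject"), reason))
    return hits


if __name__ == "__main__":
    for host, subject, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT [{host}] {reason}")
```

On the sample data the first event (lsass.exe reading its own database) is ignored, while the cmd.exe read and the ntdsutil.exe launch by a regular user account are both reported. In practice the 4663 event only appears if a SACL auditing read access has been placed on the NTDS folder, so the rule is only as good as the audit policy behind it.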

DragonForce affiliates used a method called Bring Your Own Vulnerable Driver (BYOVD): they loaded legitimately signed but vulnerable drivers and abused them to disable security software, allowing them to bypass antivirus tools unnoticed.

Hackers are believed to have accessed Co-op’s network in February 2025, later returning via legitimate accounts to harvest password hashes and map the system. By May, they had encrypted critical systems and exfiltrated data—claiming to have stolen details on 20 million members.

DragonForce operates under a ransomware-as-a-service (RaaS) model, where affiliates carry out the attacks and keep most of the ransom, while the group provides the tools, hosts leak sites, and handles negotiations. Victims who refuse to pay often see their data published on the dark web.

Those behind the breach are believed to be linked to a group known as Scattered Spider, also called Octo Tempest. These cybercriminals employ sophisticated techniques such as SIM swapping and MFA fatigue attacks to compromise systems.
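MFA fatigue attacks leave a recognisable trail in identity-provider logs: a burst of push notifications to one user, several denials, and finally an approval. The following added example, which is not code from the article or from any of the organisations it names, runs a simple sliding-window detector over constructed authentication log lines. The log format (`<timestamp> user=… event=push_sent|push_denied|push_approved src=…`), the threshold and the window size are assumptions to tune for your own provider.

```python
"""Detect MFA push-bombing ("MFA fatigue") from authentication logs.

Added example. Input is constructed identity-provider log lines of the form
  <ISO-8601 timestamp> user=<name> event=<push_sent|push_denied|push_approved> src=<ip>
An alert fires when a user receives THRESHOLD pushes inside WINDOW, and again
when a user approves a push after repeated denials in the same window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # pushes inside the window before alerting (assumption)
WINDOW = timedelta(minutes=10)   # sliding window length (assumption)

# Constructed sample log: one user bombarded at night, one normal daytime login.
SAMPLE_LOG = """\
2025-04-22T02:14:03Z user=a.patel event=push_sent src=203.0.113.7
2025-04-22T02:14:09Z user=a.patel event=push_denied src=203.0.113.7
2025-04-22T02:14:31Z user=a.patel event=push_sent src=203.0.113.7
2025-04-22T02:14:40Z user=a.patel event=push_denied src=203.0.113.7
2025-04-22T02:15:02Z user=a.patel event=push_sent src=203.0.113.7
2025-04-22T02:15:05Z user=a.patel event=push_denied src=203.0.113.7
2025-04-22T02:15:47Z user=a.patel event=push_sent src=203.0.113.7
2025-04-22T02:16:20Z user=a.patel event=push_sent src=203.0.113.7
2025-04-22T02:16:58Z user=a.patel event=push_sent src=203.0.113.7
2025-04-22T02:17:02Z user=a.patel event=push_approved src=203.0.113.7
2025-04-22T08:01:10Z user=b.okafor event=push_sent src=198.51.100.24
2025-04-22T08:01:15Z user=b.okafor event=push_approved src=198.51.100.24
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed 'ts' datetime plus the key=value fields."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list:
    """Return alert strings, in log order, for push-bombing patterns per user."""
    recent = defaultdict(deque)   # user -> (timestamp, event) pairs inside the window
    alerts = []
    minutes = int(window.total_seconds() // 60)
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        # Expire events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        q.append((ts, event))
        sent = sum(1 for _, e in q if e == "push_sent")
        denied = sum(1 for _, e in q if e == "push_denied")
        # Fire exactly once as the burst crosses the threshold.
        if event == "push_sent" and sent == threshold:
            alerts.append(f"{user}: {threshold} MFA pushes within {minutes} min from {rec.get('src')}")
        # An approval after repeated denials is the fatigue pattern paying off.
        elif event == "push_approved" and denied >= 2:
            alerts.append(f"{user}: approval after {denied} denials and {sent} pushes (possible fatigue)")
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print("ALERT", alert)
```

Against the sample log the detector produces two alerts for `a.patel` (the fifth push, then the approval that follows three denials) and none for the ordinary login. The second condition is the one worth paging on, since it indicates the user has given in; number matching or FIDO2 authenticators remove the pattern entirely, which is why the article's call for stronger multi-factor authentication matters.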

Scattered Spider operates as a decentralised group using Telegram, Discord, and illicit hacking forums, making it extremely difficult for authorities to track down individuals. Despite being loosely organised, their methods are aggressive and financially motivated.

Co-op has confirmed it is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate the incident. In the meantime, staff have been told to be extra careful, especially when using internal tools like Microsoft Teams.

This attack shows the effectiveness of social engineering. It is about people, not just technology. It only takes a convincing phone call or message to trigger a full-scale ransomware attack. Organisations must prioritise staff training, enforce multi-factor authentication, and remain alert to suspicious activity. A single mistake can cause lasting damage, not just financially but also to trust and reputation.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on user awareness instead of relying solely on technological defences, organisations can improve resilience and minimise the impact of future cyber threats.
