Kremlin-Aligned Ransomware Cartel Blamed for Data Breach Affecting British Retail and Services
British supermarket chain Co-op continues to face major operational disruption after falling victim to a sophisticated ransomware attack linked to the Russia-aligned hacking group DragonForce, cybersecurity researchers at Halcyon confirm. The attackers exfiltrated sensitive data on Co-op members, forcing the company to shut down systems and affecting multiple business units, including retail shelves, funeral services, and insurance operations.
“The criminals that are perpetrating these attacks are highly sophisticated,” said Shirine Khoury-Haq, CEO of the Co-operative Group. “Our colleagues are working tirelessly to protect Co-op, understand the full impact, and assist authorities.”
This attack comes amid growing concern that ransomware cartels are operating as proxies for Russian cyber operations, blending financial motives with geopolitical objectives.
DragonForce Group Implicated in Breach at Co-op and M&S
DragonForce has claimed responsibility for the attack on Co-op, as well as a recent breach at Marks and Spencer (M&S). While some reports attribute the M&S incident to Scattered Spider, Halcyon investigators maintain that DragonForce’s tools were used in the Co-op breach, not those of any affiliates.
“Investigators believe DragonForce’s tools, not those of its occasional affiliate Scattered Spider, were used in this breach,” Halcyon researchers stated.
The group’s public behavior, language use, and ransomware deployment rules point to a strong allegiance with the Russian Federation, suggesting the incident was strategically aligned cybercrime rather than opportunistic extortion.
Member Data Compromised Amid Severe System Outages
According to Co-op, the attackers extracted data related to a “significant number” of members. Compromised information includes:
- Full names
- Residential addresses
- Email addresses
- Phone numbers
- Dates of birth
However, the retailer emphasized that no passwords, payment information, or product data was exposed.
“We do not believe members’ passwords, bank or credit card details, or product information were extracted,” Co-op confirmed.
The breach led to a manual shutdown of internal systems to limit further damage. Many store shelves remain depleted, and service delays continue across the UK.
Russia’s Cyber Proxies and the Dual Purpose of Ransomware
Halcyon’s analysis positions DragonForce as part of a broader trend in state-aligned ransomware operations. While profit-driven, DragonForce also advances Russian cyber interests through destabilization and espionage.
“Let’s call it like it is: ransomware is a dual-purpose weapon,” Halcyon wrote. “Crews like DragonForce are making money while also doing Moscow’s dirty work.”
In a recent dark web post, DragonForce warned affiliates not to target Russia or former Soviet states, threatening to “punish any violations.” This geofencing policy, paired with their use of Russian-language tooling, supports claims of strategic alignment with Kremlin interests.
DragonForce’s Growing Role in Ransomware Ecosystem
First observed in late 2023, DragonForce has already claimed around 170 victims, according to ransomware.live. The group operates a white-label ransomware-as-a-service (RaaS) model, enabling affiliates to deploy its payloads while retaining centralized control over infrastructure.
DragonForce has also ignited turf wars across the ransomware landscape:
- Claimed intrusions into rival BlackLock and Mamona leak sites
- Declared attacks on RansomHub, one of 2024’s most active ransomware gangs
- Attracted defectors from disrupted cartels like LockBit and BlackCat
While the group claims financial motives—“not here to kill”—its selective targeting, messaging discipline, and Russian-aligned policies reveal a deeper geopolitical strategy.
“That’s the beauty of proxy attacks and plausible deniability. Russia gets the disruption without ever signing its name,” Halcyon explains.
Strategic Targeting Reflects Hybrid Cyberwarfare Tactics
Halcyon warns that groups like DragonForce are not selecting targets at random. Instead, they prioritize high-value victims with both financial leverage and geopolitical impact.
“The longer we treat it like just plain cybercrime instead of a national security threat,” researchers concluded, “the more ground we lose in a shadow war we have yet to even admit is happening.”
This incident places DragonForce alongside other state-aligned ransomware actors exploiting the blurred lines between financial crime and cyberwarfare, forcing both public and private sector organizations to confront cyberattacks as geopolitical weapons.