{
	"id": "505157e3-07e3-4581-bd55-c4b6da6fbafb",
	"created_at": "2026-04-06T00:18:37.75736Z",
	"updated_at": "2026-04-10T03:31:49.859153Z",
	"deleted_at": null,
	"sha1_hash": "791b4ed2fc9566837807192a863f1607eecd27fb",
	"title": "Co-op confirms data theft after DragonForce ransomware claims attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2136343,
	"plain_text": "Co-op confirms data theft after DragonForce ransomware claims attack\r\nBy Lawrence Abrams\r\nPublished: 2025-05-02 · Archived: 2026-04-05 18:26:20 UTC\r\nThe Co-op cyberattack is far worse than initially reported, with the company now confirming that data was stolen for a\r\nsignificant number of current and past customers.\r\n\"As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one\r\nof our systems,\" Co-op told BleepingComputer.\r\n\"The accessed data included information relating to a significant number of our current and past members.\"\r\nhttps://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/\r\n\"This data includes Co-op Group members' personal data such as names and contact details, and did not include members'\r\npasswords, bank or credit card details, transactions or information relating to any members' or customers' products or\r\nservices with the Co-op Group.\"\r\nOn Wednesday, UK retail giant Co-op downplayed the cyberattack, stating that it had shut down portions of its IT systems\r\nafter detecting an attempted intrusion into its network.\r\nHowever, soon after the news broke, BleepingComputer learned that the company did indeed suffer a breach utilizing tactics\r\nassociated with Scattered Spider/Octo Tempest, but their defenses prevented the threat actors from performing significant\r\ndamage to the network.\r\nSources told BleepingComputer that it is believed the attack occurred on April 22, with the threat actors utilizing tactics\r\nsimilar to the attack on Marks and Spencer. 
The threat actors reportedly conducted a social engineering attack that allowed\r\nthem to reset an employee's password, which was then used to breach the network.\r\nOnce they gained access to the network, they stole the Windows NTDS.dit file, a database for Windows Active Directory\r\nServices that contains password hashes for Windows accounts.\r\nCo-op is now in the process of rebuilding all of its Windows domain controllers and hardening Entra ID with the help of\r\nMicrosoft DART. KPMG is assisting with AWS support.\r\nWhen sharing these details with Co-op yesterday, the company said it had nothing further to share and sent us its original\r\nstatement.\r\nDo you have information about this or another cyberattack? If you want to share the information, you can contact us\r\nsecurely and confidentially on Signal at LawrenceA.11, via email at lawrence.abrams@bleepingcomputer.com, or by using\r\nour tips form.\r\nDragonForce ransomware behind attack\r\nToday, the BBC first reported that affiliates for the DragonForce ransomware operation are behind the attack on Co-op. As\r\nfirst reported by BleepingComputer, these are the same hackers who breached Marks and Spencer last week.\r\nBBC correspondent Joe Tidy spoke to the DragonForce operator, who confirmed they were behind the attack and shared\r\nsamples of corporate and customer data stolen during the attack. 
The threat actors claim to have data from 20 million people\r\nwho registered for Co-op's membership reward program.\r\nThe threat actors stated they contacted Co-op's head of cyber security and other executives using Microsoft Teams messages,\r\nsharing screenshots of the extortion messages with the BBC.\r\nAfter the attack, Co-op sent an internal email to employees warning them to be vigilant when using Microsoft Teams and not\r\nto share any sensitive data, likely out of concern that the hackers still had access to the platform.\r\nThe threat actors also claimed to the BBC that they were behind the attempted cyberattack on Harrods.\r\nDragonForce is a ransomware-as-a-service operation where other cyber criminals can join as affiliates to use their\r\nransomware encryptors and negotiation sites. In exchange, the DragonForce operators receive 20-30% of any ransoms paid\r\nby extorted victims.\r\nIn attacks, the affiliates will breach a network, steal data, and ultimately deploy malware that encrypts the files on all of the\r\nservers and workstations. The threat actors then demand a ransom payment to retrieve a decryptor and promise that stolen\r\ndata will be deleted.\r\nIf a ransom is not paid, the ransomware operation typically publishes the stolen data on their dark web data leak site.\r\nDragonForce is a relatively new operation but is gearing up to be one of the more prominent ones in the ransomware space.\r\nThey are believed to be working with English-speaking threat actors that fit a specific set of tactics associated with the name\r\n\"Scattered Spider\" or \"Octo Tempest.\"\r\nThese threat actors are experts at using social engineering attacks, SIM Swapping, and MFA fatigue attacks to breach\r\nnetworks and then steal data or deploy ransomware. 
The threat actors are known to aggressively extort their victims.\r\nTo be clear, Scattered Spider is not a gang or group with specific members. Instead, they are an amorphous community of\r\nfinancially motivated threat actors who congregate on the same Telegram channels, Discord servers, and hacking forums.\r\nAs they are \"scattered\" throughout the cybercrime landscape, it is more difficult for law enforcement to track individual\r\npeople who are associated with an attack.\r\nThe original threat actors associated with the Scattered Spider classification were behind a string of attacks, including those\r\non MGM and Reddit.\r\nSome, if not all, of these original hackers have now been arrested by the US, United Kingdom, and Spain.\r\nHowever, previously unknown hackers or copycats are now utilizing the same methods to escalate attacks.\r\nCybersecurity researcher Will Thomas has put together a recommended guide on defending against Scattered Spider attacks.\r\nSource: https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/"
	],
	"report_names": [
		"co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434717,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/791b4ed2fc9566837807192a863f1607eecd27fb.pdf",
		"text": "https://archive.orkl.eu/791b4ed2fc9566837807192a863f1607eecd27fb.txt",
		"img": "https://archive.orkl.eu/791b4ed2fc9566837807192a863f1607eecd27fb.jpg"
	}
}