The ransomware group linked to the recent cyberattacks on UK retailers Marks and Spencer, Harrods, and the Co-Op has begun a turf war with its rivals, triggering a battle within the industry that could bring more hacks and further fallout for corporate victims.
DragonForce, a group of largely Russian-speaking cyber criminals behind a spate of high-profile attacks this year, has clashed with one of its biggest competitors, RansomHub, according to cybersecurity experts tracking the battle to dominate the booming criminal ransomware sector.
They warn that the conflict between the two groups, which operate in the ransomware-as-a-service (RaaS) market, could increase risks for companies, including the potential of being extorted twice.
Toby Lewis, global head of threat analysis at Darktrace, said there was “no honor among thieves” in the hacking world.
“Most cybercrime groups have an ingrained need for kudos and one-upmanship that could lead them to attempt to ‘outcompete’ each other by trying to attack and extort the same target,” he added.
RaaS gangs function by selling the tools and infrastructure needed to access the internal systems of companies and extort them for money. They operate on the dark web where they battle to sell services to those seeking to commit cybercrime, known as “affiliates,” such as Scattered Spider, which has been linked to the M&S attack and last week’s hack on Australian airline Qantas.
The relationship between DragonForce and RansomHub soured after the former rebranded itself as a “cartel” in March, which widened the services it offered and expanded its reach to attract more affiliate partners.
In the same month, RansomHub’s site was taken down and a marker left stating “R.I.P 3/3/25”, in what is believed to be a hostile takeover by DragonForce, according to cybersecurity group Sophos. In retaliation, a RansomHub member defaced DragonForce’s site, labelling them “traitors.”
Genevieve Stark, head of cybercrime analysis at Google Threat Intelligence Group, said DragonForce could be attempting to attract RansomHub’s affiliates. The hacking group is also believed to be behind attacks on the pages of other rivals, including BlackLock and Mamona, according to Sophos.
Stark warned that whatever the motive, the fallout brings with it an increased risk of cyberattacks. “Instability within the extortion ecosystem can have serious implications for ransomware and data theft extortion victims,” she said.
While double extortions remain rare, US company UnitedHealth Group was the victim of one last year due to a fallout between hacking groups.
In that case, RansomHub was approached by an affiliate hacker group, Notchy, to try to extort a second ransom payment after an initial $22 million fee was stolen by Notchy’s original RaaS partner, which faked its disappearance in order to avoid splitting the proceeds, according to cybersecurity experts.
A person familiar with the UnitedHealth hack said multiple extortion attempts were commonplace in cyberattacks, but that follow-up attempts were often opportunistic and lacked credibility.
Rafe Pilling, director of threat intelligence at Sophos, said in a worst-case scenario, the conflict between DragonForce and RansomHub could see them both target the same victim in a battle for business.
“Cybercriminals are a ruthless bunch, and a betrayal between partners can result in a situation where the victim gets extorted twice,” he added.
The global cost of cybercrime is estimated to reach $10 trillion in 2025, according to Cybersecurity Ventures. The figure—which is up from $3 trillion in 2015—comes as hacker groups have increasingly looked to maximise profit through their attacks.
DragonForce, which was first identified in August 2023, listed a total of 82 victims on its dark-web site in the following 12 months, according to cybersecurity firm Group-IB, while RansomHub—which also came to prominence in 2023—reported about 500 victims on its site in 2024.
Jake Moore, global cybersecurity adviser at ESET, warned that the volatility of the situation could make companies’ defence and response tactics more vulnerable.
“Remember this is a Wild West, lawless environment where normal competition rules simply do not apply,” he said.
© 2025 The Financial Times Ltd. All rights reserved.