M&S hacker sends abuse and ransom requests directly to CEO
Joe Teddy

Network correspondent

The BBC has seen an abusive email that the Marks & Spencer hackers sent to the retailer's boss, boasting about the hack and demanding payment.

The message, written in broken English, was sent to M&S CEO Stuart Machin on April 23 using an employee's email account.

The email confirms for the first time that M&S was hacked by a ransomware group, something M&S has so far refused to acknowledge.

"We have come all the way from China to the UK, ruthlessly raped your company and encrypted all servers," the hacker wrote.

"The dragon wants to talk to you, so please go to (our darknet website)."

Cybersecurity experts showed the ransomware email to the BBC.

The ransomware message, which includes the N-word, was sent to the M&S CEO and seven other executives.

As well as boasting about installing ransomware on M&S's IT systems to render them useless, the hackers said they had also stolen the private data of millions of customers.

Nearly three weeks later, the company informed customers that their data might have been stolen.

The email was apparently sent using the account of an employee of the Indian IT giant Tata Consultancy Services (TCS), which has provided IT services to M&S for more than a decade.

The Indian IT worker, who is based in London, has an M&S email address but is a TCS employee.

It seems that he was hacked in the attack.

TCS has previously said it is investigating whether it was the gateway for the cyber-attack.

The company has told the BBC that the email was not sent from its system and that it has nothing to do with the M&S breach.

M&S declined to comment entirely.

“We can both help each other”

The darknet link shared in the ransom email connects to a portal where Dragonforce victims begin negotiating the ransom fee. This further suggests that the email is authentic.

Sharing the link, the hacker wrote: "Let's start the party. Send us a message and we will make us quick and easy."

The criminal also appears to have detailed information about the company's cyber insurance policy, saying "We know we can all help each other :)".

The M&S CEO declined to say whether the company had paid the ransom to the hackers.

Dragonforce ended the email with an image of a dragon breathing fire.

The dragon image attached to the hackers' email, as seen by the BBC

The email confirmed for the first time the link between the M&S hack and the ongoing Co-op cyber-attack, for which Dragonforce has also claimed responsibility.

The two hacks began in late April and wreaked havoc on both retailers. Some Co-op shelves were left bare for weeks, and M&S expected its operations to be disrupted until July.

Although we now know that Dragonforce is behind both, it is still unclear who the actual hackers are.

Dragonforce provides various services to cybercriminals on its darknet website in exchange for 20% of all ransoms collected.

Anyone can register and use its malware to scramble victims' data, or use its darknet website for public extortion.

Nothing has appeared on the criminals' darknet leak website about either the Co-op or M&S, but the hackers told the BBC last week that they were having problems of their own and that information would be released "soon."

Some researchers say Dragonforce is located in Malaysia, while others say Russia. Their email to M&S implies they are from China.

There has been speculation that a collective of young Western hackers known as Scattered Spider might be the affiliate behind the hacks and the one on Harrods.

Scattered Spider is not really a group in the normal sense. It is more of a community that spans sites such as Discord, Telegram and forums, hence the description "scattered" given to it by cybersecurity researchers at CrowdStrike.

Some Scattered Spider hackers are known to be teenagers in the United States and Britain.

The National Crime Agency said in a BBC documentary about the retail hacks that it was focusing its investigations on the group.

The BBC has spoken to the Co-op hackers, who declined to say whether or not they are Scattered Spider. "We won't answer this question," they said.

Two of them said they wanted to be called "Raymond Reddington" and "Dembe Zuma", after characters in the American crime thriller "The Blacklist", which involves a wanted criminal helping police take down other criminals on a blacklist.

In a message to me, they boasted: “We are blacklisting UK retailers.”

Since then, there has been a series of smaller cyber-attacks on UK retailers, but none as destructive as those on the Co-op, M&S and Harrods.

In the early stages of the M&S hack, unknown sources told the internet news website Bleeping Computer that the evidence pointed to Scattered Spider.

The UK's National Cyber Crime Department has confirmed to the BBC that the group is one of its main suspects.

As for the hackers I spoke to on Telegram, they declined to say whether they were Scattered Spider. "We won't answer this question," they said.
