DragonForce Ransomware Operators Hint at Ties to Russian Federation

Written by Anthony M. Freed
Published on May 12, 2025

A major UK retailer was recently hit by a damaging cyberattack carried out by the hacking group DragonForce, which has now drawn attention not just for the breach itself, but for a revealing political statement.  

In a message posted on a dark web forum, DragonForce warned other hackers not to use its ransomware against targets in Russia or any former Soviet states, calling such actions a “provocation” and vowing to punish violations. This stance strongly implies a close alignment—or even allegiance—with the Russian Federation.

The group claimed responsibility for the attack that forced the retailer to suspend its click and collect service and later admitted to targeting Co-op and stealing member data. DragonForce portrays itself as a “ransomware cartel” and operates a “white label” model, letting other hackers use its ransomware once inside a victim’s systems.

The same statement emphasized that the group is “not here to kill” but rather “to make money and do business,” further reinforcing the idea that they see themselves as organized cybercriminal entrepreneurs with boundaries—particularly when it comes to Russian geopolitical interests.

Investigators believe DragonForce’s tools, not those of its occasional affiliate Scattered Spider, were used in this breach. The group has claimed or been linked to 167 victims across 32 countries.

Takeaway: Let’s call it like it is: ransomware is a dual-purpose weapon. While crews like DragonForce are making money from their attacks, they are also doing Moscow’s dirty work at the same time.  

When a ransomware gang openly declares that its tooling can’t be used against Russian infrastructure or former Soviet states and threatens to “punish” anyone who crosses that line, it is revealing the direct connection between ransomware and Russian state-sponsored operations.

This is the playbook: ransomware operators rake in millions while acting as proxy attackers for the Russian government. Meanwhile, the Kremlin gets to sit back with clean hands and deny everything.  

That’s the beauty of proxy attacks and plausible deniability. Russia gets an advantage by way of the disruption and chaos the attacks cause without ever signing its name to the attack.

And let’s be real, they aren’t always picking targets at random. They know that attacks on healthcare providers, critical infrastructure, schools and local governments cause a lot of worry amongst the public. These aren’t just high-value targets from a financial perspective, they’re also geopolitically strategic ones. That’s not a coincidence, that’s coordination.

So yeah, ransomware is still a business, but it’s also a powerful geopolitical tool. And the longer we treat it like just plain cybercrime instead of a national security threat, the more ground we lose in a shadow war we have yet to even admit is happening.

 
