M&S CEO taunted in ransom note by hackers after cyber attack
Marks & Spencer (M&S) CEO Stuart Machin allegedly received a direct and abusive email from the cyber gang DragonForce, gloating about the retailer’s recent IT breach and demanding a ransom.
The email, sent on 23 April, confirms for the first time that the high street retailer was targeted by a ransomware group, something the business has not yet publicly acknowledged.
The message, seen by the BBC, was sent using the email account of an M&S employee employed by IT contractor Tata Consultancy Services (TCS).
In broken English, the hackers wrote: “We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers.
“The dragon wants to speak to you so please head over to [our darknet website].”
It is understood that the message was sent to Machin and seven other senior executives. It included racist language and claimed to have installed ransomware across M&S systems and stolen data from millions of customers.
M&S first reported the cyber attack over the Easter bank holiday, but only confirmed weeks later that customer data may have been accessed. The company has not confirmed whether a ransom has been paid.
The email appears to have been sent using the account of a London-based TCS employee, who has an M&S email address. TCS is investigating whether its systems were used as a way into M&S’s network, but told the BBC the message was not sent from its platform and that it was not linked to the breach.
A link in the message directed recipients to a darknet site used by DragonForce for ransom negotiations. The hackers also referenced M&S’s cyber insurance policy, adding:
“We know we can both help each other handsomely : ))”. The note ended with an image of a fire-breathing dragon.
Elsewhere, the group has also claimed responsibility for a similar cyber attack on Co-op, which disrupted supply and left shelves empty across stores. M&S has said it expects its online operations to be affected until July.
Security experts say DragonForce allows criminals to join their network and use their ransomware tools in exchange for a 20% share of any ransom collected. Although some sector experts believe the group may be based in Malaysia or Russia, the email sent to M&S implied links to China.
Speaking to the BBC, two individuals linked to the attacks told the publication they wanted to be known as “Raymond Reddington” and “Dembe Zuma”, characters from the TV series The Blacklist, and added: “We’re putting UK retailers on the Blacklist.”
The National Crime Agency is continuing to investigate. M&S has been contacted for comment.




