Ransomware gang takes credit for hacking Belk in May 2025, report says
A notorious ransomware organization known as "DragonForce" is reportedly taking public credit for a recent breach of Belk Inc.’s systems.
According to a note from U.K. security software company Comparitech, DragonForce announced on a data leak site it operates that it was behind a May 2025 cyberattack on Belk that exposed roughly 156 GB of the regional department store chain’s corporate data.
In a letter Belk sent to an unspecified number of affected customers, the retailer said it was hit by a a "cyber incident in which an unauthorized actor gained access to certain corporate systems and data," including customer names and Social Security numbers, between May 7-11, 2025.
After discovering the incident May 8, 2025, Belk said it began working with external cybersecurity experts and law enforcement to determine the source and scope of the attack and took “immediate steps” to stop the cyberattack and secure its systems and data.
Belk also said in the letter it will pay for customers affected by the breach to enroll in a complimentary 12-month credit monitoring service provided by Epiq Privacy Solutions ID, which includes credit monitoring, dark web monitoring, identity restoration, and up to $1 million identity theft insurance.
The retailer’s containment and remediation actions included restricting network access, blocking known compromise indicators resetting passwords, rebuilding affected servers and endpoints, and deploying additional security tools.
Compaitech said in its note that it does not know if Belk paid a ransom, how much ransom DragonForce asked for, or how the group obtained access to the retailer’s systems. Comparitech has contacted Belk for comment.
According to Comparitech, DragonForce began publicly claiming responsibility for cyberattacks in December 2023. It operates a “ransomware-as-a-service” business where other criminals pay to use its malware and then follows up collect fees in order to release victims’ systems from the ransomware and not share exposed data.
DragonForce has reportedly taken credit for 38 ransomware attacks that have been acknowledged by the hacked companies and another 166 incidents that the affected companies have not confirmed.
In another high-profile retail ransomware attack, Ahold Delhaize USA suffered a ransomware attack in November 2024, possibly by a criminal group known as Inc., which was disclosed in April 2025.
[READ MORE: Ahold Delhaize USA breach exposes data from 2 million people]
That breach exposed personal data including names, Social Security numbers, financial account information including bank account numbers, health information including worker’s compensation, employment-related information, government-issued ID numbers such as passports and driver’s licenses, postal addresses, email addresses, phone numbers and dates of birth.
In comments emailed to Chain Store Age, Rebecca Moody, Head of Data Research at Comparitech, said it’s no surprise a large retailer like Belk was targeted by DragonForce.
"Belk appears to have suffered significant system disruption and data theft at the hands of DragonForce," Moody said in the email. "However, unlike U.K. retailers Marks & Spencer, the Co-operative Group, and Harrods (also believed to be DragonFoce victoms), Belk has actually been added to DragonForce's data leak site."
Moody said that Belk’s addition to the site possibly suggests that Belk may not have paid ransom, at least in relation to the stolen data, and that this could be a "significant" breach.
Charlotte-based Belk Inc., a privately-owned department store, operates nearly 300 Belk and Belk Outlet locations across 16 Southeastern states and digitally through its e-commerce site and mobile app.
