As the months grow colder and the nights grow longer, many of us expect the return of our eight-legged friends who seek refuge in our homes, some getting spooked when they stumble upon them unexpectedly.
However, spider season started a little earlier this year – and these ones caused a lot more damage than a few jump scares.
The Scattered Spider took responsibility for the cyber-attack on Marks & Spencer’s (M&S) in April 2025, where the security breaches are estimated to have a total financial impact of up to £440 million.
However, they used malware from the US ransomware group Dragon Force, meaning that the US may claim they have a ‘special interest’ in the matter.
This raises the key question: Should the suspects be tried in the UK or extradited to the US?
Who’s who?
The Scattered Spider is a UK hacking group that formed in May 2022 and is mostly made up of teens and young adults. They specialise in a ‘social engineering’ style of hacking, where they trick companies into handing over sensitive data, including user credentials, bypass multifactor authentication, and gain access to company data.
The Dragon Force Ransomware group operates a Ransomware-as-a-Service (RaaS) organisation, where they lease their malware to clients – often through the dark web – and take a cut of the ransom. They are reported to take a multi-extortion approach, making them one of the more dangerous RaaS providers on the market.
The Dream Team: Hacking M&S
The Scattered Spider started the operation in February 2025 by gaining access through their ‘social engineering tactics’. They impersonated an IT Helpdesk employee to trick a third-party contractor – Tata Consultancy Services – into revealing passwords, and hence gained system access.
Once they had the file containing employee password hashes, they used Dragon Force Ransomware to encrypt critical systems, which took down the M&S website and stopped the processing of online orders.
Spiders and Dragons make a pretty nefarious team after all.
… Until they didn’t
Four young people between the ages of 17 and 20 were arrested in connection with the M&S cyberattack.
Paul Foster, head of the National Cyber Crime Unit, has commented that this is a ‘significant step’ in the investigation.
However, he notably said that their ‘work continued, alongside partners in the UK and overseas, to ensure that those responsible are identified and brought to justice’, already hinting towards the fact that extradition matters may be at play.
The Question of Borders
While cybercrime rarely respects borders, law enforcement does.
The suspects may be UK nationals, but the US has a ‘clear interest’ as Dragon Force Ransomware is a US group that has many US victims. Therefore, the US may look to request that these individuals are extradited to the US for prosecution.
Extradition is the legal process where ‘one country asks another to return a person in order to stand trial or to serve a sentence’. This process is governed by the Extradition Act 2003.
Under the legislation, the US would fall into Part 2 (Category 2 Countries), which are non-EU states with bilateral treaties. An extradition request made by a foreign state is sent to the Home Secretary.
If it is valid, the Magistrates’ Court will then consider a range of Bars (s.79, Extradition Act 2003) that apply to Category 2 states, as well as safeguards including Articles 3, 6 and 8 ECHR.
Ultimately, the decision comes down to the Home Secretary, who will be subject to judicial review.
The Forum Bar (s.83A, Extradition Act 2003)
One of these Bars is the Forum Bar (s.83A).
This was introduced in 2013 following a number of high-profile cases. It allows the UK courts to block extradition if a ‘substantial measure’ of the alleged criminal activity occurred in the UK, and if a UK trial would be in the interests of justice, subject to the matters listed under s.83A(3)(a)–(g).
Its first successful application was in the precedent-setting case of Love v United States of America [2018] EWHC 172, in which Lauri Love, a UK hacker, resisted extradition to the US on the basis that it would be “oppressive by reason of his physical and mental condition” and that the Forum Bar test was met.
The appeal found that Mr Love’s ‘connections to the UK’ (s.83A(3)(g)) should have been treated as the most weighty and decisive, which included:
- his mental health disorder;
- overwhelming reasons for justice and humanity; and
- ‘The compelling reasons that conduct committed in the UK by a British citizen should be punished in accordance with our own values and standards of proportionality in sentencing.’ (18, Love v USA, 2018)
Therefore, while the Forum Bar may have ‘encountered criticism as to the perceived imbalance in the extradition activity between the US and UK’, it has remained a key part of the UK extradition legislation.
Will the Spiders be sent to the US?
If the US seeks extradition of the UK-based suspects, the defence lawyers will likely lean on the Love v US precedent and look to use the same factors.
They may argue that the conduct was substantially based in the UK, the evidence is available in the UK via the M&S servers and UK arrest seizures, there are strong connections through family ties, and the victims are mainly UK-based.
The US, however, may counter by focusing on the DragonForce syndicate and framing the Scattered Spider attacks as part of an organised international crime group, rather than a solely UK-based operation. Moreover, they may push back further by saying that a single US trial would be in the global interest, as it could capture the wider web of the Scattered Spider and provide a strong deterrent against cyber organisations that operate across borders.
To Be Continued…
There aren’t any updates on the matter yet, but we will be closely following the developments on this case to ensure that our lawyers are working with the most up-to-date principles when helping clients on their extradition and cybercrime matters.
As for now, we hope that Spiders and Dragons remain predominantly on our TV screens – and not in our servers.
How Can We Help If You Are Facing A Criminal Allegation of Cyber Hacking?
If you are currently facing extradition or have been charged with a cybercrime matter, we are here to help.
Our highly respected team of specialist lawyers defend cyber-crime and hacking cases, and we are currently advising on two of the most high-profile corporate cyber hacking cases at present.
Unlike other firms, we have genuine in-depth experience of such investigations and have gathered a team of the best barristers, cyber security analysts, and forensic accountants to support our clients. Our lawyers have been ranked in the leading legal ranking directories and in The Times’ Best law firms for many years, and we have an excellent overall success rate.
You can reach out to us by calling 020 7387 2032 or by sending an online enquiry here.