UK & US Charge Alleged Scattered Spider Hackers

A significant international law enforcement operation has resulted in criminal charges against two individuals believed to be key members of the notorious Scattered Spider cybercrime group. Authorities in both the United States and United Kingdom have accused the suspects of involvement in a series of damaging cyber intrusions, including attacks on critical infrastructure and major corporate networks.

Thalha Jubair, a 19-year-old from East London, and Owen Flowers, an 18-year-old from Walsall, were taken into custody at their residences on September 16. The District of New Jersey unsealed charges against Jubair two days later, alleging his participation in wide-ranging conspiracies to commit computer fraud, wire fraud, and money laundering.

Operating under online aliases including “EarthtoStar,” “Brad,” and “Austin,” Jubair is accused of using sophisticated social engineering techniques to infiltrate the computer systems of numerous organizations. Court documents claim he was involved in at least 120 separate network intrusions targeting 47 U.S.-based entities, resulting in extortion payments exceeding $115 million.

Investigators traced portions of ransom payments from at least five victims to cryptocurrency wallets controlled by Jubair. In a notable incident from July 2024, he allegedly transferred approximately $8.4 million in cryptocurrency, funds originally obtained from a victim, to another wallet while law enforcement was actively seizing his server.

Both individuals also face charges in the UK related to an August 2024 cyberattack on Transport for London (TfL), which compromised sensitive personal data of approximately 5,000 customers. The breach exposed Oyster card refund information, including bank account numbers and sort codes, costing the transport authority an estimated £30 million in recovery expenses and operational losses.

Flowers was initially arrested on September 6, 2024, in connection with the TfL incident. Subsequent investigation by the National Crime Agency uncovered evidence implicating him in additional cyber offenses against U.S. healthcare providers, leading to further charges related to attempted network infiltration of SSM Health Care Corporation and Sutter Health.

Jubair faces an additional charge under the UK’s Regulation of Investigatory Powers Act for refusing to disclose passcodes for electronic devices seized during the investigation.

These arrests mark another blow to Scattered Spider, following the detention of four other suspected members by UK authorities in July 2025. That group, which included three teenagers, was linked to cyberattacks on major retailers including Marks & Spencer, the Co-op, and Harrods.

Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, emphasized the importance of these charges, noting they represent a “key step” in a lengthy and complex multinational investigation. He highlighted the growing threat posed by UK-based cybercriminals, describing Scattered Spider as a clear example of this troubling trend.

Jake Moore, a global cybersecurity advisor at ESET and former police officer, acknowledged law enforcement’s improving success in identifying and prosecuting cybercriminals but cautioned that significant challenges remain. “Collecting enough solid evidence to produce in court is the most difficult aspect of any cybercrime investigation,” he noted, adding that suspects often minimize digital footprints, complic forensic efforts.

Although Scattered Spider and several other ransomware groups recently announced their “retirement,” security experts remain skeptical about the legitimacy of these claims. The investigation into Jubair and Flowers involved collaboration among agencies from the UK, U.S., Netherlands, Romania, Canada, and Australia, demonstrating the global effort required to combat sophisticated cybercrime networks.

(Source: NewsAPI Cybersecurity & Enterprise)