Pair of Suspected Scattered Spider Hackers Charged by UK, US Authorities

In a significant development in the ongoing battle against cybercrime, two suspected members of the infamous Scattered Spider group have been charged by authorities in both the United States and the United Kingdom. Thalha Jubair, 19, from East London, and Owen Flowers, 18 from Walsall, were arrested at their home addresses on September 16 and are now facing charges connected to multiple high-profile cyber-attacks.

The pair have been linked to attacks on US courts, a US critical infrastructure firm, and the UK's Transport for London (TfL). According to the charges, Jubair, also known as "EarthtoStar," "Brad," "Austin," and "@autistic," conspired with others to use social engineering techniques to gain unauthorized access into the computer networks of victim companies.

Jubair is accused of participation in at least 120 computer network intrusions and extortion involving 47 US entities. It is believed that victims paid at least $115m in ransom payments to Jubair and his associates. Portions of the ransom payments from at least five victims were sent to wallets on a server controlled by Jubair, highlighting his role as a key player in the group's operations.

In July 2024, Jubair was observed transferring a portion of cryptocurrency that originated from one of the victims, worth approximately $8.4m at the time, to another wallet, while law enforcement was in the process of seizing the server. This move suggests that Jubair and his associates were attempting to launder their illicit gains.

The arrests and charges against Jubair and Flowers followed a collaborative investigation between law enforcement agencies in the UK, the US, the Netherlands, Romania, Canada, and Australia. The two teenagers have also been charged by UK authorities with offenses connected to the August 2024 cyber-attack on TfL, which impacted sensitive personal data of around 5000 customers.

Flowers was initially arrested on suspicion of involvement in the TfL hack on September 6, 2024, while aged 17. He has since been charged with conspiring to commit unauthorized acts against TfL under the Computer Misuse Act and appeared in Westminster Magistrates Court on September 18.

Jubair has also been charged with failing to disclose the pin or passwords for devices seized from him, under the UK's Regulation of Investigatory Powers Act (RIPA). The TfL hack reportedly cost the transport operator around £30m ($40.6m), including £5m ($6.7m) on external support to recover from the incident.

The charges against Flowers and Jubair follow the arrests of four other suspected members of Scattered Spider by UK authorities in July 2025. The four individuals, three of whom were teenagers at the time of the arrest, are suspected of involvement in the April 2025 attacks on Marks & Spencer, the Co-op, and Harrods.

Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, described the charges against Jubair and Flowers as a "key step" in a "lengthy and complex investigation." He noted that earlier this year, the NCA warned of an increase in the threat from cybercriminals based in the UK and other English-speaking countries.

Jake Moore, global cybersecurity advisor at ESET and former UK police officer, highlighted the growing success of law enforcement in identifying and collecting evidence to prosecute cybercriminal actors. However, he warned that there may still be significant challenges in this process, particularly in tracking down evidence left by sophisticated groups like Scattered Spider.

"Collecting enough solid evidence to produce in court and prosecute is the most difficult aspect in any cybercrime investigation," Moore noted. "It is highly likely that these members of the gang will have reduced their evidence and communication trails down to a bare minimum, if at all, which will cause frustrations in the investigation."

Earlier in September, it was reported that Scattered Spider, along with 14 other ransomware groups, had announced their "retirement." However, these announcements have been met with skepticism by security experts.