Feds Link ‘Scattered Spider’ Pair to $115 Million in Ransom Payments – Krebs on Security

In a significant legal development, U.S. prosecutors recently filed criminal charges against Thalha Jubair, a 19-year-old from the U.K., in connection with his alleged involvement as a central figure in Scattered Spider, a notorious cybercrime organization implicated in extortion schemes totaling over $115 million. These accusations, which emerged as Jubair appeared in a London courtroom alongside another suspect, include allegations of hacking and extorting major U.K. retailers and U.S. healthcare providers.

During last week’s court proceedings, U.K. officials presented a range of charges against Jubair and his alleged accomplice, Owen Flowers, also a teenager. The charges are linked to a cyberattack in August 2024, which significantly disrupted the operations of Transport for London, the city’s public transport authority. The prosecution painted a picture of a sophisticated operation targeting sensitive infrastructure and commercial entities.

Sketch of Owen Flowers (left) and Thalha Jubair during their court appearance.

The investigation into the activities of Jubair and Flowers led to their arrests in July 2025, following their alleged involvement in ransom attacks targeting well-known retailers such as Marks & Spencer and Harrods. Reports indicate that Jubair interacted with the media shortly after a series of ransomware attacks in September 2023 that affected Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.

Prosecutors assert that Jubair has a lengthy history in cybercrime, marked by his previous affiliation with the LAPSUS$ group, which infiltrated numerous technology giants, including Microsoft and Uber, stealing sensitive data and source code. During the group’s operations, Jubair reportedly used aliases such as Amtrak and Asyntax and was deeply involved in cyber intrusions and extortion.

Prosecutors also highlighted that Jubair was associated with a threat actor group also identified as 0ktapus and UNC3944, where he used various handles including EarthtoStar. This affiliation was particularly concerning because it involved orchestrating SIM-swapping attacks, including a series that targeted employees of major telecom companies in both the U.S. and the U.K. The group used voice and SMS phishing to gain unauthorized access to confidential accounts.

The allegations against Jubair and his co-conspirators map to several MITRE ATT&CK adversary tactics, such as initial access through social engineering, exploitation of credentials for persistence, and subsequent privilege escalation. For instance, their reported use of phishing was evident in a mass SMS campaign in the summer of 2022 that targeted numerous sectors and compromised the data of hundreds of employees across multiple organizations.

In a more alarming turn, reports from New Jersey prosecutors detailed an even broader array of illicit activities, underscoring vulnerabilities in the cyber defenses of many companies. The investigation revealed that Jubair’s operations relied not only on traditional hacking techniques but also on a sophisticated understanding of the telecommunications landscape, raising additional concerns for businesses reliant on these infrastructures.

As the legal proceedings continue, Jubair faces serious charges both in the U.K. and the U.S., including conspiracy to commit fraud and money laundering, with a potential maximum penalty of 95 years in prison if extradited. In light of these revelations, business owners are advised to revisit their cybersecurity protocols and ensure robust defenses against similar cyber threats.
