Scattered Spider Mastermind Arrested: US & UK Charge 19-Year-Old for $115M Ransom Spree
The U.S. Department of Justice and British police have brought charges against 19-year-old East London resident Talha Jubair, identified by investigators as one of the key figures in Scattered Spider—the group behind a series of extortion-driven cyberattacks targeting major corporations and government entities. According to case files, from May 2022 through September of this year, the attackers carried out no fewer than 120 intrusions, compromising 47 organizations in the United States, with total ransom payments exceeding $115 million. In London, a parallel case concerns the August 2024 attack on Transport for London, in which 18-year-old Owen Flowers is charged alongside Jubair.
The identification hinged on a trail of technical overlaps. Investigators traced ransom payments funneled through addresses linked to a server allegedly controlled by Jubair. That server held cryptocurrency wallets used to purchase gaming gift cards and food delivery vouchers; orders were sent directly to his residential complex, and one gift card was tied to a gaming profile bearing his home address. Upon seizing the infrastructure, agents confiscated nearly $36 million in cryptocurrency, noting that substantial amounts had already been withdrawn from these wallets.
Investigators attribute a long history of cyber offenses to Jubair. Between 2021 and 2022, he was reportedly active in LAPSUS$, operating under the aliases Amtrak and Asyntax, and earlier as Everlynn, a persona tied to the sale of fraudulent emergency data requests impersonating law enforcement. Internal disputes within LAPSUS$ eventually exposed his real identity in open Telegram chats.
Since 2022, using the pseudonym EarthtoStar, he co-managed Star Chat, a SIM-swapping hub. The group systematically launched phishing attacks against telecom employees—most frequently at T-Mobile—gaining access to internal tools and selling services such as call forwarding and email resets. Later that year, attackers leveraged fake Okta login portals and Telegram bots for real-time interception of two-factor authentication codes, compromising employees at hundreds of companies. The fallout included breaches at LastPass, DoorDash, Mailchimp, Plex, and Signal.
Evidence also connects him to the Exploit forum, where accounts RocketAce and Lopiu advertised access to U.S. telecom networks, phishing kits, malware loaders, and even Extended Validation certificates. By late 2022 and early 2023, within the English-speaking community Com, a suite of “IRL services” emerged—including coercive physical tactics up to and including robbery proposals—some linked directly to EarthtoStar. Concurrently, under the aliases Brad or Brad_banned, he promoted kernel-level malware development featuring persistence mechanisms, reverse shells, and claimed bypasses of enterprise defenses.
In September 2023, after attacks on MGM Resorts and Caesars Entertainment, Scattered Spider claimed responsibility. Access had been gained through social engineering of contractors. Caesars reportedly paid a $15 million ransom, while MGM endured prolonged outages resulting in heavy financial losses. In spring 2025, the anonymous Com Cast briefing tied Jubair to new pseudonyms—Clark, Miku, and Operator. The latter was credited with the takeover of Doxbin and the launch of an automated doxxing service.
DoJ filings further describe the January 2025 breach of the U.S. federal courts’ infrastructure: through social engineering of IT support, attackers forced a password reset, accessed two additional accounts, and exfiltrated staff personal data. One compromised mailbox was then used to pressure a financial institution into releasing sensitive client records. Similar tactics recurred across industries—from manufacturing and entertainment to retail, finance, and critical infrastructure: deceive help desks, reset credentials, exfiltrate data, sometimes encrypt systems, and then negotiate either decryption or suppression of stolen datasets. In at least five cases, victims transferred no less than $89.5 million in Bitcoin, with the largest payments coming from banks.
Telegram banned Star Chat in March 2025, but according to investigators, operations continued until September. Certain episodes overlap with the case against Flowers and with the prosecution of Noah Urban, who has already received a 10-year prison sentence in the United States. Analysts note that Scattered Spider’s recruitment of minors creates legal loopholes that complicate prosecutions, but coordinated action between government agencies and the private sector on both sides of the Atlantic is steadily eroding the group’s operational base.