Scattered Spider Operative Charged in $115M Global Cybercrime Spree
British investigators have charged 19-year-old East London resident Talha Jubair, alleged to be linked with the Scattered Spider group. According to police and prosecutors, he took part in extortion campaigns against more than a hundred organizations and is tied to at least $115 million in cryptocurrency ransom payments. He was identified after a series of technical correlations, including the purchase of gift cards from a crypto wallet hosted on the same server that contained ransom-funded wallets.
Scattered Spider has been active since 2022: initially engaged in SIM-swapping, its members soon advanced to social engineering and data-encryption extortion. Last year, no fewer than seven suspects were arrested following high-profile attacks on Las Vegas casinos, and earlier this year the group was linked to intrusions into major retail chains. Alongside Jubair, 18-year-old Owen Flowers of Walsall also stands accused in the UK; both appeared in a London court in connection with a 2024 cyberattack on Transport for London.
Meanwhile, U.S. authorities have filed criminal charges. Acting U.S. Attorney Alina Habba stated that Jubair employed elaborate anonymization techniques and was involved in roughly 120 network intrusions, at least 47 of them against American organizations. Investigators, however, documented several operational security lapses that tied him back to the extortion infrastructure.
A key link was a cryptocurrency wallet server: funds from one address were used to buy gaming gift cards registered to Jubair’s account, as well as food delivery cards, with orders shipped to his residential complex — conclusively linking payments to his place of residence.
Documents unsealed Thursday by the U.S. Department of Justice describe conspiracies involving computer fraud, telecommunications fraud, and money laundering. The timeline spans May 2022 to the present and details not only corporate data encryption but also ransom demands leveraging stolen sensitive information.
Among the named victims was the U.S. federal judiciary. In early January, attackers following a typical Scattered Spider playbook contacted court IT support and engineered a password reset for one account. They then compromised two more accounts and extracted personal details of staff — including names, fifteen usernames, job roles, and mobile numbers. The stolen data was later used to access three mailboxes, one belonging to a federal magistrate. Search terms included “subpoena,” the surname of one indicted hacker, and the group’s own name. From one seized mailbox, a fraudulent request for urgent client data was sent to a financial institution.
Seven additional U.S. victims, anonymized as Company-1 through Company-7, included a manufacturer, an entertainment firm, two retailers, two financial entities, and a critical infrastructure operator. In each case, access was gained through social-engineering calls to support desks, followed by password resets, mass data exfiltration, and in some instances data encryption to increase pressure. In five incidents, victims collectively paid at least $89.5 million in bitcoin; the two largest ransoms were from banks, totaling over $25 million and $36.2 million.
Blockchain tracing led back to a node allegedly controlled by Jubair. During infrastructure seizures, agents confiscated roughly $36 million in cryptocurrency, though in July 2024 the suspect had already diverted around $8.4 million to another address.
Further evidence came from chats and files. In October 2023, via a Telegram account using the handle “Brad” and alias “autistic,” Jubair discussed attacks on around forty companies with an accomplice, noting that one victim was prepared to pay $25 million. Later that day, the payment was confirmed, and Jubair messaged his partner about distributing proceeds from two victims.
Blockchain records also revealed purchases of five gaming gift cards from one seized wallet, activity tied to a gamer profile accessed with credentials linked to Jubair’s apartment. Delivery-service records corroborated shipments to his residence, including orders in mid-May 2024.
Another alias, “Austin,” surfaced in server logs. In a conversation dated April 7, 2024, the user mentioned recently turning 18; checks confirmed Jubair’s birthday fell roughly three weeks earlier.
Analysts praised the coordination of law enforcement across the Atlantic. Adam Meyers, head of Counter Adversary Operations at CrowdStrike, remarked that these arrests would weaken Scattered Spider in the short term and demonstrated the effectiveness of intelligence-sharing between governments and the private sector: with concerted action, even well-resourced groups inflicting grave damage on global enterprises can be disrupted.
Jubair’s case epitomizes a common flaw in cybercriminal operations: meticulously crafted schemes collapse under the weight of everyday habits and the digital traces left behind by routine purchases.