The Spider Team Hacker: How a UK Man Stole 4 Million Passwords
A hacker who targeted websites across North America, Yemen, and Israel, stealing the credentials of millions of users, has been sentenced to prison.
26-year-old Al-Taheri Al-Mashriki, from Rotherham, South Yorkshire, was arrested in August 2022 by the UK’s National Crime Agency (NCA), acting on intelligence provided by U.S. law enforcement. His activities were linked to the radical groups “Spider Team” and the “Yemen Cyber Army.”
NCA investigators traced Al-Mashriki’s ties to the Yemen Cyber Army through his social media and email accounts. Forensic analysis of his laptop and mobile devices revealed intrusions into websites belonging to the Yemeni Ministry of Foreign Affairs, the Ministry of Security, and an Israeli news outlet. The breaches were marked by the creation of hidden pages carrying his aliases and propaganda messages.
The hacker favored poorly secured websites, gaining notoriety in the cybercriminal underground for the sheer volume of his attacks. On one forum, he boasted of compromising over 3,000 websites in just three months of 2022. Yet, NCA forensics uncovered an even greater scale: his laptop contained stolen data from more than 4 million Facebook users, along with databases of logins and passwords for services such as Netflix and PayPal.
In February 2022, he fully mirrored the website of Israel’s Live News, obtaining access to administrative pages. Additional breaches targeted Yemeni government platforms, where he employed vulnerability scanners and tools to harvest usernames. Religious websites in Canada and the United States were also attacked, as well as the site of the California Water Resources Board.
Working with international partners, the NCA gathered testimony from victim organizations, which reported severe financial losses and damage to critical infrastructure. The agency stressed that the defendant’s actions disrupted the functioning of targeted websites and endangered millions of users.
Al-Mashriki was set to stand trial in Sheffield on ten counts under the Computer Misuse Act, but on March 17 he pleaded guilty to nine of them. On August 15, he was sentenced to 20 months in prison.
