Federal prosecutors charged a UK teenager with conspiracy to commit computer fraud and other crimes in connection with the network intrusions of 47 US companies that generated more than $115 million in ransomware payments over a three-year span.
A criminal complaint unsealed on Thursday (PDF) said that Thalha Jubair, 19, of London, was part of Scattered Spider, the name of an English-language-speaking group that has breached the networks of scores of companies worldwide. After obtaining data, the group demanded that the victims pay hefty ransoms or see their confidential data published or sold.
Bitcoin paid by victims recovered
The unsealing of the document, filed in US District Court of the District of New Jersey, came the same day Jubair and another alleged Scattered Spider member—Owen Flowers, 18, from Walsall, West Midlands—were charged by UK prosecutors in connection with last year’s cyberattack on Transport for London. The agency, which oversees London’s public transit system, faced a monthslong recovery effort as a result of the breach.
Both men were arrested at their homes on Thursday and appeared later in the day at Westminster Magistrates Court, where they were remanded to appear in Crown Court on October 16, Britain’s National Crime Agency said. Flowers was previously arrested in connection with the Transport for London attack in September 2024 and later released. NCA prosecutors said that besides the attack on the transit agency, Flowers and other conspirators were responsible for a cyberattack on SSM Health Care and attempting to breach Sutter Health, both of which are located in the US. Jubair was also charged with offenses related to his refusal to turn over PIN codes and passwords for devices seized from him.
The attack on Transport for London resulted in outages of the agency’s internal services and online services but not its transportation services. The attackers also made off with the personal data of an unknown number of customers.
The US Justice Department, meanwhile, said that Jubair was part of a conspiracy that conducted 120 cyberattacks on 47 US companies, none of which were named. The complaint said that five of the victims alone paid Scattered Spider $89.5 million in bitcoin.
After accessing servers under Jubair’s control, the criminal complaint said, investigators found bitcoins that a blockchain analysis determined had been paid by victims. In all, Jubair faces US charges of computer fraud conspiracy, computer fraud, wire fraud conspiracy, wire fraud, and money laundering conspiracy. If convicted, he faces a maximum penalty of 95 years in prison. There are no details on planned extradition or scheduled court dates.
“It didn’t feel good talking to her”: Animal communicator shares story of speaking to a “demonic” cat. It’s not quite that simple