NEWS He is 19 years old, with hundreds of attacks and millions in extortion to his name: The face of Scattered Spider is revealed

ExcalibuR

A teenage hacker from London was caught after ordering a pizza.

British investigators have brought charges against 19-year-old East London resident Talha Jubair, who is linked to the Scattered Spider group. According to police and prosecutors, the suspect participated in extortion attacks on more than a hundred organizations and is connected to at least $115 million in cryptocurrency payments. Investigators found his trail through a series of technical coincidences, including purchases of gift cards from a crypto address on a server that also hosted wallets receiving ransom payments.

Scattered Spider has been known since 2022: initially, its members engaged in SIM-swapping before moving on to social engineering and data encryption followed by extortion. Last year, at least seven suspects were detained following high-profile attacks on Las Vegas casinos, and this spring the group was blamed for hacks on major retail chains. Alongside Jubair, 18-year-old Owen Flowers from Walsall is also involved in the case in the UK; both appeared in a London court for an episode related to a cyberattack on Transport for London in 2024.

Simultaneously, criminal charges have been announced in the US. Acting US Attorney Alina Habba stated that the suspect took complex anonymization measures and participated in approximately 120 network intrusions, including at least 47 cases targeting American organizations. However, the investigation managed to document a number of operational security errors that linked the suspect to the extortionists' infrastructure.

A key coincidence concerns a server with cryptocurrency wallets: some funds from one of the addresses were spent on gaming gift certificates linked to an account in Jubair's name, as well as on cards for a food delivery service. The orders were delivered to the address of his residential complex, which confirmed the link between the payments and his place of residence.

Materials disclosed by the US Department of Justice on Thursday describe conspiracies to commit computer fraud, wire fraud, and money laundering. The timeline spans from May 2022 to the current month and includes not only the encryption of corporate data but also extortion attempts threatening the leak of confidential information.

The list of victims explicitly names the US federal court system. In early January, the attackers, following a typical Scattered Spider script, contacted the service support of the court network and managed to reset the password for one of the accounts. After this, two more accounts were hijacked, and personal details of employees—including names, fifteen usernames, job roles, and mobile numbers—were extracted from the infrastructure. The compromised data was then used to access the mailboxes of three individuals, one of whom was a federal magistrate. Searches were conducted for terms like "subpoena," the surname of one of the accused cybercriminals, and the name of the group itself. From one of the compromised mailboxes, a request was also sent to a financial organization demanding the urgent disclosure of client information.

Seven other American victims are designated in the documents as Company-1 through Company-7. Among them are a manufacturer, an entertainment company, two retailers, two financial structures, and a critical infrastructure enterprise. In all episodes, access was gained by deceiving support services to reset an employee's password, followed by data exfiltration, sometimes supplemented with encryption for added pressure. The attackers then demanded money for decryption or a promise not to publish the stolen data. In five cases, the victims transferred at least $89.5 million in Bitcoin in total; the two largest payments came from banks—equivalents of over $25 million and $36.2 million.

Some of the fund flows from the victims' addresses were traced to a node that, according to the FBI, was controlled by Jubair. During the infrastructure seizure, agents confiscated approximately $36 million in cryptocurrency from wallets on this server, though the suspect had managed to transfer about $8.4 million to another address in July 2024.

Additional evidence came from correspondence and files. In October 2023, via a Telegram account with the handle "Brad" and the pseudonym "autistic," he discussed attacks on about forty companies with an accomplice and reported that one victim was ready to transfer twenty-five million. Later that same day, the corresponding payment was indeed made, after which the suspect notified his partner about the distribution of proceeds from two companies.

Blockchain tracing showed that five gaming certificates were purchased from one of the seized addresses. This activity led to a gamer profile accessed using credentials registered to Jubair's apartment. Information from the delivery service confirmed orders delivered to his residential complex, including in mid-May 2024.

Correspondence found on the server also contained another pseudonym—"Austin." In a conversation dated April 7, 2024, a user under this name mentioned recently turning eighteen; a check revealed that Jubair's birthday had indeed occurred about three weeks prior to that date.

Analysts positively assessed the coordination of law enforcement on both sides of the Atlantic. According to Adam Meyers, head of Counter Adversary Operations at CrowdStrike, the arrests will weaken Scattered Spider in the near term and demonstrate the effectiveness of data sharing between government agencies and businesses: coordinated actions can disrupt groups inflicting serious damage on international companies.

Jubair's story illustrates a typical flaw of cybercriminals: a carefully constructed scheme collapses due to everyday habits and traces left by routine purchases on digital services.