
Teen Hacker Linked to $115M Cybercrime Spree Caught by Food Delivery Order

A UK teenager allegedly part of the Scattered Spider cybercrime group has been charged in the U.S. after investigators linked him to a $115M scheme.

By Leo Harding

Leo Harding is a technology and security correspondent for Wealtoro, specializing in cybersecurity, financial crime, and the regulatory landscape for digital assets. He reports on major cyberattacks, law enforcement actions, and their economic impact.


A British teenager has been charged in the United States for his alleged central role in the Scattered Spider cybercrime group, a notorious gang accused of extorting at least $115 million from over 100 organizations. According to court documents, investigators tracked the 19-year-old after he allegedly used cryptocurrency from ransom payments to purchase gift cards for video games and food deliveries sent to his home address.

Key Takeaways

  • Thalha Jubair, 19, of East London, faces US charges for conspiracy to commit computer fraud, wire fraud, and money laundering.
  • The Scattered Spider group is accused of extorting over $115 million through ransomware and data theft from at least 120 organizations.
  • Investigators linked Jubair to the crimes after he allegedly used stolen funds to buy gaming gift cards and order food to his apartment.
  • The FBI has seized approximately $36 million in cryptocurrency allegedly controlled by Jubair.
  • The group's targets included the U.S. federal court system, financial institutions, and critical infrastructure companies.

US Charges Unsealed Following UK Arrest

Thalha Jubair, 19, was arrested in the United Kingdom alongside 18-year-old Owen Flowers of Walsall. While the two appeared in a British court for their alleged involvement in a cyberattack on Transport for London, Jubair faces separate and extensive charges in the United States.

On Thursday, the U.S. Department of Justice unsealed a criminal complaint detailing Jubair's alleged activities. Acting U.S. Attorney Alina Habba stated that Jubair "went to great and sophisticated lengths to keep himself anonymous" while participating in widespread cyberattacks.

The complaint accuses Jubair of involvement in approximately 120 network intrusions between May 2022 and September 2025. At least 47 of these targeted organizations were based in the United States.

Who is Scattered Spider?

Scattered Spider, also known as UNC3944, is a cybercrime group that emerged around 2022. Initially known for SIM-swapping attacks, the group evolved its methods to include sophisticated social engineering and ransomware deployment. Their primary tactic involves impersonating employees to trick IT helpdesks into resetting passwords and granting them network access.

A Trail of Digital Crumbs

Despite efforts to maintain anonymity, investigators uncovered critical mistakes that allegedly linked Jubair directly to the criminal enterprise. The most significant error involved the use of cryptocurrency from wallets containing ransom payments for personal purchases.

According to the criminal complaint, funds from a server allegedly controlled by Jubair were used to buy gift cards for a gaming company and a food delivery service.

The gaming gift cards were redeemed on an account registered in Jubair's name and associated with his home address. Similarly, the food delivery gift cards were used for an account that placed orders delivered to Jubair's apartment complex as recently as May 2024.

$89.5 Million in Ransom Paid: Court documents detail how five of the U.S. victim companies paid ransoms totaling at least $89.5 million in bitcoin. Two financial institutions made the largest payments, equivalent to over $25 million and $36.2 million at the time of the transactions.

Incriminating Online Chats

Further evidence cited in the complaint includes recovered online communications. In one instance from October 2023, an individual using the Telegram handle "@autistic" and the name "Brad"—allegedly Jubair—discussed an imminent $25 million ransom payment from a victim company.

"they're getting the btc now," the user allegedly wrote to a co-conspirator. The complaint notes that shortly after this message, the victim company paid a ransom of approximately $25 million.

In another conversation from April 2024, a user with the moniker "Austin," another alleged alias, told someone he had "turned 18 three weeks ago." Investigators noted that this timeline matched Jubair's 18th birthday.

High-Profile Targets and Tactics

The court filings reveal the scale and audacity of the attacks attributed to Scattered Spider. The victims spanned multiple sectors, including manufacturing, entertainment, retail, finance, and critical infrastructure.

One of the most prominent victims named in the complaint is the United States federal court system. In January 2025, the group allegedly gained access to the court's network by tricking a helpdesk into resetting a user's password.

Once inside, they allegedly compromised additional accounts, including that of a federal magistrate judge. They then searched the judge's email inbox for sensitive terms like "subpoena," "scattered spider," and the name of another charged cybercriminal.

The Standard Operating Procedure

The attack on the court system followed the group's typical playbook:

  1. Social Engineering: The attackers contact an organization's IT helpdesk, impersonating an employee to request a password reset.
  2. Network Infiltration: Using the newly acquired credentials, they gain access to the corporate network.
  3. Data Exfiltration: They steal sensitive corporate and customer data.
  4. Ransom Demand: The group then extorts the victim, threatening to release the stolen data unless a ransom is paid, often in cryptocurrency. In some cases, they also deployed ransomware to encrypt the victim's systems.
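
For defenders, the first steps of this sequence can be turned into a detection. The following is an added example, not taken from the article or the complaint: it correlates a helpdesk password reset with a later sign-in from an unfamiliar IP address and with mailbox searches for watch terms like those reported in the court-system intrusion. The event schema, field names, 24-hour window and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)                     # assumed review window after a reset
WATCH_TERMS = ("subpoena", "scattered spider")   # search terms named in the article

# Constructed sample events (hypothetical schema, documentation-range IPs)
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "jdoe", "type": "signin", "ip": "198.51.100.7"},
    {"ts": "2025-01-14T15:02:00", "user": "jdoe", "type": "helpdesk_reset", "agent": "hd-17"},
    {"ts": "2025-01-14T15:09:00", "user": "jdoe", "type": "signin", "ip": "203.0.113.50"},
    {"ts": "2025-01-14T15:20:00", "user": "jdoe", "type": "mail_search", "query": "Subpoena draft"},
    {"ts": "2025-01-15T08:00:00", "user": "asmith", "type": "helpdesk_reset", "agent": "hd-04"},
    {"ts": "2025-01-15T08:05:00", "user": "asmith", "type": "signin", "ip": "198.51.100.9"},
    {"ts": "2025-01-12T08:05:00", "user": "asmith", "type": "signin", "ip": "198.51.100.9"},
]

def detect(events, window=WINDOW, terms=WATCH_TERMS):
    """Return {user: severity} for helpdesk resets followed by suspicious activity."""
    events = sorted(events, key=lambda e: e["ts"])   # tolerate out-of-order input
    seen_ips = {}    # user -> IPs observed outside any post-reset window (baseline)
    reset_at = {}    # user -> time of the most recent helpdesk reset
    alerts = {}
    for e in events:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        in_window = user in reset_at and ts - reset_at[user] <= window
        if e["type"] == "helpdesk_reset":
            reset_at[user] = ts
        elif e["type"] == "signin":
            known = seen_ips.setdefault(user, set())
            if in_window and e["ip"] not in known:
                alerts.setdefault(user, "medium")    # reset, then unfamiliar source
            elif not in_window:
                known.add(e["ip"])                   # only baseline traffic is trusted
        elif e["type"] == "mail_search" and user in alerts and in_window:
            if any(t in e["query"].lower() for t in terms):
                alerts[user] = "high"                # flagged session hunts watch terms
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

Sign-ins seen during the post-reset window are deliberately kept out of the baseline, so an intruder's address cannot become "known" simply by being used right after the reset.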

Law Enforcement and Industry Reaction

The arrests have been met with approval from cybersecurity experts, who view them as a significant step in combating a highly disruptive group. The FBI's investigation successfully traced cryptocurrency transactions and seized approximately $36 million in digital assets from wallets on the server allegedly controlled by Jubair.

Adam Meyers, Head of Counter Adversary Operations at cybersecurity firm CrowdStrike, called the law enforcement action "a significant blow to one of the most disruptive eCrime groups operating today."

"This coordinated law enforcement action will likely degrade Scattered Spider's operations in the near term," Meyers stated. "More importantly, it sends a message: cybercriminals who aggressively extort and disrupt are not beyond reach. This isn't just about arrests — it demonstrates the impact of strong public-private collaboration."

The case highlights a recurring theme in cybercrime investigations: even technically sophisticated actors can be undone by simple operational security failures. For Jubair, the desire for video games and a delivered meal may have provided the final clues needed for his identification and arrest.