In a landmark moment for international cybersecurity enforcement, two young British men appeared before a London court this week, marking a significant victory against "Scattered Spider," a prolific and destructive cybercrime syndicate that has terrorized global corporations and public infrastructure for years.
Thalha Jubair, 20, of East London, and 18-year-old Owen Flowers of Walsall, entered guilty pleas on the first day of what was originally scheduled to be a six-week trial. The duo admitted to a litany of charges, including conspiring to commit unauthorized acts against the computer systems of Transport for London (TfL)—the backbone of the Greater London public transit network—and causing a substantial risk to human welfare. Their admission of guilt brings a swift, if somber, conclusion to a legal saga that underscores the growing sophistication of juvenile-led cybercrime rings.
The August 2024 TfL Crippling
The August 2024 attack on Transport for London served as a stark reminder of the vulnerability of modern urban infrastructure. By infiltrating the agency’s internal networks, Jubair and Flowers effectively paralyzed the digital operations of one of the world’s most complex transit systems. The intrusion disrupted ticketing, real-time travel updates, and internal administrative workflows, causing chaos for millions of commuters and raising alarm bells regarding the security of critical national infrastructure.
Prosecutors highlighted that the damage went beyond mere technical disruption; the attack posed a legitimate threat to human welfare by destabilizing the logistical heartbeat of a major global city. The guilty pleas from Jubair and Flowers confirm that the duo were not peripheral actors, but core members of the Scattered Spider collective—a group that has transitioned from opportunistic social engineering to high-stakes, multi-million-dollar ransomware operations.
A Chronology of Digital Deceit
The rise and eventual prosecution of these individuals offer a chilling timeline of rapid escalation.
The 2022 Phishing Spree
Before their notoriety in the ransomware world, Jubair and his associates were central figures in a mass SMS phishing campaign that took place in the summer of 2022. Using a sophisticated infrastructure, the group targeted employees across hundreds of companies, harvesting single sign-on (SSO) credentials. This campaign resulted in the breach of over 130 organizations, including high-profile tech entities like LastPass, DoorDash, Mailchimp, Plex, and the secure messaging service Signal.
The Rise of "Star Chat" and SIM Swapping
Central to Jubair’s operational history was the management of "Star Chat," a Telegram-based hub for cybercriminals. The group specialized in SIM-swapping—a method of hijacking a target’s phone number to bypass multi-factor authentication (MFA). By compromising internal employee tools at major telecommunications providers, the group could intercept one-time codes, effectively handing them the "keys to the kingdom" for their victims’ corporate accounts.
The "Everlynn" Era
Records reveal that as early as age 15, Jubair—operating under the handle "Everlynn"—was already crafting malicious social engineering schemes. One of his signature tactics involved the sale of fraudulent "emergency data requests." By spoofing police and government email addresses, he coerced tech companies into turning over sensitive user data—such as IP addresses and account details—by framing the requests as life-or-death emergencies.
The 2023 Casino Disruptions
Owen Flowers, the younger of the two defendants, is widely identified by security researchers as the individual who acted as the media mouthpiece for the group following the September 2023 ransomware attacks on MGM Resorts and Caesars Entertainment. These attacks, which crippled the Las Vegas gaming industry for days, were a turning point for Scattered Spider, proving they could hold massive, publicly traded companies hostage.
Supporting Data: The Cost of Chaos
The financial impact of Scattered Spider is staggering. According to a U.S. indictment unsealed in September 2025, the group’s activities between May 2022 and September 2025 involved at least 120 separate network intrusions across 47 U.S. entities.

- Ransom Totals: Victims of the group are estimated to have paid at least $115 million in ransom demands.
- Cryptocurrency Theft: Co-conspirators, including the already-convicted Tyler "Tylerb" Buchanan, utilized harvested credentials to siphon at least $8 million in cryptocurrency from victims.
- Global Reach: The group’s portfolio of victims reads like a Fortune 500 list, ranging from British retail giants like Marks & Spencer, Harrods, and the Co-op Group to U.S.-based healthcare providers like SSM Health Care Corporation and Sutter Health.
Official Responses and International Cooperation
The prosecution of Jubair and Flowers is a testament to the seamless collaboration between the UK’s National Crime Agency (NCA) and the U.S. Department of Justice.
The U.S. legal system is far from finished with these defendants. Jubair remains under indictment in New Jersey, where he faces charges of computer fraud, wire fraud, and money laundering. These charges stem from the vast web of intrusions that define the Scattered Spider legacy.
In parallel, the U.S. Department of Justice continues to pursue other key members of the organization. Defendants such as Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans are still awaiting their day in court. This multi-jurisdictional approach reflects a growing international consensus: cybercrime, particularly when it targets critical infrastructure, will be met with the full force of the law, regardless of borders.
Implications for Global Cybersecurity
The sentencing of Jubair and Flowers, scheduled for July 15, 2026, marks the end of a chapter, but the broader implications for the cybersecurity landscape remain profound.
1. The Death of "Immunity"
The arrest and conviction of these young hackers signal to other cybercriminals that age and geography provide no shield. For years, groups like Scattered Spider operated with a sense of impunity, believing their digital masks were impenetrable. The successful tracking and identification of these individuals by law enforcement demonstrate that even the most tech-savvy attackers leave a trail—be it through financial transactions, server logs, or interpersonal chatter.
2. The Vulnerability of MFA
The group’s success in bypassing multi-factor authentication through SIM-swapping and SMS phishing has forced a massive industry-wide re-evaluation of security protocols. Corporations are now being urged to move away from SMS-based authentication in favor of hardware security keys and more robust, non-phishable MFA solutions.
3. The Rise of "Cyber-Terrorism" Definitions
The charges brought against the duo for causing a "risk of serious damage to human welfare" represent a shift in how authorities view cyberattacks. By linking the disruption of transport networks directly to public safety, prosecutors are increasingly framing such attacks not as mere corporate theft, but as a form of social destabilization. This legal evolution may lead to harsher sentencing guidelines for future cyber-criminals who target public services.
4. The Future of Scattered Spider
While the leadership of the group has been significantly thinned by recent arrests—including the 10-year prison sentence handed down to Noah Michael Urban in August 2025—the decentralized nature of Scattered Spider suggests that the threat is not entirely eliminated. The group’s reliance on loose networks of young, tech-proficient individuals means that as long as the financial incentives remain, new, younger actors may attempt to fill the void.
As the London court prepares to hand down its verdict this July, the tech industry, law enforcement, and the public are left with a clear takeaway: the era of the "faceless" hacker is coming to an end. Through international cooperation and persistent forensic investigation, the digital shadows in which these groups hide are rapidly illuminating, one indictment at a time.
