US and UK authorities have charged two suspected members of the infamous Scattered Spider cybercrime group with offenses connected to multiple high-profile cyber-attacks.
The pair have been linked to attacks on US courts, a US critical infrastructure firm and the UK’s Transport for London (TfL).
The two UK-based individuals, Thalha Jubair, 19, from East London, and Owen Flowers, 18 from Walsall, were arrested at their home addresses on Tuesday, September 16.
The District of New Jersey unsealed charges against Jubair on September 18, with conspiracies to commit computer fraud, wire fraud and money laundering.
According to the charges, Jubair, also known as “EarthtoStar,” “Brad,” “Austin,” and “@autistic,” conspired with others to use social engineering techniques to gain unauthorized access into the computer networks of victim companies.
Jubair is accused of participation in at least 120 computer network intrusions and extortion involving 47 US entities. It is believed that victims paid at least $115m in ransom payments to Jubair and his associates.
Portions of the ransom payments from at least five victims were sent to wallets on a server controlled by Jubair.
In July 2024, Jubair was observed transferring a portion of cryptocurrency that originated from one of the victims, worth approximately $8.4m at the time, to another wallet, while law enforcement was in the process of seizing the server.
Jubair and associates are accused of involvement in attacks from as early as May 2022 to as recently as September 2025.
FBI Special Agent in charge Stefanie Roddy, said: “The arrest of Thalha Jubair underscores an undeniable truth: no matter how elusive or destructive these cyber-criminal syndicates are, we will continue to pursue those who allegedly extort our businesses and ensure they are held accountable.”
Teenagers Charged with TfL Hack Involvement
The two teenagers have also been charged by UK authorities with offenses connected to the August 2024 cyber-attack on Transport for London (TfL).
They have been charged with conspiring to commit unauthorized acts against TfL under the Computer Misuse Act and appeared in Westminster Magistrates Court on September 18.
Flowers was initially arrested on suspicion of involvement in the TfL hack on September 6, 2024, while aged 17, at which point National Crime Agency (NCA) investigators identified further potential evidence of offences against US healthcare companies.
As a result, he was also charged on September 18, 2025 with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health’s networks, both based in the US.
Jubair has been additionally charged under the UK’s Regulation of Investigatory Powers Act (RIPA) for failing to disclose the pin or passwords for devices seized from him.
The TfL hack impacted sensitive personal data of around 5000 customers. This information included Oyster refund data, encompassing bank account numbers and sort codes.
It reportedly cost the transport operator around £30m ($40.6m), including £5m ($6.7m) on external support to recover from the incident.
New Blow to Scattered Spider
The charges against Flowers and Jubair follow the arrests of four other suspected members of Scattered Spider by UK authorities in July 2025.
The four individuals, three of whom were teenagers at the time of the arrest, are suspected of involvement in the April 2025 the attacks on Marks & Spencer, the Co-op and Harrods.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, described the charges against Jubair and Flowers as a “key step” in a “lengthy and complex investigation.”
“This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure,” he said, “Earlier this year, the NCA warned of an increase in the threat from cybercriminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example.”
Commenting on the charges, Jake Moore, global cybersecurity advisor at ESET and former UK police officer, highlighted the growing success of law enforcement in identifying and collecting evidence to prosecute cybercriminal actors.
However, he warned that there may still be significant challenges in this process.
“Collecting enough solid evidence to produce in court and prosecute is the most difficult aspect in any cybercrime investigation so it will be vital that these agencies work thoroughly towards locating outright proof of their involvement,” he noted.
“It is highly likely that these members of the gang will have reduced their evidence and communication trails down to a bare minimum, if at all, which will cause frustrations in the investigation,” Moore added.
Earlier in September, it was reported that Scattered Spider, along with 14 other ransomware groups, had announced their “retirement.” However, these announcements have been met with skepticism by security experts.
The arrests and charges against Jubair and Flowers followed a collaborative investigation between law enforcement agencies in the UK, the US, the Netherlands, Romania, Canada and Australia.
