Teen arrested in UK was a core figure in Scattered Spider’s operations
The 19-year-old U.K. national who was arrested at his London residence last week was a highly prolific cybercriminal and a core member of the nebulous hacker subset of The Com, researchers told CyberScoop.
Authorities’ yearslong quest to uncover the identities of Scattered Spider associates and charge them with serious crimes reached a tipping point with last week’s arrest of Thalha Jubair, who is accused of direct, prominent involvement in at least 120 cyberattacks, including extortion of 47 U.S.-based organizations and the January attack on the U.S. federal court system.
Authorities said they traced a combined total of at least $89.5 million in cryptocurrency, at the time of payments, to Bitcoin addresses and servers controlled by Jubair. Two financial services firms paid Jubair $25 million and $36.2 million, respectively, in Bitcoin between June and November 2023, according to an unsealed criminal complaint against Jubair.
The high number of attacks and ransom payments officials linked to Jubair highlights the central role he played in attacks more broadly attributed to Scattered Spider. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said Jubair was one of the principal operators behind the loose-knit cybercrime network.
“He was one of the four principal people that we associated with Scattered Spider,” and one of the two most core players, Meyers told CyberScoop.
Other cybercrime experts shared similar assessments of Jubair’s involvement and importance to Scattered Spider’s sweeping extortion scheme. While The Com, of which Scattered Spider is an offshoot, doesn’t operate with formal leaders in the traditional sense, Jubair acted as a leader, said Jon DiMaggio, chief security strategist at Analyst1.
“There are many other pockets of activity within the broader collective, and I would consider Jubair a leader within several of the clusters he supported and influenced,” DiMaggio said.
Flashpoint analysts described Jubair as a large player within these communities who participated in attacks against multiple sectors for years. “Their growth and evolution appear consistent with the growth and scale of attacks ascribed to Scattered Spider,” analysts at the threat intelligence company said in an email.
Federal authorities attribute Scattered Spider to attacks on organizations in many sectors, including manufacturing, entertainment, retail, aviation, insurance, finance, business process and customer service outsourcing, construction, hospitality, technology, telecommunications and multiple forms of critical infrastructure. Victims of those attacks paid at least $115 million in ransom payments, authorities said.
“They were cleaning up, and this is just the amount the FBI knows about,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in a post on LinkedIn.
Researchers knew the identity of Jubair, who went by many aliases online including “EarthtoStar,” “Brad,” “Austin,” “Everylynn” and “@autistic,” for more than a year. He was on their radar, and even more so after law enforcement seized cryptocurrency worth about $36 million at the time on wallets stored on a server allegedly controlled by Jubair in July 2024.
“It did take several years and they had quite a run when everybody was paying attention to them,” Meyers said. Officials “knew who he was a year ago. I think what it highlights is that they needed a way to be able to make a case, which is where law enforcement, frankly, ends up at a bit of a disadvantage.”
Investigators bolstered their case against Jubair through blockchain analysis. Officials said they traced cryptocurrency transactions from a wallet on a server Jubair controlled to gift card purchases that were used for a food delivery service to his apartment complex and a gaming account.
“His arrest underscores the difficulties in remaining anonymous online,” Flashpoint analysts said.
While Jubair was “extremely careful,” using an amnesiatic operating system — which is designed to forget everything a user does after it’s shut down — and virtual private networks, according to Meyers, his personal activity led investigators to his doorstep.
Jubair faces charges in the United Kingdom and United States. U.K. authorities last week charged him for crimes related to the cyberattack on the Transport for London in September 2024. He was also charged in the U.S. District Court for the District of New Jersey with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy.
The Justice Department hasn’t said if efforts are underway to extradite Jubair to the United States, where he faces up to 95 years in prison if convicted.
While veteran threat hunters hail Jubair’s arrest, they remain exasperated by the persistent challenges and delays that were highlighted by a case involving a known and allegedly highly prolific cybercriminal.
“It took a long time. There’s still a lot of frustration in how long it took, and how much information we had on these guys and the way that the investigation went down,” Meyers said.
Nonetheless, Jubair’s “arrest is a big deal, maybe one of the biggest in this circle,” DiMaggio said.
“Given Jubair’s alleged involvement across many operations and aliases, removing him likely hurts how things are done in multiple criminal clusters. It might force others to change how they operate or slow some attacks,” he added.
“But because the group is spread out and loosely organized, I don’t think this one arrest stops things entirely,” DiMaggio said. Jubair’s arrest is “very impactful, and among the most important arrests in The Com so far, but we shouldn’t assume it’s a knockout blow.”
