The Fall of "Scattered Spider": Inside the Digital Siege of Transport for London

In a landmark development for international cybersecurity enforcement, two young British men have pleaded guilty in a London courtroom to charges stemming from a devastating August 2024 cyberattack that paralyzed Transport for London (TfL), the backbone of the United Kingdom’s capital city transit network. The guilty pleas, entered on the first day of what was slated to be a high-stakes six-week trial, mark a significant victory in the ongoing global effort to dismantle "Scattered Spider," a prolific and elusive cybercrime syndicate that has wreaked havoc on both sides of the Atlantic.
Thalha Jubair, 20, of East London, and 18-year-old Owen Flowers of Walsall, admitted to a litany of charges, including conspiring to commit unauthorized acts against TfL’s computer systems and causing a risk of serious damage to human welfare. The TfL incident, which caused widespread disruption to the millions of daily commuters in Greater London, served as a catalyst that accelerated the legal pursuit of the duo by both the UK’s National Crime Agency (NCA) and U.S. federal authorities.
The Anatomy of the Charges
The criminal careers of Jubair and Flowers, while brief in duration, were prolific in scope. According to the court records, Flowers admitted to an additional conspiracy charge involving the infiltration of U.S.-based healthcare giants SSM Health Care Corporation and Sutter Health in September 2024. These intrusions underscore the group’s willingness to target critical infrastructure and healthcare entities, where the impact of downtime carries life-or-death consequences.
Thalha Jubair’s legal troubles extend well beyond British shores. In September 2025, the U.S. Department of Justice unsealed a sweeping indictment in New Jersey, alleging that Jubair and other Scattered Spider associates orchestrated a massive campaign of computer fraud, wire fraud, and money laundering. The scope of these allegations is staggering: between May 2022 and September 2025, the group reportedly targeted 47 U.S. entities, successfully extorting at least $115 million in ransom payments.
Chronology of a Digital Crime Wave
To understand the rise of Scattered Spider, one must trace the evolution of their tactics—from early social engineering to full-scale corporate extortion.
- Summer 2022: The group launched a sophisticated, large-scale SMS phishing campaign (often referred to as "smishing"). By targeting employees at hundreds of companies, they harvested single sign-on credentials. This campaign resulted in data breaches at high-profile firms including LastPass, DoorDash, Mailchimp, Plex, and Signal.
- September 2023: Scattered Spider gained international infamy for a ransomware attack on MGM Resorts and Caesars Entertainment in Las Vegas. The resulting chaos, which saw hotel systems and casino floors shuttered, was followed by media interviews—now attributed to Flowers—that displayed an brazen level of arrogance typical of the group.
- August 2024: The attack on Transport for London signaled a new phase of aggression against public utilities.
- September 2024: Flowers targeted U.S. healthcare providers, further complicating his legal standing in both jurisdictions.
- July 2025: UK authorities arrested Flowers and Jubair, linking them to earlier ransomware attacks on British retailers, including Marks & Spencer, Harrods, and the Co-op Group.
- April 2026: Tyler "Tylerb" Buchanan, a 24-year-old British national, pleaded guilty to wire fraud and identity theft in the U.S., shedding further light on the group’s inner workings.
- July 2026: The scheduled sentencing of Flowers and Jubair in London serves as the latest milestone in the prosecution of this syndicate.
The Mechanics of Extortion: SIM-Swapping and Star Chat
At the heart of the group’s operations was a Telegram channel known as "Star Chat." Co-run by Jubair, this hub facilitated a cottage industry of cybercrime. The primary service provided was "SIM-swapping," a technique where attackers use voice- and SMS-based phishing to gain control over a victim’s phone number. By intercepting these lines, the group bypassed multi-factor authentication (MFA) codes, effectively turning a target’s mobile device into a key to their corporate network.
Evidence presented by investigators includes receipts from "Star Fraud Chat" showing the successful hijacking of a T-Mobile customer’s account. Investigators believe Jubair used the handle "Rocket Ace" to coordinate these efforts, leveraging internal employee tools stolen from wireless providers.

Perhaps most disturbing is the revelation regarding Jubair’s early start in the criminal underworld. As a 15-year-old using the alias "Everlynn," he reportedly sold fraudulent "emergency data requests." By impersonating law enforcement through compromised government email addresses, he coerced major tech companies into handing over private user data, claiming the requests were matters of life and death.
Supporting Data: The Global Crackdown
The dismantling of Scattered Spider is a collaborative effort between the FBI, the UK’s National Crime Agency, and international partners. The legal landscape for the group is increasingly precarious:
- Noah Michael Urban: In August 2025, the 20-year-old Florida native was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution.
- Tyler Buchanan: Currently awaiting sentencing in October 2026, Buchanan was a key player in the 2022 SMS phishing spree that resulted in the theft of at least $8 million in cryptocurrency.
- The Fugitives: The U.S. Department of Justice continues to pursue other members, including Ahmed Hossam Eldin Elbadawy ("AD"), Evans Onyeaka Osiebo, and Joel Martin Evans ("joeleoli"). These individuals remain at the center of the DOJ’s efforts to fully dismantle the Scattered Spider infrastructure.
Implications for Corporate and Public Security
The case of Scattered Spider serves as a harsh lesson in the vulnerability of modern digital architecture. The group did not rely solely on complex zero-day exploits; they leveraged the weakest link in any security chain: the human element. Through persistent social engineering, SMS phishing, and SIM-swapping, they proved that even the most well-funded organizations—from London’s transport network to global casino conglomerates—are susceptible to disruption.
For Transport for London, the attack resulted in significant financial losses and an erosion of public trust. The incident has prompted a widespread review of cybersecurity protocols across the UK’s public sector, with officials emphasizing the need for robust identity verification and a move away from reliance on SMS-based MFA.
Furthermore, the involvement of minors and young adults in these high-level attacks highlights a shifting demographic in cybercrime. As the "Scattered Spider" members face years, or even decades, behind bars, the digital security community must grapple with a generation of hackers who have matured in a world where tools for mass exploitation are available at the click of a button on platforms like Telegram.
Looking Ahead
As July 15, 2026, approaches—the date Flowers and Jubair are scheduled to be sentenced in London—the international law enforcement community is shifting its focus from reaction to prevention. The success of the NCA and the DOJ in securing these pleas sends a clear message: the borders of the internet are no longer a sanctuary for those who facilitate cyber-terror.
While the "Scattered Spider" name may eventually fade from the headlines as its key members are neutralized, the methods they pioneered remain a blueprint for future threats. The legacy of this group will be a more resilient, albeit more cautious, digital infrastructure, characterized by stricter authentication standards and a heightened awareness of the sophisticated, human-centric tactics that once brought London to a standstill.
