The Fall of a Cyber Syndicate: Inside the Scattered Spider Prosecution

In a landmark moment for international cybersecurity enforcement, two young British men appeared before a London court this week to enter guilty pleas for their roles in a series of high-stakes cyberattacks. The defendants, 20-year-old Thalha Jubair of East London and 18-year-old Owen Flowers of Walsall, were key operatives within "Scattered Spider," a prolific and elusive cybercrime collective that has wreaked havoc on global infrastructure, major retailers, and the U.S. healthcare sector.
The guilty pleas, entered on the first day of what was slated to be a grueling six-week trial, mark a significant victory for the United Kingdom’s National Crime Agency (NCA) and their counterparts in the United States. The pair admitted to conspiring to commit unauthorized acts against the computer systems of Transport for London (TfL)—the backbone of the Greater London public transport network—in August 2024. Their actions not only caused widespread operational chaos but, according to the charges, created a substantial risk of serious damage to human welfare.
The Architect of Chaos: The Rise and Fall of Jubair and Flowers
The criminal careers of Jubair and Flowers, though brief, were remarkably destructive. Both men had long been on the radar of international law enforcement, having transitioned from youthful digital mischief to sophisticated, high-stakes cybercrime that netted tens of millions of dollars in illicit profits.
For Thalha Jubair, the legal web spans the Atlantic. In September 2025, U.S. prosecutors in New Jersey unsealed a sweeping indictment against him. The charges, which include computer fraud, wire fraud, and money laundering, detail a campaign of 120 network intrusions targeting 47 U.S. entities between May 2022 and September 2025. Investigations suggest that victims of the Scattered Spider group paid at least $115 million in ransom payments during this period.
Owen Flowers, meanwhile, has been identified by multiple sources as a primary public face of the group. Reports indicate that Flowers was the anonymous voice behind several media interviews granted in the immediate aftermath of the devastating September 2023 ransomware attacks on MGM Resorts and Caesars Entertainment in Las Vegas. These attacks, which brought the operations of some of the world’s largest casino conglomerates to a standstill, were the hallmark of Scattered Spider’s aggressive tactics.
A Chronology of Digital Predation
The operational history of Scattered Spider is a masterclass in modern, multi-vector cybercrime. Their methodology shifted from simple social engineering to complex, multi-stage network compromises.
The 2022 SMS Phishing Wave
The group’s footprint grew significantly during the summer of 2022, when they launched a massive SMS phishing campaign. By impersonating corporate IT departments, they harvested single sign-on credentials from employees at hundreds of companies. This campaign resulted in successful data thefts at organizations including LastPass, DoorDash, Mailchimp, Plex, and Signal.
The Rise of "Star Chat" and SIM Swapping
Jubair was a central figure in the "Star Chat" Telegram channel, a hub for a specialized SIM-swapping ring. By leveraging voice- and SMS-based phishing against employees at major telecommunications providers in the U.S. and U.K., the group gained the ability to redirect victim phone numbers to attacker-controlled devices. This allowed them to intercept two-factor authentication codes, effectively bypassing the security measures meant to protect high-value corporate accounts.

The "Everlynn" Era: Emergency Data Requests
Before his full immersion into ransomware, investigators identified a young Jubair using the handle "Everlynn." At the age of 15, he was already orchestrating fraudulent "emergency data requests." By compromising law enforcement and government email accounts, he successfully tricked major tech companies into releasing private user data—such as IP addresses and account details—by claiming the requests were matters of life and death, thereby circumventing the need for legal warrants.
The 2024 TfL Crippling
The August 2024 attack on Transport for London served as a catalyst for their eventual apprehension. By paralyzing the systems responsible for managing London’s buses, trains, and ticketing, the group drew the immediate and focused ire of British law enforcement, which prioritized the investigation into a full-scale multi-agency operation.
Supporting Data: The Global Scope of Scattered Spider
The scale of the damage caused by Scattered Spider is reflected in the growing number of prosecutions and the sheer volume of financial loss.
- Financial Impact: Prosecutors allege that through the 2022 phishing campaign alone, Jubair, Tyler Buchanan, and their co-conspirators siphoned at least $8 million in cryptocurrency from victims across the United States.
- Targeting Retail: In July 2025, investigations linked Flowers and Jubair to ransomware attacks against high-profile British retailers, including Harrods, Marks & Spencer, and the Co-op Group.
- The "Tylerb" Connection: In April 2026, 24-year-old Tyler "Tylerb" Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft. His sentencing, scheduled for October, serves as a precursor to the final adjudication of the wider group.
- The Florida Connection: The reach of the group extended deep into the United States. Noah Michael Urban, a 20-year-old from Florida, was sentenced to 10 years in federal prison in August 2025 and ordered to pay $13 million in restitution for his role as a key SIM-swapper for the collective.
Official Responses and International Cooperation
The sentencing of these individuals represents an unprecedented level of cooperation between the UK’s National Crime Agency and the U.S. Department of Justice (DOJ). The DOJ continues to pursue other members of the syndicate, with indictments currently active against several high-ranking members, including Ahmed Hossam Eldin Elbadawy (a.k.a. "AD"), Evans Onyeaka Osiebo, and Joel Martin Evans (a.k.a. "joeleoli").
"These prosecutions send a clear message," stated a spokesperson for the NCA. "Whether you operate from a bedroom in London or a basement in Texas, the international reach of law enforcement is closing the gap. The era of impunity for these digital extortionists is ending."
Implications for Global Cybersecurity
The conviction of Jubair and Flowers highlights several critical vulnerabilities in the modern corporate ecosystem:
- The Human Element: The group’s reliance on social engineering—phishing, SIM swapping, and impersonating police—proves that even the most advanced technical security is only as strong as the human at the terminal.
- The Multi-Stage Threat: Scattered Spider did not rely on one technique. They evolved from credential harvesting to ransomware deployment, proving that attackers are increasingly modular in their approach.
- The Regulatory Burden: The group’s ability to exploit "emergency data requests" has forced major tech companies to overhaul their legal compliance departments, as they must now balance the need for rapid response to real emergencies with the reality of sophisticated, impersonation-based fraud.
- A Shift in Prosecution: By targeting the core infrastructure of the group (such as the Telegram channels and the core leadership), law enforcement is proving that they can dismantle decentralized, loosely affiliated hacking collectives by focusing on the "nodes" that connect them.
As the London court prepares to sentence Flowers and Jubair on July 15, 2026, the cybersecurity community remains on high alert. While these convictions are a significant blow to the Scattered Spider infrastructure, the proliferation of the tactics used by these men—particularly the commodification of SIM-swapping and social engineering—suggests that the threat landscape will continue to evolve, requiring constant vigilance and international collaboration to keep pace with the next generation of cyber criminals.
