Introduction: A Landmark Moment in Cybercrime Prosecution
In a significant development for international cybersecurity, two core members of the notorious cybercrime syndicate "Scattered Spider" have pleaded guilty to a sweeping array of criminal charges in the United Kingdom. Thalha Jubair, 20, and Owen Flowers, 18, admitted to their roles in a sophisticated criminal enterprise that crippled critical infrastructure, targeted major global retailers, and orchestrated high-stakes phishing campaigns that netted millions of dollars.
Their guilty pleas, entered on the first day of what was slated to be a rigorous six-week trial, mark a turning point in the global effort to dismantle one of the most prolific and disruptive hacking groups in recent history. The duo, whose digital fingerprints were found on everything from the paralysis of London’s public transport network to the systematic theft of cryptocurrency across the United States, are now awaiting sentencing, signaling an end to their reign as high-profile cyber-extortionists.
Main Facts: The Scope of the Charges
The charges against Jubair and Flowers highlight the diverse and destructive nature of Scattered Spider’s operations.
The Transport for London (TfL) Attack
In August 2024, the public transport network of Greater London—a critical artery for the city—was brought to its knees by a massive cyberattack. The incident caused widespread disruption for millions of commuters, highlighting the vulnerability of modern urban infrastructure. Both Jubair and Flowers entered guilty pleas for conspiring to perform unauthorized acts against the TfL computer systems, with prosecutors successfully arguing that their actions created a substantial risk of serious damage to human welfare.
Beyond the UK: A Transatlantic Crime Spree
The criminal activity of these two individuals was not confined to British borders. Court documents reveal that Flowers played an active role in a conspiracy to infiltrate U.S.-based healthcare providers, specifically SSM Health Care Corporation and Sutter Health, in September 2024.
Jubair, meanwhile, faces separate, severe indictments in the United States. A New Jersey federal court unsealed an indictment in September 2025 alleging that he, alongside other Scattered Spider cohorts, participated in 120 separate network intrusions across 47 U.S. entities between May 2022 and September 2025. The scale of the financial damage is staggering: authorities estimate the group successfully extorted at least $115 million in ransom payments from their victims.
Chronology of a Digital Rampage
The rapid ascent and subsequent prosecution of these individuals can be traced through several key milestones:
- Summer 2022: The group launches a massive, systematic SMS phishing campaign targeting hundreds of organizations. This campaign, which exploited employee credentials, led to data breaches at companies including LastPass, DoorDash, Mailchimp, Plex, and Signal.
- September 2023: Scattered Spider executes a high-profile ransomware attack on MGM Resorts and Caesars Entertainment, causing chaos in Las Vegas. Evidence suggests Flowers served as the group’s media spokesperson, giving interviews to the press following the breach.
- August 2024: The attack on Transport for London (TfL) occurs, bringing public transit to a standstill.
- July 2025: UK authorities arrest Flowers and Jubair. Investigations link them to previous attacks on retail giants Marks & Spencer, Harrods, and the Co-op Group.
- September 2025: U.S. prosecutors unseal an indictment against Jubair, detailing years of fraud and money laundering.
- April 2026: Fellow Scattered Spider member Tyler “Tylerb” Buchanan pleads guilty in U.S. courts to wire fraud and identity theft.
- June 2026: Flowers and Jubair enter their guilty pleas in the UK, setting the stage for their sentencing in July.
Supporting Data: Modus Operandi and The "Star Chat" Network
The investigation into Jubair and Flowers has provided unprecedented insight into how Scattered Spider operated. A central piece of the puzzle was "Star Chat," a Telegram-based hub co-run by Jubair.
SIM-Swapping and Phishing
Star Chat served as a clearinghouse for SIM-swapping—a technique where attackers hijack a victim’s phone number by convincing a telecommunications provider to transfer the service to a device they control. By intercepting SMS-based multi-factor authentication (MFA) codes, the group gained unauthorized access to secure corporate networks.

The group’s efficiency was bolstered by sophisticated phishing techniques. Jubair’s past activities, including his early work under the hacker handle “Everlynn,” reveal a pattern of exploiting institutional trust. At just 15 years old, he was reportedly selling fraudulent “emergency data requests” (EDRs), using compromised law enforcement email accounts to trick tech companies into handing over private user data. This early exposure to the mechanics of social engineering provided the foundation for his later, more destructive exploits.
Official Responses and Global Cooperation
The prosecution of Scattered Spider is a testament to the success of international intelligence sharing. Agencies such as the UK’s National Crime Agency (NCA) and the U.S. Department of Justice (DOJ) have worked in tandem to trace the digital breadcrumbs left by the hackers.
The Legal Fallout
The U.S. government remains aggressive in its pursuit of the remaining syndicate members. Tyler Buchanan, who pleaded guilty earlier this year, is awaiting sentencing, while other key figures—including Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans—remain under active indictment. The sentence handed down to Noah Michael Urban in August 2025—10 years in federal prison and $13 million in restitution—serves as a clear warning to those involved in the Scattered Spider enterprise that the long arm of the law is catching up with them.
Implications: The Future of Infrastructure Security
The guilty pleas of Jubair and Flowers serve as a grim reminder of the fragility of the digital age. The shift from targeting purely financial institutions to attacking public infrastructure like transport networks signals a dangerous evolution in cyber-warfare.
Protecting the Public Interest
The "risk to human welfare" argument used in the TfL case is a significant shift in legal strategy. By elevating cyberattacks from simple property crimes to threats against public safety, prosecutors are setting a precedent that will likely lead to harsher sentencing for future defendants.
Cybersecurity Resilience
For organizations, the lesson of Scattered Spider is clear: identity is the new perimeter. The group’s ability to bypass MFA through SIM-swapping and SMS phishing underscores the need for hardware-based security keys and more robust identity verification protocols. The era of relying solely on SMS-based authentication is effectively over for companies that wish to avoid becoming the next headline.
A Closing Chapter
As July 15, 2026, approaches—the scheduled date for the sentencing of Flowers and Jubair in London—the global cybersecurity community will be watching closely. While the removal of these two key figures is a major victory, it is not the end. Scattered Spider, like many decentralized hacking collectives, has proved resilient. However, the successful prosecution of its core members demonstrates that even the most "prolific" digital syndicates are not beyond the reach of international justice.
The collapse of this specific cell provides a blueprint for future investigations, proving that when the private sector, national law enforcement, and international courts cooperate, the anonymity afforded by the dark web can be stripped away, holding individuals accountable for the chaos they sow in the physical world.

