The Register

Scattered Spider teen cuffed after buying games and meals with extortion bitcoin

Thalha Jubair, one of the two UK teens arrested on Tuesday and accused of being members of the notorious Scattered Spider cybercrime gang, allegedly played a role in bilking more than 100 organizations out of at least $115 million in ransom payments. The cops nabbed him after following a number of clues, including gift-card purchases made from a wallet on the same server that also held wallets receiving extortion payments.

Scattered Spider, a SIM-swapping turned social-engineering and ransomware group, has been around since at least 2022, and saw at least seven of its members arrested last year following the high-profile Las Vegas casino digital heists.

The group has been blamed for several high-profile retail intrusions in April, but 19-year-old Jubair of East London and 18-year-old Owen Flowers of Walsall appeared in a British court on Thursday over a different matter: their alleged roles in a cyberattack on Transport for London last year.

On the other side of the Atlantic, acting US Attorney Alina Habba announced criminal charges against Jubair, saying he “went to great and sophisticated lengths to keep himself anonymous,” while taking part in about 120 network intrusions, including at least 47 US-based organizations.

Jubair also allegedly made some critical operational-security mistakes that pointed investigators to his ransomware activity.

Perhaps the most incriminating: Somebody took cryptocurrency from a wallet on a server that also held ransom funds and bought gaming gift cards tied to an account in Jubair’s name, as well as food-delivery gift cards, which were then used to order takeout to the apartment complex where he lived.

In court documents [PDF] unsealed on Thursday, the US Justice Department charged Jubair with conspiracies to commit computer fraud, wire fraud, and money laundering related to at least 120 Scattered Spider computer network intrusions and extortion attacks between May 2022 and this month. 

Victims include US courts

The criminal complaint only names one of Jubair’s victims: the United States federal court system. This digital intrusion occurred in early January, and followed a classic Scattered Spider playbook:

The digital thieves then used the stolen credentials to access accounts belonging to three users, one of whom is a federal magistrate judge, and searched the judge’s inbox for terms including “subpoena,” the name of a charged cybercriminal, and “scattered spider,” according to the complaint.

Additionally, the crooks allegedly used one of the compromised accounts to send a message to a financial services provider requesting the emergency disclosure of customer account information. 

The other seven US-based victims aren’t named, but rather identified as Company-1 through Company-7. They include a manufacturer, an entertainment firm, two retailers, two financial services companies, and a critical infrastructure firm.

In all of these cases, after gaining access to the companies’ networks – usually via social engineering (often targeting helpdesks) and convincing them to reset another worker’s password – the crooks stole sensitive data, sometimes encrypted it, and then demanded a ransom payment for its return or decryption. 
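The helpdesk-reset pattern above is detectable if the identity logs are correlated. As an added example (not code from the article, the court filings, or any named vendor), the following Python routine scans a constructed, hypothetical identity-event log and flags a user whose password was reset by a helpdesk operator and who then, within a short window, signed in from a never-before-seen device or registered a new MFA method. The event names, field names, time window and sample log lines are all assumptions chosen for illustration.

```python
"""
Added example: detect a helpdesk-assisted password reset that is followed
shortly by a sign-in from an unseen device or a new MFA registration.
The log format below is hypothetical and constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample events: ISO time, event name, then key=value fields.
# These lines are made up for the example and do not come from any real system.
SAMPLE_LOG = """\
2024-01-03T09:12:00Z HELPDESK_PASSWORD_RESET user=jdoe actor=helpdesk01 device=-
2024-01-03T09:20:00Z LOGIN user=jdoe actor=jdoe device=DEV-NEW-7781
2024-01-03T09:21:00Z MFA_METHOD_ADDED user=jdoe actor=jdoe device=DEV-NEW-7781
2024-01-03T10:00:00Z LOGIN user=asmith actor=asmith device=DEV-1234
2024-01-02T11:00:00Z LOGIN user=bjones actor=bjones device=DEV-5555
2024-01-04T08:00:00Z HELPDESK_PASSWORD_RESET user=bjones actor=helpdesk02 device=-
2024-01-04T08:30:00Z LOGIN user=bjones actor=bjones device=DEV-5555
"""

# Assumed correlation window: activity this soon after a reset is worth a look.
WINDOW = timedelta(hours=2)


def parse_line(line):
    """Parse one hypothetical log line into a dict."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": fields["user"],
        "actor": fields["actor"],
        "device": fields["device"],
    }


def parse_log(text):
    """Parse all non-empty lines and sort them chronologically."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_resets(events, window=WINDOW):
    """
    Return a list of (user, reset_time, reasons) for each helpdesk reset
    followed, within `window`, by a login from a device the user had not
    used before the reset or by a new MFA method being added.
    """
    known_devices = {}  # user -> devices seen in logins so far
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] == "LOGIN":
            known_devices.setdefault(ev["user"], set()).add(ev["device"])
        if ev["event"] != "HELPDESK_PASSWORD_RESET":
            continue
        # Snapshot of devices seen *before* the reset; later logins are judged against it.
        seen_before = set(known_devices.get(ev["user"], set()))
        reasons = []
        for later in events[i + 1:]:
            if later["user"] != ev["user"]:
                continue
            if later["time"] - ev["time"] > window:
                break  # events are sorted, so nothing further is in the window
            if later["event"] == "LOGIN" and later["device"] not in seen_before:
                reasons.append(f"login from new device {later['device']}")
            if later["event"] == "MFA_METHOD_ADDED":
                reasons.append("new MFA method registered")
        if reasons:
            alerts.append((ev["user"], ev["time"], reasons))
    return alerts


if __name__ == "__main__":
    for user, when, reasons in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {user}: " + "; ".join(reasons))
```

Run against the constructed sample, the routine flags only jdoe (reset, then a login from an unseen device and a new MFA method within minutes) and stays quiet for bjones, whose post-reset login came from a device already on record. In a real deployment the same logic would read the identity provider's audit log rather than an inline string, and the window and "known device" definition would be tuned to the environment.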

In five of these intrusions, the victim company paid ransom demands totaling at least $89.5 million in bitcoin at the time of payment. In a couple of the attacks detailed in the court documents, the organization paid the extortionists two separate sums of money. The two highest ransom payouts, paid by the two financial institutions, were the bitcoin equivalent of more than $25 million and $36.2 million.

Portions of ransom payments from at least five victims were traced to wallets on a server the FBI says Jubair controlled, and agents later seized about $36 million in cryptocurrency from wallet(s) on that server.

Incriminating messages, files, wallets

In July 2024, during the seizure operation, Jubair allegedly moved about $8.4 million in cryptocurrency from a wallet on that server to another wallet.

Several documents recovered from the server plus online chats also indicate Jubair was involved in these digital break-ins. 

In October 2023, he used a Telegram account with the identifier “Brad” and the handle @autistic to discuss cyber intrusions at about 40 companies with another co-conspirator, at one point telling them that Victim Company-4 indicated they would pay $25 million. “they’re getting the btc now,” Jubair allegedly messaged his fellow crim.

“Later that day…Victim Company-4 paid a ransom worth approximately $25 million. Shortly after that payment, JUBAIR explained that he would pay the Co-Conspirator a portion of the payments JUBAIR received from Victim Companies-3 and -4,” the court documents say.

Additionally, blockchain analysis revealed that cryptocurrency held in a wallet discovered on the seized server was used to purchase two gift cards for a food delivery company:

One of these wallets was also used to purchase five gift cards for a gaming company, and investigators found that activity linked back to a gaming account accessed using credentials registered to Jubair at his residence.

In addition, conversations recovered from the seized server show that on April 7, 2024, someone using the moniker “Austin” – another one of Jubair’s online aliases, according to the DOJ – told another individual that he “turned 18 three weeks ago.” “The investigation has revealed that JUBAIR’s 18th birthday was approximately three weeks before this conversation,” according to the court documents.

Infosec analysts cheered the Thursday arrests, with CrowdStrike’s Head of Counter Adversary Operations Adam Meyers calling them “a significant blow to one of the most disruptive eCrime groups operating today.

“This coordinated law enforcement action will likely degrade Scattered Spider’s operations in the near term,” Meyers told The Register. “More importantly, it sends a message: cybercriminals who aggressively extort and disrupt are not beyond reach. But this isn’t just about arrests — it demonstrates the impact of strong public-private collaboration — when law enforcement and industry share intelligence and act decisively, we can disrupt operations that are inflicting real damage on global businesses.”

Jubair isn’t the first cybercrook to make dumb mistakes that will likely cost him his freedom. Even criminals need to eat. And play online games.®
