U.S. prosecutors final week levied felony hacking fees in opposition to 19-year-old U.Okay. nationwide Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting not less than $115 million in ransom funds from victims. The costs got here as Jubair and an alleged co-conspirator appeared in a London courtroom to face accusations of hacking into and extorting a number of massive U.Okay. retailers, the London transit system, and healthcare suppliers in the USA.
At a courtroom listening to final week, U.Okay. prosecutors laid out a litany of fees in opposition to Jubair and 18-year-old Owen Flowers, accusing the teenagers of involvement in an August 2024 cyberattack that crippled Transport for London, the entity accountable for the general public transport community within the Larger London space.
A courtroom artist sketch of Owen Flowers (left) and Thalha Jubair showing at Westminster Magistrates’ Court docket final week. Credit score: Elizabeth Cook dinner, PA Wire.
On July 10, 2025, KrebsOnSecurity reported that Flowers and Jubair had been arrested in the UK in reference to current Scattered Spider ransom assaults in opposition to the retailers Marks & Spencer and Harrods, and the British meals retailer Co-op Group.
That story cited sources near the investigation saying Flowers was the Scattered Spider member who anonymously gave interviews to the media within the days after the group’s September 2023 ransomware assaults disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Leisure.
The story additionally famous that Jubair’s alleged handles on cybercrime-focused Telegram channels had far lengthier rap sheets involving a few of the extra consequential and headline-grabbing information breaches over the previous 4 years. What follows is an account of cybercrime actions that prosecutors have attributed to Jubair’s alleged hacker handles, as informed by these accounts in posts to public Telegram channels which can be intently monitored by a number of cyber intelligence companies.
EARLY DAYS (2021-2022)
Jubair is alleged to have been a core member of the LAPSUS$ cybercrime group that broke into dozens of know-how corporations starting in late 2021, stealing supply code and different inside information from tech giants together with Microsoft, Nvidia, Okta, Rockstar Video games, Samsung, T-Cellular, and Uber.
That’s, in line with the previous chief of the now-defunct LAPSUS$. In April 2022, KrebsOnSecurity revealed inside chat data taken from a server that LAPSUS$ used, and people chats point out Jubair was working with the group utilizing the nicknames Amtrak and Asyntax. In the midst of the gang’s cybercrime spree, Asyntax informed the LAPSUS$ chief to not share T-Cellular’s emblem in photographs despatched to the group as a result of he’d been beforehand busted for SIM-swapping and his dad and mom would suspect he was again at it once more.
The chief of LAPSUS$ responded by gleefully posting Asyntax’s actual identify, cellphone quantity, and different hacker handles right into a public chat room on Telegram:
In March 2022, the chief of the LAPSUS$ information extortion group uncovered Thalha Jubair’s identify and hacker handles in a public chat room on Telegram.
That story concerning the leaked LAPSUS$ chats additionally linked Amtrak/Asyntax to a number of earlier hacker identities, together with “Everlynn,” who in April 2021 started providing a cybercriminal service that offered fraudulent “emergency information requests” focusing on the foremost social media and e mail suppliers.
In these so-called “pretend EDR” schemes, the hackers compromise e mail accounts tied to police departments and authorities companies, after which ship unauthorized calls for for subscriber information (e.g. username, IP/e mail handle), whereas claiming the data being requested can’t watch for a courtroom order as a result of it pertains to an pressing matter of life and dying.
The roster of the now-defunct “Infinity Recursion” hacking group, which offered pretend EDRs between 2021 and 2022. The founder “Everlynn” has been tied to Jubair. The member listed as “Peter” turned the chief of LAPSUS$ who would later put up Jubair’s identify, cellphone quantity and hacker handles into LAPSUS$’s chat channel.
EARTHTOSTAR
Prosecutors in New Jersey final week alleged Jubair was a part of a risk group variously often known as Scattered Spider, 0ktapus, and UNC3944, and that he used the nicknames EarthtoStar, Brad, Austin, and Austistic.
Starting in 2022, EarthtoStar co-ran a bustling Telegram channel referred to as Star Chat, which was house to a prolific SIM-swapping group that relentlessly used voice- and SMS-based phishing assaults to steal credentials from staff on the main wi-fi suppliers within the U.S. and U.Okay.
Jubair allegedly used the deal with “Earth2Star,” a core member of a prolific SIM-swapping group working in 2022. This advert produced by the group lists varied costs for SIM swaps.
The group would then use that entry to promote a SIM-swapping service that might redirect a goal’s cellphone quantity to a tool the attackers managed, permitting them to intercept the sufferer’s cellphone calls and textual content messages (together with one-time codes). Members of Star Chat focused a number of wi-fi carriers with SIM-swapping assaults, however they centered primarily on phishing T-Cellular staff.
In February 2023, KrebsOnSecurity scrutinized greater than seven months of those SIM-swapping solicitations on Star Chat, which nearly each day peppered the general public channel with “Tmo up!” and “Tmo down!” notices indicating intervals whereby the group claimed to have energetic entry to T-Cellular’s community.
A redacted receipt from Star Chat’s SIM-swapping service focusing on a T-Cellular buyer after the group gained entry to inside T-Cellular worker instruments.
The info confirmed that Star Chat — together with two different SIM-swapping teams working on the similar time — collectively broke into T-Cellular over 100 occasions within the final seven months of 2022. Nonetheless, Star Chat was by far probably the most prolific of the three, accountable for not less than 70 of these incidents.
The 104 days within the latter half of 2022 during which totally different recognized SIM-swapping teams claimed entry to T-Cellular worker instruments. Star Chat was accountable for a majority of those incidents. Picture: krebsonsecurity.com.
A overview of EarthtoStar’s messages on Star Chat as listed by the risk intelligence agency Flashpoint reveals this individual additionally offered “AT&T e mail resets” and AT&T name forwarding companies for as much as $1,200 per line. EarthtoStar defined the aim of this service in put up on Telegram:
“Okay individuals are confused, so you already know when u login to chase and it says ‘2fa required’ or regardless of the fuck, properly it provides you two choices, SMS or Name. If you happen to press name, and I ahead the road to you then who do you suppose will get stated name?”
New Jersey prosecutors allege Jubair additionally was concerned in a mass SMS phishing marketing campaign in the course of the summer season of 2022 that stole single sign-on credentials from staff at a whole bunch of corporations. The textual content messages requested customers to click on a hyperlink and log in at a phishing web page that mimicked their employer’s Okta authentication web page, saying recipients wanted to overview pending modifications to their upcoming work schedules.
The phishing web sites used a Telegram on the spot message bot to ahead any submitted credentials in real-time, permitting the attackers to make use of the phished username, password and one-time code to log in as that worker at the actual employer web site.
That weeks-long SMS phishing marketing campaign led to intrusions and information thefts at greater than 130 organizations, together with LastPass, DoorDash, Mailchimp, Plex and Sign.
A visible depiction of the assaults by the SMS phishing group often known as 0ktapus, ScatterSwine, and Scattered Spider. Picture: Amitai Cohen twitter.com/amitaico.
DA, COMRADE
EarthtoStar’s group Star Chat specialised in phishing their means into enterprise course of outsourcing (BPO) corporations that present buyer help for a variety of multinational corporations, together with a variety of the world’s largest telecommunications suppliers. In Could 2022, EarthtoStar posted to the Telegram channel “Frauwudchat”:
“Hello, I’m in search of companions with the intention to exfiltrate information from massive telecommunications corporations/name facilities/alike, I’ve main expertise on this discipline, [including] a large name heart which homes 200,000+ staff the place I’ve dumped all person credentials and gained entry to the [domain controller] + obtained world administrator I even have expertise with REST API’s and programming. I’ve in depth expertise with VPN, Citrix, cisco anyconnect, social engineering + privilege escalation. When you’ve got any Citrix/Cisco VPN or another helpful issues please message me and lets work.”
At across the similar time within the Summer season of 2022, not less than two totally different accounts tied to Star Chat — “RocketAce” and “Lopiu” — launched the group’s companies to denizens of the Russian-language cybercrime discussion board Exploit, together with:
-SIM-swapping companies focusing on Verizon and T-Cellular prospects;
-Dynamic phishing pages focusing on prospects of single sign-on suppliers like Okta;
-Malware improvement companies;
-The sale of prolonged validation (EV) code signing certificates.
The person “Lopiu” on the Russian cybercrime discussion board Exploit marketed lots of the similar distinctive companies provided by EarthtoStar and different Star Chat members. Picture supply: ke-la.com.
These two accounts on Exploit created a number of gross sales threads during which they claimed administrative entry to U.S. telecommunications suppliers and requested different Exploit members for assist in monetizing that entry. In June 2022, RocketAce, which seems to have been simply considered one of EarthtoStar’s many aliases, posted to Exploit:
Hey. I’ve entry to a telecommunications firm’s citrix and vpn. I would really like somebody to assist me escape of the system and doubtlessly assault the area controller so all logins may be extracted we will talk about cost and issues depart your telegram within the feedback or personal message me ! Searching for somebody with information in citrix/privilege escalation
On Nov. 15, 2022, EarthtoStar posted to their Star Sanctuary Telegram channel that they have been hiring malware builders with a minimal of three years of expertise and the flexibility to develop rootkits, backdoors and malware loaders.
“Non-obligatory: Endorsed by superior APT Teams (e.g. Conti, Ryuk),” the advert concluded, referencing two of Russia’s most rapacious and damaging ransomware affiliate operations. “A part of a nation-state / ex-3l (3 letter-agency).”
2023-PRESENT DAY
The Telegram and Discord chat channels whereby Flowers and Jubair allegedly deliberate and executed their extortion assaults are a part of a loose-knit community often known as the Com, an English-speaking cybercrime neighborhood consisting largely of people residing in the USA, the UK, Canada and Australia.
Many of those Com chat servers have a whole bunch to 1000’s of members every, and a few of the extra attention-grabbing solicitations on these communities are job presents for in-person assignments and duties that may be discovered if one searches for posts titled, “If you happen to reside close to,” or “IRL job” — quick for “in actual life” job.
These “violence-as-a-service” solicitations usually contain “brickings,” the place somebody is employed to toss a brick by means of the window at a specified handle. Different IRL jobs for rent embody tire-stabbings, molotov cocktail hurlings, drive-by shootings, and even house invasions. The individuals focused by these companies are usually different criminals inside the neighborhood, however it’s commonplace to see Com members asking others for assist in harassing or intimidating safety researchers and even the very legislation enforcement officers who’re investigating their alleged crimes.
It stays unclear what precipitated this incident or what adopted instantly after, however on January 13, 2023, a Star Sanctuary account utilized by EarthtoStar solicited the house invasion of a sitting U.S. federal prosecutor from New York. That put up included a photograph of the prosecutor taken from the Justice Division’s web site, together with the message:
“Want irl niggas, in house hostage shit no fucking pussies no skinny glock holding 100 pound niggas both”
All through late 2022 and early 2023, EarthtoStar’s alias “Brad” (a.ok.a. “Brad_banned”) often marketed Star Chat’s malware improvement companies, together with customized malicious software program designed to cover the attacker’s presence on a sufferer machine:
We are able to develop KERNEL malware which is able to obtain persistence for a very long time,
bypass firewalls and have reverse shell entry.This shit is actually like STAGE 4 CANCER FOR COMPUTERS!!!
Kernel which means the best stage of authority on a machine.
This may vary to easy shells to Bootkits.Bypass all main EDR’s (SentinelOne, CrowdStrike, and many others)
Patch EDR’s scanning performance so it’s rendered ineffective!As soon as implanted, extraordinarily troublesome to take away (mainly unimaginable to even discover)
Improvement Expertise of a number of years and in a number of APT Teams.Be one step forward of the sport. Costs begin from $5,000+. Message @brad_banned to get a quote
In September 2023 , each MGM Resorts and Caesars Leisure suffered ransomware assaults by the hands of a Russian ransomware associates program often known as ALPHV and BlackCat. Caesars reportedly paid a $15 million ransom in that incident.
Inside hours of MGM publicly acknowledging the 2023 breach, members of Scattered Spider have been claiming credit score and telling reporters they’d damaged in by social engineering a third-party IT vendor. At a listening to in London final week, U.Okay. prosecutors informed the courtroom Jubair was present in possession of greater than $50 million in ill-gotten cryptocurrency, together with funds that have been linked to the Las Vegas on line casino hacks.
The Star Chat channel was lastly banned by Telegram on March 9, 2025. However U.S. prosecutors say Jubair and fellow Scattered Spider members continued their hacking, phishing and extortion actions up till September 2025.
In April 2025, the Com was buzzing concerning the publication of “The Com Forged,” a prolonged screed detailing Jubair’s alleged cybercriminal actions and nicknames through the years. This account included images and voice recordings allegedly of Jubair, and asserted that in his early days on the Com Jubair used the nicknames Clark and Miku (these are each aliases utilized by Everlynn in reference to their pretend EDR companies).
Thalha Jubair (proper), with out his large-rimmed glasses, in an undated picture posted in The Com Forged.
Extra lately, the nameless Com Forged creator(s) claimed, Jubair had used the nickname “Operator,” which corresponds to a Com member who ran an automatic Telegram-based doxing service that pulled client data from hacked information dealer accounts. That public outing got here after Operator allegedly seized management over the Doxbin, a long-running and extremely poisonous neighborhood that’s used to “dox” or put up deeply private info on individuals.
“Operator/Clark/Miku: A key member of the ransomware group Scattered Spider, which consists of a various combine of people concerned in SIM swapping and phishing,” the Com Forged account acknowledged. “The group is an amalgamation of a number of key organizations, together with Infinity Recursion (owned by Operator), True Alcorians (owned by earth2star), and Lapsus, which have come collectively to type a single collective.”
The New Jersey grievance (PDF) alleges Jubair and different Scattered Spider members dedicated laptop fraud, wire fraud, and cash laundering in relation to not less than 120 laptop community intrusions involving 47 U.S. entities between Could 2022 and September 2025. The grievance alleges the group’s victims paid not less than $115 million in ransom funds.
U.S. authorities say they traced a few of these funds to Scattered Spider to an Web server managed by Jubair. The grievance states {that a} cryptocurrency pockets found on that server was used to buy a number of present playing cards, considered one of which was used at a meals supply firm to ship meals to his condo. One other present card bought with cryptocurrency from the identical server was allegedly used to fund on-line gaming accounts underneath Jubair’s identify. U.S. prosecutors stated that after they seized that server in addition they seized $36 million in cryptocurrency.
The grievance additionally fees Jubair with involvement in a hacking incident in January 2025 in opposition to the U.S. courts system that focused a U.S. Justice of the Peace decide overseeing a associated Scattered Spider investigation. That different investigation seems to have been the prosecution of Noah Michael City, a 20-year-old Florida man charged in November 2024 by prosecutors in Los Angeles as considered one of 5 alleged Scattered Spider members.
City pleaded responsible in April 2025 to wire fraud and conspiracy fees, and in August he was sentenced to 10 years in federal jail. Talking with KrebsOnSecurity from jail after his sentencing, City asserted that the decide case gave him extra time than prosecutors requested as a result of he was mad that Scattered Spider hacked his e mail account.
Noah “Kingbob” City, posting to Twitter/X across the time of his sentencing on Aug. 20.
A courtroom transcript (PDF) from a standing listening to in February 2025 reveals City was telling the reality concerning the hacking incident that occurred whereas he was in federal custody. The decide informed attorneys for each side {that a} co-defendant within the California case was looking for out about Mr. City’s exercise within the Florida case, and that the hacker accessed the account by impersonating a decide over the cellphone and requesting a password reset.
Allison Nixon is chief analysis officer on the New York primarily based safety agency Unit 221B, and simply one of many world’s main specialists on Com-based cybercrime exercise. Nixon stated the core downside with legally prosecuting well-known cybercriminals from the Com has historically been that the highest offenders are typically underneath the age of 18, and thus troublesome to cost underneath federal hacking statutes.
In the USA, prosecutors usually wait till an underage cybercrime suspect turns into an grownup to cost them. However till that day comes, she stated, Com actors typically really feel emboldened to proceed committing — and fairly often bragging about — critical cybercrime offenses.
“Right here we’ve got a particular class of Com offenders that successfully get pleasure from authorized immunity,” Nixon informed KrebsOnSecurity. “Most get recruited to Com teams when they’re older, however of those who be a part of very younger, comparable to 12 or 13, they appear to be probably the most harmful as a result of at that age they haven’t any grounding in actuality and a lot longevity earlier than they exit their authorized immunity.”
Nixon stated U.Okay. authorities face the identical problem after they briefly detain and search the properties of underage Com suspects: Specifically, the teenager suspects merely go proper again to their respective cliques within the Com and begin robbing and hurting individuals once more the minute they’re launched.
Certainly, the U.Okay. courtroom heard from prosecutors final week that each Scattered Spider suspects have been detained and/or searched by native legislation enforcement on a number of events, solely to return to the Com lower than 24 hours after being launched every time.
“What we see is these younger Com members change into vectors for perpetrators to commit enormously dangerous acts and even baby abuse,” Nixon stated. “The members of this particular class of people that get pleasure from authorized immunity are assembly up with overseas nationals and conducting these typically heinous acts at their behest.”
Nixon stated many of those people have few associates in actual life as a result of they spend just about all of their waking hours on Com channels, and so their whole sense of identification, neighborhood and self-worth will get wrapped up of their involvement with these on-line gangs. She stated if the legislation was such that prosecutors might deal with these individuals commensurate with the quantity of hurt they trigger society, that will most likely clear up plenty of this downside.
“If legislation enforcement was allowed to maintain them in jail, they might give up reoffending,” she stated.
The Occasions of London experiences that Flowers is dealing with three fees underneath the Laptop Misuse Act: two of conspiracy to commit an unauthorized act in relation to a pc inflicting/creating threat of significant injury to human welfare/nationwide safety and considered one of trying to commit the identical act. Most sentences for these offenses can vary from 14 years to life in jail, relying on the affect of the crime.
Jubair is reportedly dealing with two fees within the U.Okay.: Certainly one of conspiracy to commit an unauthorized act in relation to a pc inflicting/creating threat of significant injury to human welfare/nationwide safety and considered one of failing to adjust to a piece 49 discover to reveal the important thing to protected info.
In the USA, Jubair is charged with laptop fraud conspiracy, two counts of laptop fraud, wire fraud conspiracy, two counts of wire fraud, and cash laundering conspiracy. If extradited to the U.S., tried and convicted on all fees, he faces a most penalty of 95 years in jail.
In July 2025, the UK adopted Australia’s instance in banning victims of hacking from paying ransoms to cybercriminal teams except accredited by officers. U.Okay. organizations which can be thought of a part of important infrastructure reportedly will face a whole ban, as will your entire public sector. U.Okay. victims of a hack at the moment are required to inform officers to raised inform policymakers on the dimensions of Britain’s ransomware downside.
For additional studying (bless you), take a look at Bloomberg’s poignant story final week primarily based on a yr’s value of jailhouse interviews with convicted Scattered Spider member Noah City.
