Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-week trial.
Thalha Jubair, 20, of East London and 18-year-old Owen Flowers of Walsall admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. According to a report from the BBC, Flowers alone admitted to being part of a conspiracy to hack into U.S. based healthcare providers SSM Health Care Corporation and Sutter Health in September 2024.
Jubair is also wanted by U.S. law enforcement agencies. In September 2025, prosecutors in New Jersey unsealed an indictment alleging Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025, and that the group’s victims paid at least $115 million in ransom payments.
In July 2025, KrebsOnSecurity reported that Flowers and Jubair were arrested in the United Kingdom in connection with Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. Multiple sources familiar with those investigations said Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.
According to prosecutors, Jubair co-ran a bustling Telegram channel called Star Chat, the home of a SIM-swapping group that used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K. The group would then use that access to sell a service that could redirect a target’s phone number to a device the attackers controlled and intercept the victim’s calls and text messages (including one-time codes for multi-factor authentication).
New Jersey prosecutors also allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.
KrebsOnSecurity reported last year that one of Jubair’s alter egos at age 15 was “Everlynn,” a hacker who sold fraudulent “emergency data requests” that used compromised police and government email addresses to demand subscriber data (e.g. username, IP/email address) from major tech companies, claiming the requests concerned urgent matters of life and death and could not wait for a court order.
In April 2026, 24-year-old British national and Scattered Spider member Tyler “Tylerb” Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft for participating in the group’s SMS phishing spree in the summer of 2022. The government said Buchanan, Jubair and others used the credentials harvested in that phishing campaign to steal at least $8 million in cryptocurrency from victims throughout the United States. Buchanan is currently scheduled to be sentenced on October 2.
In August 2025, 20-year-old Scattered Spider member from Florida named Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution, after pleading guilty to charges of wire fraud and conspiracy.
The U.S. Department of Justice says three alleged Scattered Spider defendants indicted along with Buchanan still face charges, including Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina.
Flowers and Jubair are slated to be sentenced in a London court on July 15, 2026.
More stupid young people throwing their lives away.
They will serve some time and get a great job working at a GCHQ cut out org via the The “Cyber Choices” Program, if not there then some big cyber security company will hire them, its a bit like Better Call Saul, the best criminal lawyers are criminals!
Why is it that pretty much every time cyber crooks are punished, someone will chime in and claim they will get a cushy job some letter agency or security consultancy?
To be hired you need the right skill set. And much more importantly: you need to be deemed trustworthy. That rules out pretty much any job that requires clearance, because for some crazy reason, most gov’t agencies do not consider ex-cons trustworthy.
Nobody’s going to bust out a couple of shameless, reckless social engineering guys. It’s really not like these guys are misunderstood geniuses who were too curious for their own good.
Smart young adults potentially throwing their future away. Sigh…
A friend of my nephew is a 23 year old guy with obvious talent who seems to be uninterested in a job.
I think he wants me to retire and has the idea that he can take my job. However, he has neither the knowledge nor the temperament to do the job. He’s too much of a hothead and thinks that he knows absolutely everything about everything, especially computers and electronics.
For example, when he first came to town, he was helping my nephew run a cable in someone’s house. They ran three cables and couldn’t get any of the runs to work. He claimed the cable was rotten, that the connectors were bad, and that the cable tool was broken. There was nothing wrong with any of that — the issue is with his own arrogant belief that nothing is ever his fault.
He is not my employee — he has too many red flags for me to consider him for a job.
Nah, no ‘ccomplices.
What must their parents think?
Should we expect more arrests soon?
While it is difficult to trace many spammers and scammers through the cyberlabyrinth of the WWW, it is heartening to see that over time, more of these lost souls are being caught.
The sad thing is that so many of them are still kids. The question of what their parents must think makes me wonder if they were even present at all. Parenting usually involves some kind of monitoring to see what your kid is doing online for so long before they get to the age these doofuses are at, where they inevitably make some kind of mistake and get caught. They are old enough now to know better… and to face the consequences as well.
…parents just need to tell their kids “don’t be a f***ing thief!”. Say it enough times and they’ll get it. Teach the basics of morality.
Hello, Brian:
If I recall, you said that Scattered Spider has a robust, large recruiting base. From what I remember, less than a dozen of them have been apprehended, and most of them were not high-level members, although from what I can garner from your site and a few others, the Vegas ransomings were particularly treacherous.
Do you have any idea what the current rough count is of active members, according to the threat researchers? I am guessing most of its ersatz members don’t know much about any of the others so I doubt previous models to round em all up would work.
The catch all name seems kind of deceptive, especially to C-level types who don’t even get they can be ransomed months later by other people that most reporters and companies might call the same group. Are they really?
Thanks.
I don’t think the courts and laws have caught up with what should be more severe penalties for cyber crimes; they don’t quite get the blast radius of the infractions. Kids on the street stealing far far less and effecting almost no one, often get much harsher sentences in comparison.
They are more connected than people think. Just like the jellyfish-like drone swarms. I wouldn’t be so quick to assume they aren’t mutually aware, like some effed up MUFON.
Hacking sure wasn’t like that fifteen years ago.
And wouldn’t you know it they wanted fictional time machines then also.
“Throwing their lives away” to be future security consultants when they do their face turn.
Nah, the world doesn’t work like that usually anymore, and there are plenty of folks straddling that line that didn’t get caught left to hire. Assuming there is even an equivalent skill set in demand five, eight, ten, whatever years from now. Not saying they can’t have a life after sentencing, just that the time of the convicted felon wunderkind with a future in a field demanding trust, as a given, is long gone.
Check, garçon!
The TFL hack started on 31st August, and Flowers was arrested for it on 6th September. So clearly no opsec skills. They had to plead guilty as the evidence included videos and screenshots that these idiots had saved to their own personal devices.
Man, it’ll be interesting to see what kind of time these two Meduza reporters are gonna get (and if the Puzata Hata will accept their non-activated American gift cards with zero balances for their spring salad and pelmini back when everyone was playing soccer in Kiev).
I always wonder what role the parents play in having teenagers who engage in this criminal activity. These kids reap huge financial rewards – don’t the parents see that? Are they really that clueless? Perhaps they should share some of the responsibility for all the harm their child causes others.
Juvenile computer crime and hacking recidivism rates aren’t generally tracked so I also wonder how many commit post-incarceration crimes.
WELCOME TO BACOB JUTLER CAFE!
FREE MY NIGGA DORT HE AINT DONE NOTHNIN
These two upstanding citizens have a bright future in the Trump organization, Big-Balls better watch out for these two. And I don’t see them being on many dates with girls either, but getting beat up by girls yes 😉
Shouldn’t this sort of post be on something like t4r4ñt3lla.onion or something, not this site?