British police have arrested two suspected members of the hacker group Scattered Spider. They are believed to be young British men accused of attacks on the British police and London's transport system. The group is charged with a total of 120 hacks of computer systems worldwide.
Scattered Spider (or UNC3944) is a hacker group consisting mainly of teenagers and young adults, presumably from the US and the UK. The hacker group gained notoriety in 2023 through social media and phishing attacks and SIM swapping, and is said to consist of male members aged 19 to 22.
Four suspects had already been arrested in the UK in July 2025 (see Four suspects arrested in the UK for hacking Co-op, Marks & Spencer, and Harrods), and a member (from Scotland) had also been arrested in Spain in June 2024 (see Alleged leader of Scattered Spider arrested in Spain).
Two suspects arrested in the UK
On September 18, 2025, the UK National Crime Agency (NCA) announced the arrest of two men. They are 19-year-old Thalha Jubair from East London and 18-year-old Owen Flowers from Walsall, West Midlands. Both were arrested at their homes on Tuesday (September 16) by the NCA and the City of London Police.
Flowers was originally arrested for the attack on TfL on September 6, 2024. At that time, according to this statement, NCA officers identified further potential evidence of crimes against US healthcare companies.
The suspects were identified, arrested, and now charged as part of the National Crime Agency's investigation into a cyberattack on Transport for London (TfL). On August 31, 2024, TfL was the victim of a network attack that investigators believe was carried out by members of the Scattered Spider group. The indictment accuses the men of being involved in this attack.
Both suspects were remanded in custody by Westminster Magistrates Court on September 18, 2024, following charges by the Crown Prosecution Service for conspiring to commit unlawful acts against TfL under the Computer Misuse Act.
Flowers was also charged with conspiracy with others to infiltrate and damage the networks of SSM Health Care Corporation and with attempting to do the same to the networks of Sutter Health. Both organizations are based in the United States.
Jubair was additionally charged under RIPA for failing to disclose the PIN or passwords for the devices seized from him. Flowers and Jubair were remanded in custody and are both due to appear at Southwark Crown Court on October 16, 2025.
Charges also in the US
On September 18, 2025, the US Department of Justice announced that a lawsuit filed in the New Jersey District Court had been made public. British citizen Thalha Jubair was charged with conspiracy to commit computer fraud, wire fraud, and money laundering in connection with at least 120 computer network intrusions and extortion attempts against 47 US companies. The lawsuit alleges that the defendant extorted at least $115,000,000 in ransom from the victims.
According to the complaint, Thalha Jubair, also known as "EarthtoStar," "Brad," "Austin," and "@autistic" conspired with other perpetrators to use social engineering techniques to gain unauthorized access to the computer networks of US companies, steal and encrypt information, and demand ransom payments from the victims. If the ransom was paid, the victims received the keys to decrypt the data, and the exfiltrated data was apparently not distributed.
Jubair is also accused of laundering the extorted funds with other perpetrators. According to the indictment, in October 2024 and January 2025, Jubair participated in a plan to gain unauthorized access to the networks of a U.S.-based critical infrastructure company and the U.S. courts.
From May 2022 to September 2025, Jubair and his accomplices were involved in approximately 120 network intrusions, according to the indictment. This includes accessing the computer networks of at least 47 victims based in the United States. In total, the victims paid more than $115 million to Jubair and his accomplices to recover their data and prevent its disclosure.
The Scattered Spider group did not use zero-day vulnerabilities in their digital raids, but relied on classic social engineering techniques. In one of the cases brought against them, the group gained access by contacting the US court network's help desk around January 8, 2025, and persuading someone to reset a user's password. Once they were inside the network, the hackers took over two additional accounts and exfiltrated data from the network. This included the names, 15 usernames, roles, and cell phone numbers of US court employees.
The hackers then used the stolen login details to access the accounts of three users. Among them was the user account of a federal judge. According to the complaint, they searched the judge's inbox for terms such as "subpoena," the name of an accused cybercriminal, and "scattered spider."
In addition, the fraudsters are alleged to have used one of the compromised accounts to send a message to a financial services provider demanding the urgent disclosure of customer account information. The lawsuit lists seven unnamed victims (a manufacturer, an entertainment company, two retailers, two financial services companies, and a critical infrastructure company) based in the United States.
The trail of crypto money
Parts of the ransom payments from at least five victims were transferred to wallets on a server controlled by Jubair. In July 2024, while law enforcement agencies were seizing this server—including cryptocurrencies worth approximately $36 million at the time of seizure—Jubair transferred part of the cryptocurrency that came from one of the victims and was worth approximately $8.4 million at the time of the transfer to another wallet.
The arrests were preceded by lengthy investigations by the FBI and British law enforcement agencies (the FBI posted this tweet about it). The Register reports here that someone stole crypto funds from a wallet on a server that also stored ransom money from the Scattered Spider hacks. The crypto funds were used to purchase gaming vouchers linked to an account in Jubair's name. Additional vouchers for food delivery were used to order food to the apartment complex where Jubair lived. The Register also reveals further details from the complaint. The X account vxunderground also reveals some findings from the complaint in a series of tweets.


