Date: 2025-09-20

A UK teenager, Thalha Jubair, has been arrested and charged for allegedly being a member of the notorious Scattered Spider cybercrime gang. Jubair is accused of orchestrating attacks that resulted in over $115 million in ransom payments from more than 100 organizations. The charges include computer fraud, wire fraud, and money laundering, with the U.S. federal court system among the victims. The investigation involved tracing cryptocurrency transactions, including gift card purchases for gaming and food delivery tied to Jubair's identity, and data exfiltration from compromised networks. Evidence also included chat logs detailing the ransom demands and payments. Law enforcement seized a significant amount of cryptocurrency from wallets linked to Jubair. The case reveals how cybercriminals operate and the methods used to track and apprehend them.

Thalha Jubair, a UK teenager, was arrested on Tuesday and accused of being a member of the Scattered Spider cybercrime gang. He is alleged to have played a significant role in extorting over 100 organizations for at least $115 million in ransom payments. Law enforcement officials apprehended him following a series of clues, including cryptocurrency transactions tied to his identity.

Despite attempts to remain anonymous, Jubair allegedly participated in around 120 network intrusions, with at least 47 targeting US-based organizations. His alleged ransomware activities were exposed by critical mistakes. Notably, cryptocurrency from a wallet on a server containing ransom funds was used to purchase gift cards for gaming and food delivery, which were linked to his account and delivered to his apartment.

The US Justice Department charged Jubair with multiple conspiracies related to computer and wire fraud, as well as money laundering, linked to the Scattered Spider attacks between May 2022 and the current month. The criminal complaint specifically names the US federal court system as a victim. The digital intrusion, which occurred in early January, led to account takeovers and data exfiltration, including sensitive information of court personnel. The attackers accessed accounts, including that of a federal magistrate judge, and searched the judge's inbox for specific terms like 'subpoena' and 'Scattered Spider'. They allegedly used a compromised account to request sensitive customer account information from a financial services provider.

Seven other US-based victims, identified as Company-1 through Company-7, were also targeted. These included a manufacturer, an entertainment firm, two retailers, two financial services companies, and a critical infrastructure firm. In these cases, the attackers gained network access through social engineering techniques, often by targeting help desks to reset passwords. The criminals then stole sensitive data, sometimes encrypting it, and demanded ransom payments for its return or decryption. Victims paid a total of at least $89.5 million in bitcoin. In some instances, organizations paid multiple ransom sums. The two highest ransom payments, made by the financial institutions, amounted to over $25 million and $36.2 million respectively, in bitcoin.

Portions of the ransom payments from at least five victims were traced to wallets on a server the FBI identified as controlled by Jubair. Law enforcement seized about $36 million in cryptocurrency from wallets on that server. In July 2024, during the seizure operation, Jubair allegedly transferred approximately $8.4 million in cryptocurrency from a wallet on the server to another wallet.

Documents and online chats also implicate Jubair. In October 2023, using the Telegram account 'Brad' with the handle @autistic, he discussed cyber intrusions at roughly 40 companies with a co-conspirator. During one conversation, he informed them that Victim Company-4 intended to pay $25 million, and shortly after that the ransom was paid.

Blockchain analysis of a wallet on the seized server revealed that cryptocurrency was used to buy gift cards for a food delivery company. Law enforcement shared the associated information with the food delivery service, which then provided details related to an account used to order deliveries to Jubair's apartment complex. A delivery for this account was made to his apartment complex as recently as May 13, 2024.





