In a landmark development for international cybercrime enforcement, two key members of the notorious hacking collective "Scattered Spider" have pleaded guilty in a United Kingdom court. The pair, Thalha Jubair, 20, and Owen Flowers, 18, admitted to a string of devastating cyberattacks that crippled critical infrastructure, including London’s public transport network, and compromised major healthcare providers across the United States.
Their guilty pleas, entered on the first day of what was scheduled to be a grueling six-week trial, mark a significant victory for law enforcement agencies on both sides of the Atlantic. These convictions provide a rare, intimate look into the operational mechanics of one of the world’s most prolific and destructive cybercrime syndicates.
The Core Admissions: Crimes Against Infrastructure
Thalha Jubair of East London and Owen Flowers of Walsall stood before a UK court this week, acknowledging their roles in a sophisticated criminal conspiracy. Specifically, both men pleaded guilty to conspiring to commit unauthorized acts against the computer systems of Transport for London (TfL)—the body responsible for managing the entirety of London’s public transit infrastructure. Their actions in August 2024 caused widespread disruption to the city’s transport services, raising significant concerns regarding the safety and welfare of millions of commuters.
In addition to the TfL attack, Flowers admitted to his participation in a separate, equally sinister conspiracy: the hacking of major U.S.-based healthcare providers, specifically SSM Health Care Corporation and Sutter Health, in September 2024. These admissions highlight a disturbing trend where cyber-criminal organizations are increasingly targeting the backbone of civilian life—transportation and healthcare—to maximize leverage and ransom payments.
A Chronology of Chaos: From Phishing to Global Extortion
To understand the magnitude of these convictions, one must look at the timeline of the "Scattered Spider" reign of terror, a group that evolved from small-scale digital mischief to multi-million-dollar global extortion.
The 2022 Genesis: The SMS Phishing Spree
The foundation of the group’s success was laid in the summer of 2022, when they launched a massive SMS phishing campaign. By masquerading as trusted entities, the hackers harvested single sign-on (SSO) credentials from thousands of employees at over 130 organizations. This campaign facilitated unauthorized access to high-profile companies, including LastPass, DoorDash, Mailchimp, Plex, and Signal.
The 2023 Casino Disruptions
By September 2023, the group had escalated their activities. They executed high-profile ransomware attacks against MGM Resorts and Caesars Entertainment in Las Vegas. These attacks brought the world’s entertainment capital to a standstill, locking hotel systems, slot machines, and booking portals. Sources close to the investigation have identified Flowers as the individual who acted as the public face of the group during this time, conducting media interviews to boast about the successful disruption.
The 2024–2025 Escalation
The group’s reach continued to expand throughout 2024 and 2025. Investigations into the UK-based hackers revealed their involvement in attacks against retail giants such as Marks & Spencer, Harrods, and the Co-op Group. During this period, Jubair was identified as a co-operator of "Star Chat," a Telegram-based hub for SIM-swapping services. Using stolen employee credentials from major wireless providers, the group successfully redirected phone numbers to their own devices, allowing them to intercept one-time multi-factor authentication (MFA) codes and drain victim accounts.
Supporting Data: The Cost of the Scattered Spider
The sheer scale of the financial damage attributed to Scattered Spider is staggering. According to a U.S. indictment unsealed in New Jersey, Jubair and his associates were involved in at least 120 distinct network intrusions across 47 U.S. entities between May 2022 and September 2025.
The group’s financial model was highly effective: they successfully extorted at least $115 million in ransom payments. Further analysis by the Department of Justice reveals that the group utilized harvested credentials from the 2022 phishing campaign to siphon at least $8 million in cryptocurrency from unsuspecting victims.

A History of "Emergency" Deception
Evidence unearthed by cybersecurity researchers, specifically KrebsOnSecurity, suggests that Jubair’s criminal career began at a young age. Using the online pseudonym "Everlynn," he was allegedly selling fraudulent "emergency data requests." By compromising law enforcement email addresses, he would trick major technology companies into surrendering private user data—such as IP addresses and account details—by claiming the requests were matters of life and death, thereby bypassing the need for legal court orders.
Official Responses and International Cooperation
The successful prosecution of Flowers and Jubair is the result of unprecedented cooperation between the UK’s National Crime Agency (NCA) and U.S. federal authorities, including the Department of Justice and the FBI.
The U.S. Legal Landscape
In the United States, the legal net continues to tighten around the group’s periphery. In April 2026, Tyler "Tylerb" Buchanan, a 24-year-old British national, pleaded guilty to wire fraud and aggravated identity theft. His sentencing is currently set for October 2. Meanwhile, in August 2025, Noah Michael Urban, a 20-year-old from Florida, was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution.
Despite these successes, the Department of Justice maintains that the fight is far from over. Three other individuals named in the same indictment remain the subjects of intense pursuit:
- Ahmed Hossam Eldin Elbadawy ("AD"), 24, of College Station, Texas.
- Evans Onyeaka Osiebo, 21, of Dallas, Texas.
- Joel Martin Evans ("joeleoli"), 26, of Jacksonville, North Carolina.
Implications: The Future of Cyber-Defense
The conviction of Flowers and Jubair serves as a stark reminder of the evolving nature of the digital threat landscape.
The End of Anonymity
For years, Scattered Spider operated under the assumption that their use of encrypted communication tools, VPNs, and pseudonyms would protect them from discovery. These convictions prove that even the most tech-savvy criminals leave behind a "digital breadcrumb trail" that, with enough persistence and international cooperation, can be reconstructed by law enforcement.
The Human Element
The group’s success was not built on groundbreaking, zero-day software vulnerabilities alone, but rather on the manipulation of the "human element." By targeting employees through SMS phishing, SIM-swapping, and social engineering, they bypassed expensive firewalls and encryption protocols. This underscores a critical shift for cybersecurity professionals: the greatest vulnerability in any organization remains the human user.
A Warning to Future Actors
The sentencing of Flowers and Jubair, scheduled for July 15, 2026, in London, will be closely watched by the global security community. It serves as a definitive warning to those who believe that cyber-criminality is a victimless or "low-risk" endeavor. As national governments begin to categorize cyberattacks on public infrastructure as threats to national security, the penalties for these crimes are increasing, and the appetite for leniency is diminishing.
Ultimately, the dismantling of a core cell of Scattered Spider represents a maturation of global cyber-policing. While new groups will inevitably emerge to fill the void, the successful identification, extradition, and conviction of these individuals provide a blueprint for how democratic nations can work together to secure their digital borders against those who seek to profit from the collapse of public systems.
