The 19-year-old U.K. national who was arrested at his London residence last week was a highly prolific cybercriminal and a core member of the nebulous hacker subset of The Com, researchers told CyberScoop.

Authorities’ yearslong quest to uncover the identities of Scattered Spider associates and charge them with serious crimes reached a tipping point with last week’s arrest of Thalha Jubair, who is accused of direct, prominent involvement in at least 120 cyberattacks, including extortion of 47 U.S.-based organizations and the January attack on the U.S. federal court system. 

Authorities said they traced a combined total of at least $89.5 million in cryptocurrency, at the time of payments, to Bitcoin addresses and servers controlled by Jubair. Two financial services firms paid Jubair $25 million and $36.2 million, respectively, in Bitcoin between June and November 2023, according to an unsealed criminal complaint against Jubair. 

The high number of attacks and ransom payments officials linked to Jubair highlights the central role he played in attacks more broadly attributed to Scattered Spider. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said Jubair was one of the principal operators behind the loose-knit cybercrime network. 

“He was one of the four principal people that we associated with Scattered Spider,” and one of the two most core players, Meyers told CyberScoop. 

Other cybercrime experts shared similar assessments of Jubair’s involvement and importance to Scattered Spider’s sweeping extortion scheme. While The Com, of which Scattered Spider is an offshoot, doesn’t operate with formal leaders in the traditional sense, Jubair acted as a leader, said Jon DiMaggio, chief security strategist at Analyst1.

“There are many other pockets of activity within the broader collective, and I would consider Jubair a leader within several of the clusters he supported and influenced,” DiMaggio said. 

Flashpoint analysts described Jubair as a large player within these communities who participated in attacks against multiple sectors for years. “Their growth and evolution appear consistent with the growth and scale of attacks ascribed to Scattered Spider,” analysts at the threat intelligence company said in an email.

Federal authorities attribute Scattered Spider to attacks on organizations in many sectors, including manufacturing, entertainment, retail, aviation, insurance, finance, business process and customer service outsourcing, construction, hospitality, technology, telecommunications and multiple forms of critical infrastructure. Victims of those attacks paid at least $115 million in ransom payments, authorities said.

“They were cleaning up, and this is just the amount the FBI knows about,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in a post on LinkedIn.

Researchers knew the identity of Jubair, who went by many aliases online including “EarthtoStar,” “Brad,” “Austin,” “Everylynn” and “@autistic,” for more than a year. He was on their radar, and even more so after law enforcement seized cryptocurrency worth about $36 million at the time on wallets stored on a server allegedly controlled by Jubair in July 2024. 

“It did take several years and they had quite a run when everybody was paying attention to them,” Meyers said. Officials “knew who he was a year ago. I think what it highlights is that they needed a way to be able to make a case, which is where law enforcement, frankly, ends up at a bit of a disadvantage.”

Investigators bolstered their case against Jubair through blockchain analysis. Officials said they traced cryptocurrency transactions from a wallet on a server Jubair controlled to gift card purchases that were used for a food delivery service to his apartment complex and a gaming account. 

“His arrest underscores the difficulties in remaining anonymous online,” Flashpoint analysts said. 

While Jubair was “extremely careful,” using an amnesiatic operating system — which is designed to forget everything a user does after it’s shut down — and virtual private networks, according to Meyers, his personal activity led investigators to his doorstep.

Jubair faces charges in the United Kingdom and United States. U.K. authorities last week charged him for crimes related to the cyberattack on the Transport for London in September 2024. He was also charged in the U.S. District Court for the District of New Jersey with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy.

The Justice Department hasn’t said if efforts are underway to extradite Jubair to the United States, where he faces up to 95 years in prison if convicted.

While veteran threat hunters hail Jubair’s arrest, they remain exasperated by the persistent challenges and delays that were highlighted by a case involving a known and allegedly highly prolific cybercriminal. 

“It took a long time. There’s still a lot of frustration in how long it took, and how much information we had on these guys and the way that the investigation went down,” Meyers said. 

Nonetheless, Jubair’s “arrest is a big deal, maybe one of the biggest in this circle,” DiMaggio said. 

“Given Jubair’s alleged involvement across many operations and aliases, removing him likely hurts how things are done in multiple criminal clusters. It might force others to change how they operate or slow some attacks,” he added. 

“But because the group is spread out and loosely organized, I don’t think this one arrest stops things entirely,” DiMaggio said. Jubair’s arrest is “very impactful, and among the most important arrests in The Com so far, but we shouldn’t assume it’s a knockout blow.”

The post Teen arrested in UK was a core figure in Scattered Spider’s operations appeared first on CyberScoop.

Two teenagers were arrested in the United Kingdom this week, accused of associating with the sprawling criminal collective known as The Com, and participating in many high-profile and damaging cyberattacks on critical infrastructure globally.

Thalha Jubair, 19 of London, and Owen Flowers, 18 of Walsall, England, were arrested at their residences Tuesday and charged with crimes related to the cyberattack on the Transport for London in September 2024, the U.K.’s National Crime Agency said.

Jubair and Flowers were allegedly highly involved in many other cyberattacks attributed to Scattered Spider, a nebulous offshoot of The Com that commits ransomware and data extortion. The Com is composed of thousands of members, splintered into three primary subsets of interconnected networks that commit swatting, extortion and sextortion of minors, violent crime and various other cybercrimes, according to the FBI.

The Justice Department on Thursday unsealed charges against Jubair, a U.K. national, accusing him of participating in at least 120 cyberattacks as part of Scattered Spider’s sweeping extortion scheme from May 2022 to September 2025, including 47 U.S.-based organizations. Victims of those attacks paid at least $115 million in ransom payments, authorities said. 

“These malicious attacks caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, highlighting the significant and growing threat posed by brazen cybercriminals,” Matthew Galeotti, acting assistant attorney general in the Justice Department’s Criminal Division, said in a statement. 

Jubair and co-conspirators allegedly broke into networks of U.S. companies via social engineering, stole and encrypted data, demanded ransom payments and committed money laundering. 

Law enforcement seized cryptocurrency wallets on a server allegedly controlled by Jubair in July 2024 and seized cryptocurrency worth about $36 million at the time. He allegedly transferred a portion of cryptocurrency that originated from one of his victims, worth about $8.4 million at the time, to another wallet.

Authorities also specifically accused Jubair, also known as “EarthtoStar,” “Brad,” “Austin” and “@autistic,” of intruding networks of a U.S.-based critical infrastructure company and the U.S. courts in October 2024 and January 2025.

Flowers was initially arrested by British police last year for his alleged involvement in the attack on Transport of London, just days after the incident. At that time, investigators found evidence of and have since charged Flowers for alleged involvement in other attacks, specifically those targeting U.S.-based health care companies SSM Health Care Corp. and Sutter Health in 2023. 

“Finally,” Allison Nixon, chief research officer at Unit 221B, said in reaction to news of Jubair and Flowers’ arrests. “Jubair and Flowers are like many members of The Com who seek to achieve heroic status by committing so many crimes they get famous for harming society on a massive scale.”

Jubair is charged in the U.S. District Court for the District of New Jersey with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. He faces up to 95 years in prison if convicted.

Jubair and Flowers were both scheduled to appear in court in the U.K. on Thursday to face charges under the country’s Computer Misuse Act. 

The Justice Department didn’t say if efforts are underway to extradite Jubair to face charges in the United States. The agency did not immediately respond to a request for comment. 

“Today’s charges make it clear that no cybercriminal is beyond our reach,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “If you attack American companies or citizens, we will find you, we will expose you and we will seek justice.”

The post UK arrests two teens accused of heavy involvement in yearslong Scattered Spider attack spree appeared first on CyberScoop.

A 20-year-old Florida man received a 10-year federal prison sentence Wednesday for his role in the notorious Scattered Spider cybercrime organization, marking the first conviction of a member from the group responsible for breaching more than 130 major companies.

Noah Michael Urban, 20, of Palm Coast, Fla., pleaded guilty to conspiracy, wire fraud and aggravated identity theft charges in two separate federal cases spanning Florida and California. A federal judge sentenced Urban to 120 months in prison with three years of supervised release and ordered him to pay $13 million in restitution to victims.

The sentence exceeded federal prosecutors’ recommendation of eight years, reflecting the scope of Urban’s criminal activities that investigators say caused between $9.5 million and $25 million in total losses.

Urban operated under multiple online aliases including “King Bob,” “Sosa,” and “Gustavo Fring” while participating in sophisticated cybercrime schemes from 2021 to 2023. In the Florida case, prosecutors said Urban and co-conspirators used SIM swapping techniques to steal at least $800,000 in cryptocurrency from five victims between August 2022 and March 2023.

SIM swapping involves convincing telecom providers to transfer a victim’s phone number to a device controlled by criminals, allowing them to bypass two-factor authentication and reset passwords for financial accounts.

The California charges stemmed from a broader conspiracy involving four other defendants who conducted phishing attacks against company employees from September 2021 to April 2023. The group sent text messages claiming employee accounts would be deactivated, directing targets to fraudulent websites designed to steal login credentials.

Urban’s case provides insight into the operations of Scattered Spider, a cybercrime group that security researchers also track under names including 0ktapus and UNC3944. The organization has been linked to high-profile breaches at companies including Twilio, LastPass, DoorDash, Mailchimp, Caesars Entertainment, and MGM Resorts.

Urban was a core member of the group and a prominent figure in “The Com,” an online forum where hackers share social engineering techniques. Federal investigators believe Scattered Spider evolved from this broader community of young, English-speaking cybercriminals.

The sentencing comes as Scattered Spider has resumed activity following a brief lull after the MGM attack. The group launched new attacks in 2025 targeting airlines, insurance companies, and retailers, according to security firms and government agencies.

Four other defendants in the California case remain at various stages of prosecution, with one British national arrested in Spain and others still at large.

The post Florida man gets 10 years in prison in first Scattered Spider sentencing appeared first on CyberScoop.

A 20-year-old Florida man at the center of a prolific cybercrime group known as “Scattered Spider” was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.

Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.

Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet News4Jax.com reports the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.

In November 2024 Urban was charged by federal prosecutors in Los Angeles as one of five members of Scattered Spider (a.k.a. “Oktapus,” “Scatter Swine” and “UNC3944”), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.

The targeted SMS scams spanned several months during the summer of 2022, asking employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.

That phishing spree netted Urban and others access to more than 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.

For many years, Urban’s online hacker aliases “King Bob” and “Sosa” were fixtures of the Com, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or “grails” he later sold or gave away on forums.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” Cyberscoop’s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.

The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

Reached via one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.

“The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,” Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. “He should have been removed as a judge much earlier on. But staying in county jail is torture.”

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. It involved an intrusion into a magistrate judge’s email account, where a copy of Urban’s sealed indictment was stolen. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case.

“What it ultimately turned into a was a big faux pas,” Judge Harvey E. Schlesinger said. “The Court’s password…business is handled by an outside contractor. And somebody called the outside contractor representing Judge Toomey saying, ‘I need a password change.’ And they gave out the password change. That’s how whoever was making the phone call got into the court.”

The FBI released a trove of research on The Com last week, warning that the sprawling cybercriminal network of minors and young adults is growing rapidly and splintering into three primary subsets described by officials as Hacker Com, In Real Life Com and Extortion Com.

The warnings lay out how The Com’s thousands of members, typically between 11 and 25 years old, pose a rising threat, especially to youth online, the FBI said. Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes, the bureau said.

“The motivations behind the criminal activity vary, but often fall within one of the following: financial gain, retaliation, ideology, sexual gratification and notoriety,” the FBI said in a public service announcement.

Crimes attributed to members of The Com have grown increasingly complex, with perpetrators going to great lengths to mask identities, hide financial transactions and launder money. The Com generally targets young and impressionable people for recruitment on gaming sites and social media platforms to indoctrinate them into their ideology, officials said.

Various subsections of this group have been linked to high-profile crimes over the past few years. In April, two men accused of leading a Com offshoot known as “764” were charged with operating an international child exploitation enterprise. Scattered Spider, another offshoot, tends to focus on cybercrime like ransomware and data extortion. 

Allison Nixon, chief research officer at Unit 221B, commended the level of detail the FBI shared across the series of PSAs, noting that the agency left nothing of importance out of its warnings. Nixon has studied domestic and English-speaking cybercrime and tracked its rise for more than a decade.

“The assessments in this PSA are consistent with what we have seen. There has been a population explosion in The Com and it is good to see law enforcement respond to this — not just with a PSA but with real crackdowns,” she said.

“Hopefully this PSA helps the public understand that many cybercrime arrests nowadays implicate gang violence and sexual crime against children, by children.”

Hacker Com

Hacker Com members are involved in a vast array of cybercrime activities, including distributed denial-of-service attacks, personally identifiable information theft, the sale of government email accounts, ransomware attacks, phishing, malware development and deployment, cryptocurrency theft, intrusions and SIM swapping, according to the FBI.

Scattered Spider, which is responsible for attacks on more than 100 businesses since 2022, is included in this subset.

This subset of The Com uses remote access trojans, phishing kits, voice over internet protocol providers, voice modulators, virtual private networks, cryptocurrency cash-out services, live-streaming services and encrypted email domains, officials said.

“Open-source information indicates Hacker Com groups are responsible for high-profile attacks and intrusions and have affiliations with ransomware organizations,” the FBI said in a PSA dedicated solely to Hacker Com.

The group also has been observed using the same attack methods against each other. The FBI warning details how internal conflicts are common among members of The Com. Personal disputes or rivalries — often over cryptocurrency — frequently lead Hacker Com members to attack and steal from one another, the FBI said.

In Real Life (IRL) Com

Some Com subgroups have gone beyond digital means, offering swat-for-hire services and targeting members for swatting and doxxing, kidnapping and physical extortion, which the FBI refers to as “IRL Com.” 

“The intensification of these online conflicts has resulted in the emergence of a new layer of The Com known as In Real Life (IRL) Com, which includes subgroups that aim to facilitate real world acts of violence, oftentimes resulting from online conflicts,” the FBI said.

Acts of physical violence have intensified and expanded to other layers of The Com, as multiple subgroups adopt similar methods of retaliation, the FBI said in a PSA dedicated solely to IRL Com. Some subgroups advertise contracts on messaging apps or other social media networks to commit violence or swatting for payment. 

“IRL Com groups also see swatting as a way of gaining credibility among members; the more attention a swatting incident gets, the more attention the member receives from the group,” the FBI said. “Leaders from IRL Com groups may use swatting to ensure members of the group remain obedient. When members of the IRL Com group disobey orders or refuse to comply with demands, the member or the member’s family may become the target of swatting.”

Extortion Com

The FBI also released a PSA about a subgroup it calls “Extortion Com,” which “systematically targets underage females” and vulnerable populations, including children and those who struggle with mental health issues.

“Victims are typically between the ages of 10 and 17 years old, but the FBI has seen some victims as young as 9 years old,” the FBI said in its PSA. “Threat actors often groom their victims by first establishing a trusting or romantic relationship before eventually manipulating and coercing them into engaging in escalating harmful behavior designed to shame and isolate them.”

Officials said these acts are driven by a range of personal motives, including the pursuit of social status, sexual gratification or a sense of belonging. 

The FBI warns that members of this subgroup manipulate or coerce their victims to produce pornographic material or other videos depicting animal cruelty and self-harm, oftentimes further threatening to share the material with victims’ families, friends or other public communities on the internet.

Two alleged leaders of the child sextortion group 764 were arrested and charged for directing and distributing CSAM in April. The two men, Leonidas Varagiannis and Prasan Nepal, are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

Officials advised people to look for warning signs that a victim may be targeted by The Com and shared resources for help, including the National Center for Missing and Exploited Children’s CyberTipline and Take It Down service. Victims are encouraged to retain all information about an incident and immediately report to the FBI’s Internet Crime Complaint Center and an FBI Field Office.

The post FBI alerts tie together threats of cybercrime, physical violence from The Com appeared first on CyberScoop.