$115 million in ransom payments across 120 network intrusions hitting 47 U.S. entities. That's the tab for Scattered Spider, and two of its members just pleaded guilty on the first day of what was supposed to be a six-week trial.
Two Plead Guilty, the Bill Comes Due
Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. Flowers alone copped to a conspiracy to hack U.S. healthcare providers SSM Health Care Corporation and Sutter Health in September 2024. Their sentencing is set for July 15, 2026, in a London court.
Jubair is also wanted by U.S. law enforcement. In September 2025, New Jersey prosecutors unsealed an indictment accusing him and other Scattered Spider members of computer fraud, wire fraud, and money laundering. The tally: 120 network intrusions, 47 victim entities, at least $115 million in ransom paid out.
From Telegram SIM-Swapping to Multi-Million Dollar Extortion
Let's be direct about how they operated. Jubair co-ran a Telegram channel called Star Chat, a SIM-swapping service that used voice and SMS phishing to steal credentials from employees at major U.S. and UK wireless carriers. Once inside, they redirected victims' phone numbers to attacker-controlled devices, intercepting MFA one-time codes.
Prosecutors say Jubair also ran a mass SMS phishing campaign in summer 2022 that stole single sign-on credentials from employees at hundreds of companies. That weeks-long campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex, and Signal. At age 15, Jubair allegedly sold fraudulent emergency data requests using compromised police and government emails to demand subscriber data from tech companies.
The Ripple Effect: Healthcare, Retail, and a $13 Million Restitution Order
Scattered Spider didn't stop at credential theft. In September 2023, their ransomware attacks disrupted operations at Las Vegas casinos MGM Resorts and Caesars Entertainment. The group also hit UK retailers Marks & Spencer, Harrods, and the Co-op Group. Multiple sources told KrebsOnSecurity that Flowers was the anonymous voice giving media interviews after those attacks.
A 20-year-old Florida member, Noah Michael Urban, was sentenced in August 2025 to 10 years in federal prison and ordered to pay $13 million in restitution. Another member, Tyler Buchanan, 24, pleaded guilty in April 2026 to wire fraud conspiracy and aggravated identity theft for his role in the SMS phishing spree; he's scheduled for sentencing October 2. Three more defendants still face charges: Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans.
This case shows what happens when teenagers with Telegram channels scale up to enterprise extortion. The U.S. and UK are finally catching up, but with $115 million in ransom already collected, the damage is done.
Source: Scattered Spider Hackers Plead Guilty on Day 1 of Trial
Domain: krebsonsecurity.com
Comments load interactively on the live page.