This week, authorities in the United Kingdom detained four suspected members of “Scattered Spider,” a notorious data stealing and extortion collective that recently targeted multiple airlines and the British retail chain Marks & Spencer.
Scattered Spider refers to an English-speaking cybercrime outfit recognized for employing social engineering strategies to infiltrate organizations and extract data for ransom. They often impersonate staff or contractors to mislead IT help desks into providing access. Last month, the FBI alerted that Scattered Spider had changed its focus to companies in the retail and airline industries.
The National Crime Agency (NCA) of the U.K. refrained from confirming the identities of those apprehended, stating merely that two were 19 years old, one was 17, and a female was 20. The NCA reported that the individuals faced charges related to cyberattacks on Marks & Spencer, as well as the British brands Harrods and Co-op Group.
KrebsOnSecurity has uncovered the identities of the two 19-year-old suspects. Numerous sources connected to the investigation indicated that one of the apprehended individuals is Owen David Flowers, a U.K. resident believed to have been involved in the cyber breach and ransomware incident that paralyzed several MGM Casino locations in September 2023. These same sources informed that the woman arrested is either involved in a relationship with Flowers or had recently ended one.
Sources informed KrebsOnSecurity that Flowers, who reportedly used hacker aliases “bo764,” “Holy,” and “Nazi,” was the member who anonymously provided interviews to the media shortly after the MGM breach. His actual name was omitted from a September 2024 article about the group as he had not yet faced charges for that incident.
The more prominent arrest within the Scattered Spider operation is Thalha Jubair, a man from the U.K. whose alleged activities under various aliases have been extensively reported. Jubair is believed to have operated under the alias “Earth2Star,” linked to a founding member of the cybercrime-centered Telegram group “Star Fraud Chat.”
In 2023, KrebsOnSecurity conducted an investigation of three distinct SIM-swapping gangs that phished credentials from T-Mobile employees, exploiting that access to provide a service capable of transitioning any T-Mobile phone number to a new device. Star Chat was undoubtedly the most prolific and impactful of these SIM-swapping groups, collectively breaching T-Mobile’s networks over 100 times in the latter half of 2022.
Jubair allegedly operated under the names “Earth2Star” and “Star Ace,” and was a central figure in a prominent SIM-swapping organization in 2022. Star Ace shared this image in the Star Fraud chat channel on Telegram, outlining various costs for SIM-swaps.
According to sources, Jubair was also a key member of the LAPSUS$ cybercrime organization that breached numerous tech firms in 2022, pilfering source code and other sensitive data from major tech corporations including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
In April 2022, KrebsOnSecurity released internal chat logs from LAPSUS$, revealing that Jubair was using the aliases Amtrak and Asyntax. During one interaction, Amtrak cautioned the LAPSUS$ group leader against sharing T-Mobile’s logo in the images sent to the group due to previously being caught for SIM-swapping, which raised suspicions with his parents.
As illustrated in those conversations, the LAPSUS$ leader ultimately opted to betray Amtrak by disclosing his real name, contact number, and other hacker aliases in a public Telegram chat.
In March 2022, the leader of the LAPSUS$ data extortion group revealed Thalha Jubair’s name and hacker monikers in a public chatroom on Telegram.
That report concerning the leaked LAPSUS$ conversations connected Amtrak/Asyntax/Jubair to the alias “Everlynn,” the creator of a criminal service that offered fraudulent “emergency data requests” targeting leading social media and email providers. These schemes involved hackers compromising email accounts related to law enforcement and government bodies, subsequently sending unauthorized requests for subscriber data, asserting that the requested information could not wait for a court order due to its urgent nature.
The membership roster of the now-defunct “Infinity Recursion” hacking group, from which some members of LAPSUS$ have emerged.
Sources indicate that Jubair also utilized the nickname “Operator,” and until recently he managed the Doxbin, a long-standing and highly toxic online community intended for “doxing” or releasing highly personal information about individuals. In May 2024, several prominent cybercrime channels on Telegram mocked Operator after it was disclosed that he had staged his own abduction in a failed attempt to mislead law enforcement officials.
In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider collective, which has long depended on enlisting minors for its most perilous operations. In fact, many of the group’s core participants were drawn from online gaming platforms such as Roblox and Minecraft during their early teen years, honing their social engineering skills over several years.
“There is a distinct trend showing that some of the most nefarious threat actors entered cybercrime gangs at an alarmingly young age,” remarked Allison Nixon, chief research officer at the New York-based security firm Unit 221B. “Cybercriminals arrested at 15 or younger require substantial intervention and supervision to avert a long-term escalation.”