July 10, 2025

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multiple airlines.

The U.K.’s National Crime Agency (NCA) declined to verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and a 20-year-old female.

Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.

KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.

Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.

The bigger fish arrested this week is 19-year-old Thalha Jubair, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”

In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.

Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.

Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.

In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “Everlynn,” the founder of a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ hail.

Sources say Jubair also used the nickname “Operator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.

In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.

“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York based security firm Unit 221B. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”


32 thoughts on “UK Arrests Four in ‘Scattered Spider’ Ransom Group”

  1. Sevy

    jared antwon aka bo764 owned 764 in past he must stand charges related to child grooming as well, they seized his laptop but never inspected it, it contains recordings of his crimes also contains recordings of crimes of his team mates, including extortions of minors (including individuals who go by soldier of christ/light yagami/comfy/cloak/hibari and poodle)

    1. Zero Two

      it’s true cuckwon764 is one of the most sadistic and depraved individuals i’ve ever came across

  2. paula

    didnt jared cuckwon also social engineer his way with operator, convict and reiko (valhal.la) into “orange” the romanian mobile services provider

  3. vbb

    High greed, low fear of getting caught = recipe for disaster because the chances of getting caught increase over time. So many get caught, so few get away with it.

  4. Raven

    I heard that a person named Raven from a group known as Blood Council based in Barking & Dagenham was involved in some of the scattered spider attacks and lone attacks to children’s health care facilities

  5. Cuckvict764

    Yeah. Heard some stuff about this ‘Convict 764’ guy, real name Baron Martin. Really active dude within the ransomware scene apparently, got arrested earlier this year for CSAM. I know he’s been affiliated with a few threat actors before, but I wouldn’t ever think for him to be affiliated with Scattered Spider, this is pretty insane. I guess it does make sense as he was friends with Starfall Reiko who was involved in hacking Lenovo. Must’ve met some of Reiko’s friends and got involved in that space

      1. n

        LMFAO are u the whore who used to larp being blasian and accused operator of raping u

        1. n

          if anyone interested the telechannel on paula is /@ penguinicecashouts btw

  6. javin dillion

    my name is javin antwon and I worked with operator, but I am smoking operator pack right now, please contact me on telegram if you need more intel on their attacks: @weback1257

    P.s idc about hiding my face, i hope you all like my kenzo shirt https://i.imgur.com/XSHSqyK.jpeg

  7. Sevy

    its me sevy and thats not me posting comments guys please leave me alone brian leave me alone forget about me im dating another guy stop asking me about waifu i love ivan im 19 now and im a grown woman u poor

  8. kush

    i (kush, one of the key members of the comm) was betrayed by my team in 2023 and sold out to the fbi i hate them they are getting me arrested (fbi is on my back), i need protection, im getting arrested this summer/fall

  9. Hahahaha

    Comments from threat actors with misinformation betray their panic. This won’t help you! You’re all going to prison!

      1. Fr00tL00ps

        Like OP said normie; ‘You’re all going to prison!’
        That is hilarious.

  10. Snooxay

    I am the caller and mastermind behind the MGM hack, i’m untouchable and RIU nobody can get me

  11. swingingballs12

    blood council fags making it all about them again begging for recognition xD clowns

    1. Reiko

      true they are cringe they dont even hack
      my friends and i hack tho
      i also was friends with operator
      until he betrayed me
      extorted me and stole my money
      i still feel vulnerable

      operator was one of the key figures in blood council, him and raven used to call bpo’s

  12. Convict from valhal.la

    i just want to say that this article is cringe, what can you realistically do about us? nothing, give up, fbi give up, we are untouchable, please refer to this clip https://youtu.be/2tA4HSgTY8o, im feeling like a kid on a block while hacking companies, you can be mad as fuck but at the end of the day you are the virgin, i get girls, i can fame, you can pray on my downfall, but instead you should join us and stop snitching to the feds

    1. Shane Lemur

      Hey.
      RRC Admin Shane Lemur here, just sending this comment in agreeance with Convict 764 above me.
      This is absolutely true, I have all the intel in the world, and all the IA you could ever imagine.
      Please don’t let my fantasies of my non-existent 6 figures deter you from catching me.
      I breached several childrens hospitals, and I still argue about hacking in the Telegram groupchat, @rrcrevived.
      Kind regards.

      1. z

        why is convict from Valhalla who’s been hacking children hospitals covering up for himself under other peoples names? it’s so obvious that’s you, you will get arrested for hacking and extorting with Intel broker and operator

  13. paula

    why didnt krebs mention how operator extorted me in real life and made me live with him? im still traumatized and im only 15, him and his friends including but not limited to reiko, convict, riu, soldier of christ (hibari/comfy) used to make me go on cam for them and do weird things why do you always cover up for criminals just to make your articles focus only on hacking aspect while they extort

    1. n

      nobody forced u to do anything @Penguinclubcashouts on tele if anyone sees this comment check the channel shes lit just deranged btw stop larping as asian ur romanian

      1. paula

        this comment was made by one of operator’s friends javin kyrie kaleb oz he forced me to say things on video telling me to say *I’m gonna rape my boyfriend* and used it against me

  14. Robert Barr

    go ask thala’s daddy if his feather wallet sitting comfy at 8000 XMR is worth the intravenous diamorphine

  15. Ellie Williams

    i came here because i thought scrizon was under investigation… where was that said in this article? dude is probably a part of interpol anyways just kicking back smoking a blunt and collecting txids & user data from his service

  16. esexless

    reiko hardline is looking for you, please head to the principal's office

