June 23, 2026

Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-week trial.

Owen Flowers (left) 18, and Thalha Jubair, 20. Image: UK National Crime Agency (NCA).

Thalha Jubair, 20, of East London and 18-year-old Owen Flowers of Walsall admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. According to a report from the BBC, Flowers alone admitted to being part of a conspiracy to hack into U.S. based healthcare providers SSM Health Care Corporation and Sutter Health in September 2024.

Jubair is also wanted by U.S. law enforcement agencies. In September 2025, prosecutors in New Jersey unsealed an indictment alleging Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025, and that the group’s victims paid at least $115 million in ransom payments.

In July 2025, KrebsOnSecurity reported that Flowers and Jubair were arrested in the United Kingdom in connection with Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. Multiple sources familiar with those investigations said Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.

According to prosecutors, Jubair co-ran a bustling Telegram channel called Star Chat, the home of a SIM-swapping group that used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K. The group would then use that access to sell a service that could redirect a target’s phone number to a device the attackers controlled and intercept the victim’s calls and text messages (including one-time codes for multi-factor authentication).

A receipt from Star Fraud Chat’s SIM-swapping service targeting a T-Mobile customer after the group gained access to internal T-Mobile employee tools. “Rocket Ace” was one of Jubair’s hacker handles, according to U.S. prosecutors.

New Jersey prosecutors also allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPassDoorDashMailchimpPlex and Signal.

KrebsOnSecurity reported last year that one of Jubair’s alter egos at age 15 was “Everlynn,” a hacker who sold fraudulent “emergency data requests” that used compromised police and government email addresses to demand subscriber data (e.g. username, IP/email address) from major tech companies, claiming the requests concerned urgent matters of life and death and could not wait for a court order.

In April 2026, 24-year-old British national and Scattered Spider member Tyler “Tylerb” Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft for participating in the group’s SMS phishing spree in the summer of 2022. The government said Buchanan, Jubair and others used the credentials harvested in that phishing campaign to steal at least $8 million in cryptocurrency from victims throughout the United States. Buchanan is currently scheduled to be sentenced on October 2.

In August 2025, 20-year-old Scattered Spider member from Florida named Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution, after pleading guilty to charges of wire fraud and conspiracy.

The U.S. Department of Justice says three alleged Scattered Spider defendants indicted along with Buchanan still face charges, including Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina.

Flowers and Jubair are slated to be sentenced in a London court on July 15, 2026.


34 thoughts on “Scattered Spider Hackers Plead Guilty on Day 1 of Trial

    1. Robert Keogh

      They will serve some time and get a great job working at a GCHQ cut out org via the The “Cyber Choices” Program, if not there then some big cyber security company will hire them, its a bit like Better Call Saul, the best criminal lawyers are criminals!

      Reply
      1. O.K.

        Why is it that pretty much every time cyber crooks are punished, someone will chime in and claim they will get a cushy job some letter agency or security consultancy?
        To be hired you need the right skill set. And much more importantly: you need to be deemed trustworthy. That rules out pretty much any job that requires clearance, because for some crazy reason, most gov’t agencies do not consider ex-cons trustworthy.
        Nobody’s going to bust out a couple of shameless, reckless social engineering guys. It’s really not like these guys are misunderstood geniuses who were too curious for their own good.

        Reply
          1. mealy

            Those examples are seemingly the exceptions that prove the rule valid, re “Nobody’s going to bust out a couple of shameless, reckless social engineering guys.”

            Reply
  1. ReadandShare

    Smart young adults potentially throwing their future away. Sigh…

    Reply
    1. Maurice Kaplan

      A friend of my nephew is a 23 year old guy with obvious talent who seems to be uninterested in a job.

      I think he wants me to retire and has the idea that he can take my job. However, he has neither the knowledge nor the temperament to do the job. He’s too much of a hothead and thinks that he knows absolutely everything about everything, especially computers and electronics.

      For example, when he first came to town, he was helping my nephew run a cable in someone’s house. They ran three cables and couldn’t get any of the runs to work. He claimed the cable was rotten, that the connectors were bad, and that the cable tool was broken. There was nothing wrong with any of that — the issue is with his own arrogant belief that nothing is ever his fault.

      He is not my employee — he has too many red flags for me to consider him for a job.

      Reply
  2. Sacha

    While it is difficult to trace many spammers and scammers through the cyberlabyrinth of the WWW, it is heartening to see that over time, more of these lost souls are being caught.

    The sad thing is that so many of them are still kids. The question of what their parents must think makes me wonder if they were even present at all. Parenting usually involves some kind of monitoring to see what your kid is doing online for so long before they get to the age these doofuses are at, where they inevitably make some kind of mistake and get caught. They are old enough now to know better… and to face the consequences as well.

    Reply
    1. BigP

      …parents just need to tell their kids “don’t be a f***ing thief!”. Say it enough times and they’ll get it. Teach the basics of morality.

      Reply
  3. Backlot Blues

    Hello, Brian:

    If I recall, you said that Scattered Spider has a robust, large recruiting base. From what I remember, less than a dozen of them have been apprehended, and most of them were not high-level members, although from what I can garner from your site and a few others, the Vegas ransomings were particularly treacherous.

    Do you have any idea what the current rough count is of active members, according to the threat researchers? I am guessing most of its ersatz members don’t know much about any of the others so I doubt previous models to round em all up would work.

    The catch all name seems kind of deceptive, especially to C-level types who don’t even get they can be ransomed months later by other people that most reporters and companies might call the same group. Are they really?

    Thanks.

    Reply
  4. Nils Whyte

    I don’t think the courts and laws have caught up with what should be more severe penalties for cyber crimes; they don’t quite get the blast radius of the infractions. Kids on the street stealing far far less and effecting almost no one, often get much harsher sentences in comparison.

    Reply
  5. Some guy

    They are more connected than people think. Just like the jellyfish-like drone swarms. I wouldn’t be so quick to assume they aren’t mutually aware, like some effed up MUFON.

    Hacking sure wasn’t like that fifteen years ago.

    And wouldn’t you know it they wanted fictional time machines then also.

    Reply
  6. James KC

    “Throwing their lives away” to be future security consultants when they do their face turn.

    Reply
    1. some guy

      Nah, the world doesn’t work like that usually anymore, and there are plenty of folks straddling that line that didn’t get caught left to hire. Assuming there is even an equivalent skill set in demand five, eight, ten, whatever years from now. Not saying they can’t have a life after sentencing, just that the time of the convicted felon wunderkind with a future in a field demanding trust, as a given, is long gone.

      Reply
  7. anon

    The TFL hack started on 31st August, and Flowers was arrested for it on 6th September. So clearly no opsec skills. They had to plead guilty as the evidence included videos and screenshots that these idiots had saved to their own personal devices.

    Reply
    1. Clucker McCluckerton

      Man, it’ll be interesting to see what kind of time these two Meduza reporters are gonna get (and if the Puzata Hata will accept their non-activated American gift cards with zero balances for their spring salad and pelmini back when everyone was playing soccer in Kiev).

      Reply
    2. Martindale Hubbell

      Did they do any preparatory work for the TFH hack or was it unplanned? Surely this would affect their downward departure calculation.

      Reply
  8. TechGuy

    I always wonder what role the parents play in having teenagers who engage in this criminal activity. These kids reap huge financial rewards – don’t the parents see that? Are they really that clueless? Perhaps they should share some of the responsibility for all the harm their child causes others.

    Juvenile computer crime and hacking recidivism rates aren’t generally tracked so I also wonder how many commit post-incarceration crimes.

    Reply
  9. Fred Trump

    These two upstanding citizens have a bright future in the Trump organization, Big-Balls better watch out for these two. And I don’t see them being on many dates with girls either, but getting beat up by girls yes 😉

    Reply
    1. Spiffy

      Shouldn’t this sort of post be on something like t4r4ñt3lla.onion or something, not this site?

      Reply
  10. Wesito

    So these young fellas are part & parcel of stealing north of 100 million dollars, but they can’t afford to hire a hotshot legal team? Where did the money go?

    Or was their opsec so horrendous that their lawyers told them throwing themselves on the mercy of the court is the only viable path?

    Reply
    1. BooBoo Witch

      As some stranger I do not know but whose words I probably read online somewhere at some point most likely said, try as you might to steal as much as you might like, without a certain amount of dough you’ll have an almost impossible time laundering it or accessing it.

      Which is probably why the majority of crime thriller novels, snazzy crime-oriented tv shows and stylish heist movies do not seem to be representative of real life crime.

      All the really really bad crime is committed by transnational corporations, and people with long-standing crooked relationships with international sketchy folks like the Biden family, hoping to tie up the resources of federal investigators with cases like this as much as they can.

      Once you see a few cases like those (and they rarely come into the light, no less see prosecution as much as you would think), cases like these sort of make you feel bad for kids like this, regardless of the chaos they seem to cause. Turtles in both directions.

      Reply
  11. Mark Spencer

    Pair of mongs. Look like they’d have trouble making friends in real life.

    Reply
  12. Harmless

    Feel it is important to mention this “talented hacker” owner flowers also went by Bo764 and was a little freakzoid who extorted little girls

    Reply
    1. Ququbarra

      I mean thinking about it in terms of gross damage caused (and no one said anything about friendships; this is merely logic), these two at least weren’t training thousands to copy their exploitative actions (unlike the tens of thousands of crypto scammers out there shilling things and making money doing PAD, while the guileless, clueless people that were taken advantage of by their ransoming ways don’t realize, maybe ever, they’ve been screwed over not just once but in four ways, and it’ll last a lifetime.)

      Lots of Yugoslavians were billionaires in 1994 though that wouldn’t even buy an order of chevapi.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *