Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency.
Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London and Owen Flowers, 18, from Walsall, West Midlands were arrested at their home addresses on Tuesday, the National Crime Agency (NCA) said. They are 19 and 18, respectively.
It’s worth noting that Flowers was initially arrested for his alleged involvement in the TfL attack in September 2024, but was subsequently released on bail. The agency said it found evidence of Flowers targeting U.S. healthcare companies, and that he has also been charged with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and Sutter Health.
Jubair has also been charged under the Regulation of Investigatory Powers Act (RIPA) 2000 for failing to surrender PINs and passwords for devices seized by law enforcement from him on March 19, 2025.
“This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure,” Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said. “Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the U.K. and other English-speaking countries, of which Scattered Spider is a clear example.”
In tandem, the U.S. Department of Justice (DoJ) unsealed a complaint charging Jubair with conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extorting 47 U.S. entities from May 2022 to September 2025.
These attacks involved the use of social engineering techniques to gain unauthorized access to the target networks, and then leveraging that access to steal and encrypt information, and demand ransom from victims in return for regaining control and preventing the leak of the exfiltrated data.
According to the complaint, victims paid at least $115,000,000 in ransom payments. The incidents, the DoJ added, caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, in October 2024 and January 2025.
In July 2024, the DoJ said law enforcement seized cryptocurrency wallets on a server allegedly controlled by Jubair and confiscated digital assets worth about $36 million at the time. Jubair is also said to have transferred a portion of the proceeds that originated from one of the victims, worth about $8.4 million at the time, to another wallet.
Jubair has been charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted, he faces a maximum penalty of 95 years in prison.
“Jubair went to great and sophisticated lengths to keep himself anonymous while he and his criminal associates continued to attack these victims and extort tens of millions of dollars in ransom payments,” said Alina Habba, Acting U.S. Attorney and Special Attorney for the District of New Jersey.
