Recent law enforcement actions in the U.K. are shedding light on Scattered Spider, an international cybercriminal organization that has been operational since 2022. This group has gained notoriety for its involvement in significant cyberattacks against high-profile targets, including Transport for London (TfL) and the cryptocurrency exchange Crypto.com, along with casino giants like MGM and Caesars.
During a recent operation, the National Crime Agency arrested two young individuals, Thalha Jubair and Owen Flowers, aged 18 and 19, respectively. They face charges related to a cyberattack on TfL, which reportedly resulted in substantial disruption and financial losses. As outlined in a complaint filed by the U.S. Department of Justice, Jubair is implicated in over 120 ransomware attacks affecting 47 U.S. entities.
The age profile of Scattered Spider’s members is particularly striking, as many of them are teenagers. Another member, Noah Urban, who operated as a “caller,” was just 19 at the time he successfully infiltrated Crypto.com’s systems. His technique involved gaining unauthorized access to sensitive information over the phone.
Recently, more information about the group’s activities has emerged, particularly surrounding the Crypto.com breach, which had not been publicly disclosed until now. In response to growing scrutiny, the CEO of Crypto.com, Kris Marszalek, firmly denied allegations that the company had concealed the incident, stating that such claims are entirely baseless.
Financially, Scattered Spider’s operations have proven highly lucrative. Between May 2022 and September 2025, the group extorted at least $115 million from American companies, according to the DOJ complaint. Other notable victims include high-profile organizations such as MoneyGram, Reddit, Coinbase, MailChimp, HubSpot, Cloudflare, and Activision. The casino industry has also felt the impact, especially with Caesars reportedly paying a ransom of $15 million to prevent the release of stolen login credentials.
The group has leveraged third-party ransomware, often procured from specialized Russian vendors, employing various strains such as RansomHub, Qilin, and DragonForce. These strains are distributed under a “ransomware-as-a-service” model, in which malware developers receive rental fees or a share of any ransom payments.
As the crackdown on Scattered Spider intensifies, the extent and audacity of their exploits highlight an alarming trend in cybercrime, particularly among younger individuals who are increasingly becoming involved in sophisticated hacking operations.