Full Report
Thalha Jubair and Owen Flowers led and directed many attacks attributed to the hacker subset of The Com. U.S. authorities previously accused Jubair of participating in at least 120 attacks. The post Leading members of Scattered Spider sentenced in UK to 66 months in jail appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
* **Actor Name:** Scattered Spider
* **Known Aliases:** UNC3944, Starfraud, Roasted 0ktapus (associated with "The Com")
* **Identity:** Key leaders identified as **Thalha Jubair** (20) and **Owen Flowers** (18). Jubair is described as a "core member of the unbound collective" and one of the four principal individuals associated with the group.
* **Associations:** A subset of **"The Com,"** a nebulous community of cybercriminals involved in extortion and violence.
## Activity Summary
* **TfL Attack (2024):** A major cyberattack on Transport for London that brought operations to a standstill.
* **U.S. Federal Court System (2025):** Attributed to Jubair in January 2025.
* **Extortion Campaigns:** Jubair was accused of participating in at least 120 attacks, specifically extorting 47 U.S.-based organizations.
* **Ransomware/Extortion (2023):** Success in extorting two financial services firms for $25 million and $36.2 million in Bitcoin.
## Tactics, Techniques & Procedures
* **Social Engineering:** Heavily reliant on manipulating individuals to gain access.
* **SIM-Swapping:** Used to bypass multi-factor authentication (MFA) and hijack accounts.
* **Data Extortion:** Stealing sensitive data and threatening release to compel payment.
* **Financial Laundering:** Use of Bitcoin addresses and private servers to manage approximately $89.5 million in illicit cryptocurrency.
* **Infrastructure:** Reinvestment of victim payments back into the criminal enterprise to improve capabilities.
## Targeting
* **Sectors:**
* Critical Infrastructure (Transportation)
* Financial Services
* Government (Federal Court System)
* Healthcare (SSM Health Care Corporation, Sutter Health)
* **Geography:** Primarily targeting the **United Kingdom** and the **United States**.
* **Victims:** Transport for London (TfL), Sutter Health, SSM Health Care Corporation.
## Tools & Infrastructure
* **Malware:** Though specific families aren't named in this text, the group is known for persistent infiltration and damaging network systems.
* **Infrastructure:** Controlled Bitcoin addresses and private servers; utilizes the "Scattered Spider" brand as a franchise-like model for other criminals.
## Implications
Scattered Spider represents a highly capable, financially motivated threat stemming from "The Com" ecosystem. Their ability to disrupt critical infrastructure (TfL) and penetrate high-security government targets (U.S. Courts) demonstrates a significant risk to national security and economic stability. While key leaders were sentenced to 66 months, the "Scattered Spider" brand persists, and experts suggest the group’s decentralized nature and high-profit margins make it a resilient threat.
## Mitigations
* **Phishing/Social Engineering Defense:** Implement robust training and move away from telephony-based MFA (SMS) to hardware security keys to prevent SIM-swapping.
* **Access Management:** Strict monitoring of credential use and unusual logins, especially those targeting identity providers.
* **Network Segmentation:** To prevent lateral movement following an initial social engineering breach.
* **Incident Response:** Establish playbooks specifically for data extortion scenarios where encryption may not be the primary goal.