U.S. Charges Alleged Scattered Spider Member

"Operator" led attacks that totaled an estimated $115 million in ransom payments.


According to a report initially published by Flashpoint late last month, the United States has charged 19-year-old UK national Thalha Jubair, who allegedly participated in 120 network intrusions, including the targeting of 47 U.S. entities, as part of "Scattered Spider."

The charges mention specific targets, such as U.S. critical infrastructure companies and the federal court system. Jubair allegedly used social engineering to gain unauthorized access into computer networks, steal and encrypt data, and demand ransom payments totaling $115 million. 

On the same day, UK authorities filed their own charges and arrested Jubair and another alleged Scattered Spider member, 18-year-old Owen Flowers, claiming they were involved in a cyberattack on Transport for London (TfL) in August 2024. 

Jubair used the aliases "EarthtoStar," "Earth2Star," "Brad," "Austin," "@autistic," "miku," "Everlynn," and "StarAce." Jubair also used the alias "Operator" as Doxbin admin. In May 2025, analysts reported on allegations that Operator was part of Scattered Spider (tracked by Google as UNC3944) and associated with multiple ransomware attacks.

Just as a refresher, Scattered Spider has been linked to attacks against manufacturers that include Clorox and Jaguar Land Rover. The group, which consists of hundreds of decentralized participants, has also been known as Octo Tempest, Oktapus, Muddled Libra, UNC3944 and UNC6040.

According to Flashpoint, Scattered Spider adopts a wave approach: the group chooses a particular industry, then attacks as many organizations operating within that sector as possible over a short period. Industries are likely chosen based on perceived profitability or ease of social engineering. While this campaign style is not unique among threat actors, it is a distinct feature of this group's operations. The group favors large enterprises for greater impact and ransom leverage.

The group continues to be a leading threat actor confronting the manufacturing sector. Its formula of disrupting or shutting down production and then extorting a ransom in exchange for restoring operations has proven extremely successful, with most victims simply paying the ransom in order to resume operations.

The Cybersecurity and Infrastructure Security Agency (CISA) offers more information about the group.
