The U.S. Department of Justice unsealed federal charges on Thursday against British teenager Thalha Jubair. Prosecutors accuse the 19-year-old of involvement in at least 120 cyberattacks, including one targeting the U.S. Courts system, and the extortion of dozens of American companies.
Jubair was arrested on Tuesday at his home in East London according to a statement by the National Crime Agency. He appeared in court in London on Thursday morning alongside another teenager, 18-year-old Owen Flowers. Both are accused of involvement in a 2024 cyberattack that targeted Transport for London, the government body overseeing the city’s public transit system. The attack resulted in a data breach and a recovery effort that lasted for months. The National Crime Agency stated the hack on the transit system’s IT network was attributed to the Scattered Spider hacking group. Both defendants were taken into custody to appear in court at a later date.
Scattered Spider is an English-speaking group of financially motivated cybercriminals, mostly teenagers and young adults. They are sometimes called “advanced persistent teenagers” due to their skilled and repeated cyberattacks. These hackers are known for breaching large numbers of companies using relatively simple social engineering techniques. A common method involves calling a company’s IT helpdesk and pretending to be an employee who forgot a password and needs a new one. The group is also known for its involvement with other hackers through a nebulous cyber collective called “the Com,” which refers to a cybercrime community that sometimes crosses into the real world with physical threats and violence, including swatting.
In a separate set of federal charges filed in New Jersey, U.S. prosecutors stated Jubair faces computer hacking, extortion, and money laundering charges related to dozens of hacks. These attacks saw corporate victims pay over $115 million in ransom payments. According to the FBI’s criminal complaint, servers believed to be run by Jubair were seized in July 2024. Evidence on those servers allegedly showed Jubair was involved in hacks of at least 120 companies, including 47 based in the United States.
Prosecutors say Jubair used social engineering techniques to break into company networks to steal internal data, encrypt the victim’s servers, and then extort the victims into paying to unlock the files. One of the victim companies was a critical infrastructure company based in New Jersey. The FBI found evidence on one server of more than a gigabyte of data stolen from that company, as well as browsing history showing logins to its servers.
Another breach the FBI allegedly connected to Jubair involved access to the U.S. Courts system. In January 2025, Jubair and other hackers reportedly contacted the U.S. Courts’ helpdesk to gain access to three user accounts, including one belonging to a federal magistrate judge. The goal was to search for information related to “Scattered Spider.” The hackers also used a hacked account to submit an emergency information disclosure request for customer information to an unnamed financial services provider. This is a common tactic used to trick companies into turning over user information in response to what they believe is a legitimate legal request. The FBI stated Jubair’s seized server was used to conduct searches related to the U.S. Courts hack and to send the emergency request.
It was previously reported that Scattered Spider hackers broke into the U.S. Courts system to search for information about themselves, including the sealed indictment of one now-convicted member, Noah Urban.
Jubair’s servers allegedly contained a cryptocurrency wallet storing around $36 million at the time it was seized, with much of it traceable to companies that paid ransoms. The FBI said Jubair transferred out approximately $8.4 million from the wallet as the FBI was taking control of the server.
It is not immediately clear if the Department of Justice has or will seek Jubair’s extradition. A DOJ spokesperson did not immediately comment.