DOJ: Scattered Spider took $115 million in ransoms, breached a US court system
A Justice Department complaint unsealed this week revealed that the Scattered Spider cybercriminal operation was able to extort at least $115 million from dozens of victims over the last three years and also breached a U.S. federal court network.
U.K. national Thalha Jubair, 19, was arrested in London on Thursday and was concurrently charged by U.S. prosecutors with conspiracies to commit computer fraud, wire fraud and money laundering. U.S. prosecutors said Jubair and his co-conspirators were responsible for at least 120 cyberattacks that included 47 U.S. entities.
In total, victims paid at least $115 million in ransom payments to Jubair and others, prosecutors said. The FBI traced payments, stolen data and hacking tools to specific servers owned and registered to Jubair.
The Justice Department said Jubair and others operated from May 2022 until this month, and the complaint centers on cyberattacks targeting seven victim companies as well as personnel data and other information within the network of the United States Courts.
The complaint lists several victims who paid exorbitant ransoms — including two incidents where organizations paid him $25 million and $36.2 million respectively.
Nearly all of the attacks carried the hallmarks of tried-and-true Scattered Spider tactics: The hackers called the help desk, asked for a password reset, took over an administrative account and then used their access to steal data before encrypting critical systems.
“These malicious attacks caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, highlighting the significant and growing threat posed by brazen cybercriminals,” said acting Assistant Attorney General Matthew Galeotti.
If convicted, Jubair faces up to 95 years in U.S. prison. The DOJ did not respond to requests for comment about the status of extradition efforts.
Searching for subpoenas
The attack on the United States Courts’ network started when Jubair allegedly called the court system helpdesk on January 8 asking for a password reset, prosecutors said.
Once inside the court network, Jubair and others took over two accounts and stole information on court personnel including names, usernames and telephone numbers, prosecutors said.
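The sequence described above and in the opening of the article (a help-desk password reset followed by a takeover of the account) leaves a recognizable trace in logs: a reset ticket for a user, then a sign-in for that same user from an address the account has never used. The following is an added example, not code from the complaint or from any of the agencies named here; it shows one way a defender could correlate those two events. The log format, the field names (`user`, `ip`, `ticket`, `role`), the two-hour window and the sample lines are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): a help-desk ticketing system and an
# identity provider merged into one timeline. alice is reset and then signs in
# from an address never seen for her; bob is reset and signs in from his usual
# address; carol is reset but her first login falls outside the window.
SAMPLE_LOG = """\
2025-01-08T08:00:00 login user=alice ip=10.0.0.5 role=user
2025-01-08T08:30:00 login user=bob ip=10.0.0.9 role=user
2025-01-08T09:00:00 helpdesk_reset user=alice ticket=HD-0001
2025-01-08T09:12:00 login user=alice ip=203.0.113.7 role=admin
2025-01-08T10:00:00 helpdesk_reset user=bob ticket=HD-0002
2025-01-08T10:20:00 login user=bob ip=10.0.0.9 role=user
2025-01-08T11:00:00 helpdesk_reset user=carol ticket=HD-0003
2025-01-08T15:00:00 login user=carol ip=198.51.100.2 role=user
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "helpdesk_reset" or "login" (hypothetical event names)
    fields: dict   # key=value pairs from the log line


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso timestamp> <kind> k=v k=v ...'."""
    ts_text, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), kind, fields)


def parse_log(text: str) -> list:
    """Parse all non-empty lines and return them in time order."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_resets(events: list, window: timedelta = timedelta(hours=2)) -> list:
    """Flag a help-desk reset whose first following login (within `window`)
    comes from an IP the account had never used before the reset.

    A reset for an account with no login history at all has an empty
    baseline, so any prompt login after it is treated as unseen as well.
    """
    known_ips = {}   # user -> set of IPs seen in logins so far
    pending = {}     # user -> (reset event, snapshot of baseline at reset time)
    alerts = []
    for ev in events:
        user = ev.fields["user"]
        if ev.kind == "helpdesk_reset":
            # Snapshot the baseline now: logins after this point are the ones
            # we want to judge against what the account looked like before.
            pending[user] = (ev, frozenset(known_ips.get(user, ())))
            continue
        if ev.kind != "login":
            continue
        ip = ev.fields["ip"]
        if user in pending:
            # The first login after a reset decides the outcome, whether or not
            # it lands inside the window.
            reset, baseline = pending.pop(user)
            if ev.ts - reset.ts <= window and ip not in baseline:
                alerts.append({
                    "user": user,
                    "ticket": reset.fields.get("ticket", ""),
                    "reset_ts": reset.ts.isoformat(),
                    "login_ts": ev.ts.isoformat(),
                    "source_ip": ip,
                    # An admin role right after a reset is the case that matters most.
                    "privileged": ev.fields.get("role") == "admin",
                })
        known_ips.setdefault(user, set()).add(ip)
    return alerts


def run_sample() -> list:
    """Run the detector over the constructed log; returns the alert list."""
    return find_suspicious_resets(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule deliberately snapshots the baseline at the moment of the reset rather than at the login, so a login from a new address cannot launder itself into the baseline before it is judged. In practice the reset event would come from the ticketing system and the login from the identity provider, and the window and "privileged" test would be tuned to the environment; the two-hour value here is only an assumption for the example.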
Jubair later allegedly accessed the accounts of three other people, including a federal judge, and searched the judge’s inbox for any subpoenas on themselves as well as on “Scattered Spider.”
“The evidence further revealed that the Conspirators also attempted to gain access to another federal magistrate judge’s account, associated with a judge who had presided over a matter involving a Conspirator,” prosecutors wrote.
“In addition, the Conspirators, using one of the compromised accounts, sent at least one communication to a financial services provider requesting the emergency disclosure of customer account information.”
Investigators used Jubair’s alleged browser history as evidence, saying that one of his servers was used to perform password resets for U.S. Courts accounts and to sign into those compromised accounts.
The server also was allegedly used to download data stolen from the U.S. Courts network and perform internet searches on some of the victims.
The stolen data on the server includes files containing thousands of names, titles, and work locations of U.S. Courts users, prosecutors said.
Food deliveries and gaming accounts
Law enforcement agencies said they were able to tie the servers to Jubair through a number of different methods, including Telegram handles, food deliveries and gaming purchases.
In July 2024, U.S. officials seized one of the servers allegedly controlled by Jubair and the cryptocurrency wallet hosted on it, finding assets worth $36 million in the wallet. Analysts were able to trace the payment back to one of the victims listed in the complaint, and they found evidence that before the raid, Jubair transferred some of the funds to other cryptocurrency wallets, prosecutors said.
Law enforcement agencies also found multiple Telegram accounts allegedly tied to Jubair, including handles with the names “Brad,” “autistic” and “EarthtoStar.” In conversations with another co-conspirator, Jubair discussed cyberattacks involving about 40 companies, prosecutors said.
Several of the conversations obtained through Telegram allegedly show Jubair and others discussing ransom payments and how they would split the funds.
One of the Telegram accounts was accessed from an IP address that was also used to log into a gaming account registered to Jubair at his home, authorities said. Some of the Telegram conversations, including one about Jubair’s birthday, also provided evidence of his identity and where he was located, prosecutors said. One of his co-conspirators is located in the U.S., the DOJ said.
Jubair was tied to the servers and the cryptocurrency accounts because at least one crypto wallet was used to purchase two gift cards that were then used at a food delivery company. Law enforcement contacted the food delivery company about the cards and was provided information indicating they were used for a delivery on May 13, 2024, to Jubair’s apartment complex, prosecutors said.
Other cryptocurrency in the wallet was allegedly used to purchase more gift cards in 2023 that were used for accounts on gaming platforms. The gaming accounts were accessed using an account registered to Jubair, prosecutors said.
Law enforcement also interviewed someone who tied Jubair to one of his Telegram accounts and picked his photo out of a lineup, authorities said.
FBI Assistant Director Brett Leatherman said in a statement that the bureau worked with the U.K.’s National Crime Agency, the West Midlands Police and the City of London Police on the investigation alongside agencies in Canada, Romania, Australia and the Netherlands.
Jubair appeared in Westminster Magistrates Court on Thursday afternoon alongside another teen, 18-year-old Owen Flowers, under accusations that they were responsible for a cyberattack on the Transport for London agency last year.
Members of the group previously took credit for devastating campaigns targeting giants in the insurance, retail and aviation industries.
Last week, alleged members of the Scattered Spider cybercriminal group shuttered a Telegram channel they used to boast of attacks — with several members making tacit references to a recent string of arrests, law enforcement activity and criminal convictions against members as their reason for ceasing the current operation.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.