Feds Tie Scattered Spider Duo to $115M in Ransoms - Krebs on Security

US prosecutors last week levied criminal hacking charges against 19-year-old UK national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large UK retailers, the London transit system, and healthcare providers in the United States.

At a court hearing last week, UK prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.

A court artist sketch of Owen Flowers (left) and Thalha Jubair appearing at Westminster Magistrates' Court last week. Credit: Elizabeth Cook/PA Wire.

On July 10, 2025, KrebsOnSecurity reported that Flowers and Jubair had been arrested in the United Kingdom in connection with recent Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group.

That story cited sources close to the investigation saying Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group's September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.

The story also noted that Jubair's alleged handles on cybercrime-focused Telegram channels had far lengthier rap sheets involving some of the more consequential and headline-grabbing data breaches over the past four years. What follows is an account of cybercrime activities that prosecutors have attributed to Jubair's alleged hacker handles, as told by those accounts in posts to public Telegram channels that are closely monitored by multiple cyber intelligence firms.

Jubair is alleged to have been a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies beginning in late 2021, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile and Uber.

That is according to the former leader of the now-defunct LAPSUS$. In April 2022, KrebsOnSecurity published internal chat records taken from a server that LAPSUS$ used, and those chats indicate Jubair was working with the group using the nicknames "Amtrak" and "Asyntax." In the middle of the gang's cybercrime spree, Asyntax told the LAPSUS$ leader not to share T-Mobile's logo in images sent to the group, because he'd been previously busted for SIM-swapping and his parents would suspect he was back at it again.

The leader of LAPSUS$ responded by gleefully posting Asyntax's real name, phone number and other hacker handles into a public chat room on Telegram.

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair's name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats also connected Amtrak/Asyntax to several previous hacker identities, including "Everlynn," who in April 2021 began offering a cybercriminal service that sold fraudulent emergency data requests targeting the major social media and email providers.

In these so-called "fake EDR" schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data (e.g., username, IP/email address) while claiming the information being requested can't wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct "Infinity Recursion" hacking team, which sold fake EDRs between 2021 and 2022. The founder, Everlynn, has been tied to Jubair. The member listed as "Peter" became the leader of LAPSUS$, who would later post Jubair's name, phone number and hacker handles into LAPSUS$'s chat channel.

Prosecutors in New Jersey last week alleged Jubair was part of a threat group variously known as Scattered Spider, 0ktapus and UNC3944, and that he used the nicknames "EarthtoStar," "Brad," "Austin" and "Austistic."

Beginning in 2022, EarthtoStar co-ran a bustling Telegram channel called "Star Chat," which was home to a prolific SIM-swapping group that relentlessly used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the US and UK.

Jubair allegedly used the handle "Earth2Star," a core member of a prolific SIM-swapping group operating in 2022. This ad produced by the group lists various prices for SIM swaps.

The group would then use that access to sell a SIM-swapping service that could redirect a target's phone number to a device the attackers controlled, allowing them to intercept the victim's phone calls and text messages, including one-time codes. Members of Star Chat targeted multiple wireless carriers with SIM-swapping attacks, but they focused mainly on phishing T-Mobile employees.

In February 2023, KrebsOnSecurity scrutinized more than seven months of these SIM-swapping solicitations on Star Chat, which almost daily peppered the public channel with "Tmo up" and "Tmo down" notices indicating periods wherein the group claimed to have active access to T-Mobile's network.

A redacted receipt from Star Chat's SIM-swapping service targeting a T-Mobile customer after the group gained access to internal T-Mobile employee tools.

The data showed that Star Chat, along with two other SIM-swapping groups operating at the same time, collectively broke into T-Mobile over a hundred times in the last seven months of 2022. However, Star Chat was by far the most prolific of the three, responsible for at least 70 of those incidents.

The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools. Star Chat was responsible for a majority of these incidents. Image: krebsonsecurity.com.

A review of EarthtoStar's messages on Star Chat, as indexed by the threat intelligence firm Flashpoint, shows this person also sold AT&T email resets and AT&T call forwarding services for up to $1,200 per line. EarthtoStar explained the purpose of this service in a post on Telegram:

"Ok people are confused so you know when u login to chase and it says 2fa required or whatever the fuck, well it gives you two options: SMS or Call. If you press call and I forward the line to you, then who do you think will get said call?"

New Jersey prosecutors allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. The text messages asked users to click a link and log in at a phishing page that mimicked their employer's Okta authentication page, saying recipients needed to review pending changes to their upcoming work schedules.

The phishing websites used a Telegram instant message bot to forward any submitted credentials in real time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.

A visual depiction of the attacks by the SMS phishing group known as 0ktapus, ScatterSwine and Scattered Spider. Image: Amitai Cohen, twitter.com/amitaico.

EarthtoStar's group Star Chat specialized in phishing their way into business process outsourcing (BPO) companies that provide customer support for a range of multinational companies, including a number of the world's largest telecommunications providers. In May 2022, EarthtoStar posted to the Telegram channel "Frauwudchat":

"Hi, I am looking for partners in order to exfiltrate data from large telecommunications companies/call centers/alike. I have major experience in this field including a massive call center which houses 200,000 employees, where I have dumped all user credentials and gained access to the domain controller, obtained global administrator. I also have experience with REST APIs and programming. I have extensive experience with VPN, Citrix, cisco anyconnect, social engineering, privilege escalation. If you have any Citrix/Cisco VPN or any other useful things please message me and let's work."

At around the same time in the summer of 2022, at least two different accounts tied to Star Chat, "RocketAce" and "Lopiu," introduced the group's services to denizens of the Russian-language cybercrime forum Exploit, including:

- SIM-swapping services targeting Verizon and T-Mobile customers
- Dynamic phishing pages targeting customers of single sign-on providers like Okta
- Malware development services
- The sale of extended validation (EV) code signing certificates

The user Lopiu on the Russian cybercrime forum Exploit advertised many of the same unique services offered by EarthtoStar and other Star Chat members. Image source: kela.com.

These two accounts on Exploit created multiple sales threads in which they claimed administrative access to US telecommunications providers, and asked other Exploit members for help in monetizing that access. In June 2022, RocketAce, which appears to have been just one of EarthtoStar's many aliases, posted to Exploit:

"Hello, I have access to a telecommunications company's citrix and vpn. I would like someone to help me break out of the system and potentially attack the domain controller so all logins can be extracted. We can discuss payment and things, leave your telegram in the comments or private message me. Looking for someone with knowledge in citrix/privilege escalation."

On Nov. 15, 2022, EarthtoStar posted to their "Star Sanctuary" Telegram channel that they were hiring malware developers with a minimum of three years of experience and the ability to develop rootkits, backdoors and malware loaders.

"Optional: Endorsed by advanced APT Groups e.g. Conti, Ryuk," the ad concluded, referencing two of Russia's most rapacious and destructive ransomware affiliate operations. "Part of a nation-state, ex: 3 letter agency."

The Telegram and Discord chat channels wherein Flowers and Jubair allegedly planned and executed their extortion attacks are part of a loose-knit network known as "the Com," an English-speaking cybercrime community consisting mostly of individuals living in the United States, the United Kingdom, Canada and Australia.

Many of these Com chat servers have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled "If you live near" or "IRL job" (short for "in real life job").

These "violence-as-a-service" solicitations typically involve "brickings," where someone is hired to toss a brick through the window at a specified address. Other IRL jobs for hire include tire-stabbings, molotov cocktail hurlings, drive-by shootings, and even home invasions. The people targeted by these services are typically other criminals within the community, but it's not unusual to see Com members asking others for help in harassing or intimidating security researchers, and even the very law enforcement officers who are investigating their alleged crimes.

It remains unclear what precipitated this incident or what followed directly after, but on January 13, 2023, a Star Sanctuary account used by EarthtoStar solicited the home invasion of a sitting US federal prosecutor from New York. That post included a photo of the prosecutor taken from the Justice Department's website, along with the message:

"Need irl niggas in home hostage shit, no fucking pussies, no skinny glock holding 100 pound niggas either."

Throughout late 2022 and early 2023, EarthtoStar's alias "Brad" (aka "Bradbanned") frequently advertised Star Chat's malware development services, including custom malicious software designed to hide the attacker's presence on a victim machine:

"We can develop KERNEL malware which will achieve persistence for a long time, bypass firewalls and have reverse shell access.
This shit is literally like STAGE 4 CANCER FOR COMPUTERS.
Kernel meaning the highest level of authority on a machine. This can range to simple shells to Bootkits.
Bypass all major EDRs (SentinelOne, CrowdStrike, etc.)
Patch EDRs scanning functionality so it's rendered useless.
Once implanted extremely difficult to remove, basically impossible to even find.
Development Experience of several years and in multiple APT Groups.
Be one step ahead of the game. Prices start from $5000. Message bradbanned to get a quote."

In September 2023, both MGM Resorts and Caesars Entertainment suffered ransomware attacks at the hands of a Russian ransomware affiliate program known as ALPHV and BlackCat. Caesars reportedly paid a $15 million ransom in that incident.

Within hours of MGM publicly acknowledging the 2023 breach, members of Scattered Spider were claiming credit and telling reporters they'd broken in by social engineering a third-party IT vendor. At a hearing in London last week, UK prosecutors told the court Jubair was found in possession of more than $50 million in ill-gotten cryptocurrency, including funds that were linked to the Las Vegas casino hacks.

The Star Chat channel was finally banned by Telegram on March 9, 2025. But US prosecutors say Jubair and fellow Scattered Spider members continued their hacking, phishing and extortion activities up until September 2025.

In April 2025, the Com was buzzing about the publication of "The Com Cast," a lengthy screed detailing Jubair's alleged cybercriminal activities and nicknames over the years. This account included photos and voice recordings allegedly of Jubair, and asserted that in his early days on the Com, Jubair used the nicknames "Clark" and "Miku"; these are both aliases used by Everlynn in connection with their fake EDR services.

Thalha Jubair (right), without his large-rimmed glasses, in an undated photo posted in The Com Cast.

More recently, the anonymous Com Cast authors claimed Jubair had used the nickname "Operator," which corresponds to a Com member who ran an automated Telegram-based doxing service that pulled consumer records from hacked data broker accounts. That public outing came after Operator allegedly seized control over the Doxbin, a long-running and highly toxic community that is used to "dox," or post deeply personal information on, people.

"Operator/Clark/Miku: A key member of the ransomware group Scattered Spider, which consists of a diverse mix of individuals involved in SIM swapping and phishing," the Com Cast account stated. "The group is an amalgamation of several key organizations, including Infinity Recursion (owned by Operator), True Alcorians (owned by earth2star), and Lapsus$, which have come together to form a single collective."

The New Jersey complaint (PDF) alleges Jubair and other Scattered Spider members committed computer fraud, wire fraud and money laundering in relation to at least 120 computer network intrusions involving 47 US entities between May 2022 and September 2025. The complaint alleges the group's victims paid at least $115 million in ransom payments.

US authorities say they traced some of those payments to Scattered Spider to an Internet server controlled by Jubair. The complaint states that a cryptocurrency wallet discovered on that server was used to purchase several gift cards, one of which was used at a food delivery company to send food to his apartment. Another gift card purchased with cryptocurrency from the same server was allegedly used to fund online gaming accounts under Jubair's name. US prosecutors said that when they seized that server, they also seized $3.6 million in cryptocurrency.

The complaint also charges Jubair with involvement in a hacking incident in January 2025 against the US courts system that targeted a US magistrate judge overseeing a related Scattered Spider investigation. That other investigation appears to have been the prosecution of Noah Michael Urban, a 20-year-old Florida man charged in November 2024 by prosecutors in Los Angeles as one of five alleged Scattered Spider members.

Urban pleaded guilty in April 2025 to wire fraud and conspiracy charges, and in August he was sentenced to 10 years in federal prison. Speaking with KrebsOnSecurity from jail after his sentencing, Urban asserted that the judge gave him more time than prosecutors requested because he was mad that Scattered Spider hacked his email account.

Noah "Kingbob" Urban, posting to Twitter/X around the time of his sentencing on Aug. 20.

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident, which happened while he was in federal custody. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban's activity in the Florida case, and that the hacker accessed the account by impersonating a judge over the phone and requesting a password reset.

Allison Nixon is chief research officer at the New York-based security firm Unit 221B, and easily one of the world's leading experts on Com-based cybercrime activity. Nixon said the core problem with legally prosecuting well-known cybercriminals from the Com has traditionally been that the top offenders tend to be under the age of 18, and thus difficult to charge under federal hacking statutes.

In the United States, prosecutors typically wait until an underage cybercrime suspect becomes an adult to charge them. But until that day comes, she said, Com actors often feel emboldened to continue committing, and very often bragging about, serious cybercrime offenses.

"Here we have a special category of Com offenders that effectively enjoy legal immunity," Nixon told KrebsOnSecurity. "Most get recruited to Com groups when they are older, but of those that join very young, such as 12 or 13, they seem to be the most dangerous because at that age they have no grounding in reality and so much longevity before they exit their legal immunity."

Nixon said UK authorities face the same challenge when they briefly detain and search the homes of underage Com suspects. Namely, the teen suspects simply go right back to their respective cliques in the Com and start robbing and hurting people again the minute they're released.

Indeed, the UK court heard from prosecutors last week that both Scattered Spider suspects were detained and/or searched by local law enforcement on multiple occasions, only to return to the Com less than 24 hours after being released each time.

"What we see is these young Com members become vectors for perpetrators to commit enormously harmful acts and even child abuse," Nixon said. "The members of this special category of people who enjoy legal immunity are meeting up with foreign nationals and conducting these sometimes heinous acts at their behest."

Nixon said many of these individuals have few friends in real life because they spend virtually all of their waking hours on Com channels, and so their entire sense of identity, community and self-worth gets wrapped up in their involvement with these online gangs. She said if the law was such that prosecutors could treat these people commensurate with the amount of harm they cause society, that would probably clear up a lot of this problem.

"If law enforcement was allowed to keep them in jail, they would quit reoffending," she said.

The Times of London reports that Flowers is facing three charges under the Computer Misuse Act: two of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security, and one of attempting to commit the same act. Maximum sentences for these offenses can range from 14 years to life in prison, depending on the impact of the crime.

Jubair is reportedly facing two charges in the UK: one of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security, and one of failing to comply with a section 49 notice to disclose the key to protected information.

In the United States, Jubair is charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If extradited to the US, tried and convicted on all charges, he faces a maximum penalty of 95 years in prison.

In July 2025, the United Kingdom barred victims of hacking from paying ransoms to cybercriminal groups unless approved by officials. UK organizations that are considered part of critical infrastructure reportedly will face a complete ban, as will the entire public sector. UK victims of a hack are now required to notify officials, to better inform policymakers on the scale of Britain's ransomware problem.

For further reading (bless you), check out Bloomberg's poignant story last week based on a year's worth of jailhouse interviews with convicted Scattered Spider member Noah Urban.
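The 0ktapus passage above describes the mechanism that made the 2022 SMS campaign work against accounts protected by one-time codes: the phishing page forwarded each submitted username, password and code through a Telegram bot, and the attacker typed them into the real Okta page within seconds. The model below is an added example written for this page, not code from the article or from any group it describes. It assumes a hypothetical SSO origin (sso.example-corp.test), a hypothetical look-alike phishing origin, and constructed user secrets; it implements RFC 6238 TOTP directly, and stands in for a WebAuthn passkey assertion with an HMAC over the origin the browser actually observed. It shows the relayed TOTP succeeding inside the server's 30-second acceptance window, failing when the relay is two minutes late, and the origin-bound credential failing even when the server's challenge is relayed faithfully.

```python
"""Added example: real-time credential relay vs. origin-bound authentication.
Not code from the KrebsOnSecurity article. All origins, names, secrets and
timestamps are constructed for illustration."""
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30  # seconds; RFC 6238 default time step


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation."""
    counter = int(at // TOTP_STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def sign_assertion(passkey_secret: bytes, origin: str, challenge: bytes) -> bytes:
    """Simplified stand-in for a WebAuthn assertion: the signed data covers the
    origin the browser is on plus the server challenge. Real WebAuthn uses an
    asymmetric signature over authenticatorData || SHA-256(clientDataJSON);
    an HMAC is enough here to show the origin binding."""
    return hmac.new(passkey_secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class IdentityProvider:
    """Toy employer SSO at a hypothetical origin (constructed users)."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}  # username -> (password, totp_secret, passkey_secret)

    def enrol(self, username, password, totp_secret, passkey_secret):
        self.users[username] = (password, totp_secret, passkey_secret)

    def login_password_totp(self, username, password, code, now) -> bool:
        record = self.users.get(username)
        if record is None or record[0] != password:
            return False
        # Accept the current step and one step either side, as most servers do.
        # That window is all the time a real-time relay needs.
        return any(totp(record[1], now + d * TOTP_STEP) == code for d in (-1, 0, 1))

    def login_passkey(self, username, assertion) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        # The server verifies against ITS OWN origin, not whatever the page claimed.
        expected = sign_assertion(record[2], self.origin, assertion["challenge"])
        return hmac.compare_digest(expected, assertion["signature"])


class VictimBrowser:
    """The employee: types into whatever page is in front of them. The authenticator
    does not trust the page; it signs the origin the browser observed."""

    def __init__(self, username, password, totp_secret, passkey_secret):
        self.username, self.password = username, password
        self.totp_secret, self.passkey_secret = totp_secret, passkey_secret

    def submit_form(self, now):
        return {"username": self.username, "password": self.password,
                "code": totp(self.totp_secret, now)}

    def sign_passkey(self, page_origin, challenge):
        return {"challenge": challenge,
                "signature": sign_assertion(self.passkey_secret, page_origin, challenge)}


def relay_totp_attack(idp, victim, now, relay_delay) -> bool:
    """Phishing page -> bot channel -> attacker logs in at the real IdP relay_delay s later."""
    captured = victim.submit_form(now)  # forwarded verbatim by the bot
    return idp.login_password_totp(captured["username"], captured["password"],
                                   captured["code"], now + relay_delay)


def relay_passkey_attack(idp, victim, phish_origin) -> bool:
    """Attacker fetches a challenge from the real IdP, shows it on the phishing page,
    and forwards the resulting assertion, which is bound to phish_origin."""
    challenge = os.urandom(32)
    captured = victim.sign_passkey(phish_origin, challenge)
    return idp.login_passkey(victim.username, captured)


def demo(now: float = 1_700_000_000.0) -> dict:
    idp = IdentityProvider("https://sso.example-corp.test")  # hypothetical
    victim = VictimBrowser("a.employee", "Winter2022!",
                           b"constructed-totp-seed", b"constructed-passkey")
    idp.enrol(victim.username, victim.password, victim.totp_secret, victim.passkey_secret)
    phish = "https://example-corp-okta-schedule.test"  # hypothetical look-alike
    return {
        "totp_relayed_in_5s": relay_totp_attack(idp, victim, now, relay_delay=5.0),
        "totp_relayed_after_2min": relay_totp_attack(idp, victim, now, relay_delay=120.0),
        "passkey_relayed": relay_passkey_attack(idp, victim, phish),
        "passkey_real_origin": idp.login_passkey(
            victim.username, victim.sign_passkey(idp.origin, os.urandom(32))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two outcomes worth noticing are the middle ones. A stale code fails, which is why the campaign needed a bot rather than a batch dump: the relay had to beat the server's drift window. The relayed passkey assertion fails for a different reason: the browser, not the page, supplies the origin that gets signed, so a credential captured on the look-alike domain can never verify at the real one. That origin binding, not the second factor as such, is what "phishing-resistant MFA" refers to.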
This entry was posted on Wednesday, 24th of September 2025, 07:48 AM.
Nice article Krebs

seems next winamp or sonique skin is playing better, feel our trauma winnings

very rich now

now losing bucks near your phone

Potential new members of DOGE? Maybe they'll be tougher than "Big Balls" and not get beat up by a 15 year old girl.

you mean the ransomed people that Doge ousted, the judges just reinstated?

awesome job lsat losers

let us all discuss what Krebs' pillow deserves

that's right lesha, he told you we shouldn't do that

fifteen year old girl which was apparently an over 18 year old leading every school of fish to a world of no utensils seemed aboot as fine now as then I guess

And you believed that? Hmm, are you interested in purchasing a bridge?

bridge hope shut down and left in 2015 c0mrade

Krebs u begged for like $200 on a tele chat, ur exact words: "nigga just give me like $200 to not publish information". Shame on you.

Hrm. That doesn't really sound like me. You do realize that at any given time there are about 10-15 cybercriminals using my name?

Wasn't there a dark market named after you at some point?

domo kun where is walking sim ukrainian sim card parent now

It strikes me that walking sim Ukrainian SIM card parents keep thinking I am the that and not the fuckers following people around with creepy posts all over the place

i am gonna open one called paper cup market, maybe it'll be in time for my vine finale by fiona in 2016

I remember a carding shop named after Krebs for a long time

There's a strong connection between these guys and extorting/blackmailing people including seniors and young girls. I'm 100% sure this will be considered in their legal proceedings and they will definitely not be given an extremely light sentence and claim they really are autistic.
Have faith in the justice system, it worked so great for Arion after all.

Also Mr. Jubair apparently has even deeper history pre-Com:
httpsxcomsoftfoxladstatus1692016287319208363
httpsxcomsoftfoxladstatus1968720051294335098

What can be done about these people? The UK courts are notoriously lenient to all crime, not just cyber crime; this pair will just get a puny sentence and fine and be back on the job in no time at all. Depressing.

Bloomberg's poignant story has a paywall

archive.today is your friend bob

https://archive.ph/4UmRn

seems like the next food us maureens need isn't coming

"The complaint states that a cryptocurrency wallet discovered on that server was used to purchase several gift cards, one of which was used at a food delivery company to send food to his apartment. Another gift card purchased with cryptocurrency from the same server was allegedly used to fund online gaming accounts under Jubair's name."

It's hard being a scumbag. Discipline required.

youtubecomwatchvA3gaXX6u2I

How do we find the com cast documentary?

just turn your tv on and given an appropriate amount of time and depending on your location it'll come to you

Kill them now. What are the addresses of the prisons? A contract can be drawn for them. Where do their parents live? Kill them now. Decapitate them. Now. Do it.

add darkmode brian

yeah noone needs self-referencing functions

you posted a minor's personal info once again krebs, the girl was underage in the picture gang

Don't let looks fool you. Jubair isn't actually a female.

Hats off to you Krebs, because this is the best article you've ever made. Incredible amount of research and thoroughness. Good job.

Why did you censor the image with Jubair and the girl? Is that his girlfriend?

He doesn't look at all like the court artist rendering. I guess they were busy trying to find some more Matts for their wordle.

I'm reading the indictment right now and it looks like he was caught because the FBI had full access to his Windows VPS. When they refer to Server1 and Server2 in the indictment, they are referring to a Windows VPS. That's how they were able to seize $3.6 million USD from him. And that's where he conducted all of his hacking activity from. Using the Windows VPS.

So somewhere along the way the true IP address of his Windows VPS slipped. The FBI then contacted the VPS provider asking for full access, and then the FBI had full oversight over everything he was doing on the VPS. That includes all of his Telegram chats, accounts and Bitcoin wallets he was using on the VPS. That includes seeing literally everything he was doing, 24/7, logged and monitored by the FBI since 2022 all the way up until 2024. They were able to seize the $3.6 million in Bitcoin by literally just recording him typing his password in his Bitcoin wallet. Then when he closed his computer or logged off, they just withdrew it.

Now I have 2 questions:

1. Why in the world would you hold $3.6 million USD in a remote controlled VPS? And then use that same wallet to buy ubereats gift cards?

2. Why would you do all of your hacks on a VPS? That seems like the dumbest trend ever. Not only is everything logged, but also even if it wasn't logged, it's impossible to avoid the real VPS IP slipping over a long enough period of time, either due to a reboot or simply human error/mistakes. Not to mention the VPS owner can see what you're doing at all times. That's the equivalent of going to a public library and hacking from their computer.

Yo Brian

Who named this group?

nigga means a male according to the girl who testified under oath she was Trayvon Martin's girlfriend.

This is dialog with Piers Morgan after her testimony:

RJ: The whole world say it's a racist word. Mind you, mind you, around 2000 that was not. They changed it around, started spelling N-I-G-G-A. Nigga.
PM: What does that mean to you, that, that way of spelling it? What does that word mean to you?
RJ: That mean a male.
PM: A black male?
RJ: No, any kind of male.
PM: Black or white?
RJ: Bla... any kind. Chinese could say nigga. That's my chino nigga. They could say that.

Meth does go stale, yes

lol I bet you say that to all the default files in your linux boot

There are no default files in my linux boot, check your ass

https://tails.net

Heads I win, tails you on meth

How the fuck do you go from playing Roblox/Minecraft to serious cybercrime? I don't get it

If you don't know they were always one and the same, you have a pretty rude awakening coming to you when your ransom arrives

They're one and the same and they always were

Where can I find The Com Cast?
