How Did a Food Delivery Order Help Police Track Down Hackers in a $115 Million Case?
Police in the United Kingdom have arrested two young men. These men are thought to be part of a hacking group known as Scattered Spider. This group has become famous for its clever and damaging cyberattacks all over the world. The arrests mark a significant moment in the fight against a new kind of cybercrime, one that relies more on tricking people than on breaking complex code. The two individuals, barely out of their teens, now face serious charges in both the UK and the United States, connecting them to a massive string of digital intrusions that caused huge financial losses for many companies.
This case is not just about a few arrests. It shines a light on how young, tech-savvy individuals can cause widespread disruption from their bedrooms. It also shows how international police forces are working together to track these groups down, following digital and financial clues across continents. Understanding this story is important for everyone, as the methods used by Scattered Spider target the human element of security, a vulnerability we all share.
The UK Charges: An Attack on London’s Transport
On September 16, 2025, police officers from the UK’s National Crime Agency (NCA) and the City of London Police made two key arrests. At their homes, they took into custody 19-year-old Thalha Jubair from East London and 18-year-old Owen Flowers from the West Midlands. These arrests were the result of a careful investigation into a cyberattack that hit Transport for London (TfL), the body that runs London’s public transport system.
The attack on TfL happened on August 31, 2024. Investigators believe members of Scattered Spider broke into TfL’s computer network. Following the arrests, both Jubair and Flowers were formally charged in a London court on September 18. The main charges relate to their alleged plan to commit illegal acts against TfL’s systems, a crime under the UK’s Computer Misuse Act.
Owen Flowers faces additional charges. Authorities first arrested him back on September 6, 2024, in connection with the TfL incident. During that time, officers found evidence that suggested he was also involved in crimes against healthcare companies in the United States. He is now officially charged with plotting to break into and damage the networks of two American healthcare providers, SSM Health Care Corporation and Sutter Health.
Thalha Jubair faces an extra charge as well. When he was arrested, police seized his electronic devices. He is accused of refusing to provide the passwords or PINs for these devices, which is a crime under UK law. Both men were denied bail and are being held in custody. Their next court appearance is scheduled for October 16, 2025, at a higher court in London.
The US Indictment: A $115 Million Extortion Scheme
While the UK charges are serious, the accusations from the United States paint an even bigger picture of criminal activity. On the same day as the London court hearing, the U.S. Department of Justice unsealed a major criminal complaint against Thalha Jubair. Filed in a New Jersey court, the complaint accuses him of being a key player in a massive international hacking operation.
The US charges against Jubair are extensive and include:
- Conspiracy to commit computer fraud: Working with others to illegally access computer networks.
- Conspiracy to commit wire fraud: Using electronic communications, like the internet, to carry out fraudulent schemes.
- Conspiracy to commit money laundering: Hiding the source of illegally obtained money.
According to the indictment, Jubair and his partners were involved in hacking at least 120 computer networks. These attacks targeted at least 47 companies based in the United States. The group would steal sensitive information, lock up the company’s data, and then demand a ransom payment to return it. The total amount extorted from these victims is believed to be more than $115 million. Jubair is accused of laundering this money with his accomplices.
The complaint provides details on Jubair’s alleged activities from May 2022 to September 2025. It claims he used several online aliases, including “EarthtoStar,” “Brad,” “Austin,” and “@autistic.” If a company paid the ransom, the hackers would provide the keys to unlock the data and promise not to leak the stolen information.
The Hackers’ Method: People, Not Code
One of the most interesting parts of this case is how Scattered Spider operated. They were not elite coders who found secret backdoors in software. Instead, they were masters of social engineering. This is the art of manipulating people into giving up confidential information. Their main tools were persuasion and deception, not complex programming.
The group was known for several tactics:
- Phishing: Sending fake emails or messages that look real to trick someone into clicking a bad link or revealing a password.
- SIM Swapping: Tricking a mobile phone provider into transferring a victim’s phone number to a SIM card controlled by the hacker. This allows them to intercept security codes sent via text message.
A clear example of their method is detailed in the US complaint. Around January 8, 2025, the group allegedly targeted the computer network of the U.S. court system. They did not use a fancy hacking tool. Instead, they simply called the IT help desk. They convinced an employee to reset a user’s password, giving them access. Once inside, they took over more accounts and stole data, including the names and phone numbers of court employees. They even accessed the email account of a federal judge and searched for terms related to their own group. This shows a bold and direct approach, relying on human trust and error.
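A defender's view of the help-desk reset described above, as an added example that is not part of the original article: it flags a sign-in from a never-before-seen IP shortly after a help-desk password reset, and then the same IP appearing on other accounts. The event schema, field names, one-hour window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; the schema is hypothetical, not from any real product.
EVENTS = [
    {"ts": "2025-03-05T10:05:00", "type": "login", "user": "mlee", "ip": "10.1.9.12"},
    {"ts": "2025-03-06T09:02:00", "type": "login", "user": "jdoe", "ip": "10.1.4.20"},
    {"ts": "2025-03-07T08:55:00", "type": "login", "user": "asmith", "ip": "10.1.7.31"},
    {"ts": "2025-03-08T14:10:00", "type": "helpdesk_reset", "user": "jdoe"},
    {"ts": "2025-03-08T14:16:00", "type": "login", "user": "jdoe", "ip": "203.0.113.50"},
    {"ts": "2025-03-08T15:40:00", "type": "login", "user": "asmith", "ip": "203.0.113.50"},
    {"ts": "2025-03-09T10:00:00", "type": "helpdesk_reset", "user": "mlee"},
    {"ts": "2025-03-09T10:05:00", "type": "login", "user": "mlee", "ip": "10.1.9.12"},
]

def detect(events, window=timedelta(hours=1)):
    """Return alerts as (rule, user, ip) tuples, in event order."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO 8601 strings sort by time
    known = {}        # user -> IPs already seen for that user
    resets = {}       # user -> time of the latest help-desk reset
    suspect_ips = {}  # ip -> user whose reset first made the IP suspicious
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "helpdesk_reset":
            resets[user] = ts
            continue
        ip = e["ip"]
        seen = known.setdefault(user, set())
        if ip not in seen:
            reset_ts = resets.get(user)
            if reset_ts is not None and ts - reset_ts <= window:
                # New source right after a reset: the help desk may have been deceived.
                alerts.append(("reset_then_new_ip", user, ip))
                suspect_ips[ip] = user
            elif ip in suspect_ips:
                # The same source now shows up on an account that had no reset.
                alerts.append(("spread_from_suspect_ip", user, ip))
        seen.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The reset for `mlee` raises no alert because the following sign-in comes from an address already seen for that user.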
Following the Digital Breadcrumbs
Catching cybercriminals is difficult, but not impossible. This case shows how investigators can follow a digital money trail. The hackers demanded ransom in cryptocurrency, which can be hard to trace. However, they made mistakes that led police right to their door.
Investigators found that parts of the ransom money, from at least five different victims, were sent to crypto wallets on a server controlled by Jubair. In July 2024, law enforcement agencies seized this server. At the time, it held about $36 million worth of cryptocurrency. As this was happening, Jubair allegedly tried to move about $8.4 million of the stolen funds to a different, secret wallet.
The final clues were surprisingly simple. Some of the stolen crypto funds were used to buy gaming vouchers. These vouchers were linked to an online account registered in Thalha Jubair’s name. Even more directly, other funds were used to buy vouchers for a food delivery service. These vouchers were then used to order food to the very apartment complex where Jubair lived. These small, everyday purchases created a direct link between the vast, anonymous world of cryptocurrency and a physical address, ultimately leading to his arrest. This part of the story highlights the close cooperation between the FBI in the US and the NCA in the UK, who shared information to connect all the dots.