Full Report
Researchers said Thalha Jubair was a principal operator, leading or directing many attacks attributed to the hacker subset of The Com since 2022. The post "Teen arrested in UK was a core figure in Scattered Spider's operations" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Scattered Spider (Associated with The Com)
## Attribution & Identity
The core figure discussed is **Thalha Jubair**, a 19-year-old U.K. national arrested in London who was a principal operator directing attacks attributed to Scattered Spider since 2022.
**Known Aliases:** "EarthtoStar," "Brad," "Austin," "Everylynn," and "@autistic."
**Associated Groups:** Scattered Spider, described as a hacker subset of the larger collective, **The Com**. Jubair was one of the two most central figures associated with Scattered Spider.
## Activity Summary
Jubair was involved in at least 120 cyberattacks, including extortion against 47 U.S.-based organizations. One notable incident is the January attack on the U.S. federal court system. The group is known for sweeping extortion schemes. Authorities traced at least $89.5 million in cryptocurrency payments to wallets controlled by Jubair. Two financial services firms paid him $25 million and $36.2 million, respectively, between June and November 2023.
## Tactics, Techniques & Procedures
- Extortion/Ransom demands.
- The overall evolution of attacks is consistent with the scaling tactics ascribed to Scattered Spider.
- **Operational Security (OpSec):** Jubair was described as "extremely careful," using an **amnesic operating system** (one designed to discard all traces of user activity on shutdown) and **Virtual Private Networks (VPNs)**.
- Investigators used **blockchain analysis** to trace cryptocurrency transactions from wallets on servers Jubair controlled to subsequent gift card purchases linked to his residence and gaming activity.
## Targeting
- **Sectors:** Manufacturing, entertainment, retail, aviation, insurance, finance, business process and customer service outsourcing, construction, hospitality, technology, telecommunications, and multiple forms of critical infrastructure.
- **Geography:** Attacks frequently targeted **U.S.-based organizations**. The core actor was arrested in the **U.K. (London)**.
- **Victims:** At least 47 U.S.-based organizations, as well as the **U.S. federal court system**. Specific victims mentioned publicly include two unnamed financial services firms.
## Tools & Infrastructure
- **Malware families used:** Not explicitly detailed in the text.
- **Infrastructure (C2, domains, IPs):** The article mentions that analysis traced activity to **Bitcoin addresses and servers** controlled by Jubair. No specific C2 domains or IPs were listed.
## Implications
The arrest of Jubair marks a significant breakthrough in identifying and charging key figures behind the prolific Scattered Spider extortion activities. His central role highlights the scale of funds the group accumulated ($115 million in total known ransom payments across victims). His identification also illustrates how difficult it is for actors to stay anonymous even when using careful OpSec measures, since financial flows can still be traced back to real-world activity.
## Mitigations
- Invest in **blockchain analysis and law enforcement coordination** to trace financial proceeds and link online activity to real-world identities (as demonstrated by the trace from controlled wallets to gift card purchases).
- Implement robust network and endpoint monitoring to detect indicators associated with common ransomware and extortion operations, since these remain detectable on the victim side even when the actors' own traffic is hidden behind VPNs and amnesic operating systems.