Full Report
One suspect faces separate charges in the United States linking him to at least 120 cyberattacks. Source: "UK arrests two teens accused of heavy involvement in yearslong Scattered Spider attack spree," originally published on CyberScoop.
Analysis Summary
# Threat Actor: Scattered Spider (Associated with The Com)
## Attribution & Identity
* **Primary Group Association:** Scattered Spider, described as a nebulous offshoot of the larger criminal collective known as **The Com**.
* **Identified Suspects (Arrested in the UK):** Thalha Jubair (19, London) and Owen Flowers (18, Walsall, England).
* **Known Aliases (Thalha Jubair):** "EarthtoStar," "Brad," "Austin," and "@autistic."
## Activity Summary
Scattered Spider is involved in widespread ransomware and data extortion activities. The article details the arrest of two key individuals linked to numerous high-profile cyberattacks, including:
* An extortion scheme spanning May 2022 to September 2025, involving at least 120 cyberattacks against U.S. organizations, 47 of which are specifically identified.
* Attacks on critical infrastructure, including a U.S.-based critical infrastructure company (October 2024) and the federal court system (January 2025).
* The cyberattack on **Transport for London (TfL)** in September 2024 (both suspects charged in relation to this).
* Attacks targeting U.S.-based health care companies **SSM Health Care Corp.** and **Sutter Health** in 2023 (Flowers specifically).
* Total ransom payments demanded/received from victims amounted to at least $115 million.
## Tactics, Techniques & Procedures
* **Initial Access:** Social engineering to break into victim networks.
* **Actions on Objectives:** Data theft and encryption (ransomware deployment).
* **Financial:** Ransom payment collection and subsequent money laundering activities (including cryptocurrency transfers).
* *No specific MITRE ATT&CK IDs were provided in the source text.*
## Targeting
* **Sectors:** Critical infrastructure, federal court system, and health care.
* **Geography:** Global activities, with a specific focus on **U.S.-based** organizations (at least 120 attacks). Arrests took place in the **United Kingdom**.
* **Victims:** Transport for London (TfL), SSM Health Care Corp., Sutter Health, and unnamed U.S. critical infrastructure companies and federal courts.
## Tools & Infrastructure
* **Malware Families Used:** Ransomware (implied via "data extortion" and "encrypted data").
* **Infrastructure:** Cryptocurrency wallets were used for receiving ransom payments. Authorities seized cryptocurrency worth approximately **$36 million** from a server allegedly controlled by Jubair.
## Implications
The arrests highlight the international reach of law enforcement in dismantling sophisticated cybercriminal networks like The Com and its offshoots. The scale of operations (120 attacks, $115M in ransoms) indicates high operational capability and a consistent targeting strategy focused on disruption and financial gain across sensitive sectors. Law enforcement is emphasizing that actors, regardless of age or location, will be pursued.
## Mitigations
* Robust anti-social engineering defenses to prevent initial network intrusion.
* Strong data backup and recovery protocols to mitigate ransomware impact.
* Enhanced cryptocurrency tracing and seizure operations targeting actor infrastructure (as demonstrated by the seizure of $36 million).
* Continuous monitoring and investigation across international boundaries (per the FBI statement on pursuing actors who attack American companies).