Red Hot Cyber


Cryptocurrencies, ransomware, and hamburgers: the fatal combo for Scattered Spider

Redazione RHC: 25 September 2025 11:02

The U.S. Department of Justice and British police have charged Talha Jubair, 19, a resident of East London, who investigators believe is a key member of Scattered Spider, a group responsible for a series of extortion attacks targeting major businesses and government agencies.

According to the case documents, from May 2022 to September of this year the attackers carried out at least 120 intrusions affecting 47 organizations in the United States, and total payments exceeded $115 million. A parallel case in London concerns the August 2024 attack on Transport for London, in which 18-year-old Owen Flowers was involved alongside Jubair.

The key to identifying the suspect was a series of technical coincidences. Investigators traced transfers from the addresses to which ransom payments were sent to a server they believe was controlled by Jubair.

This server hosted cryptocurrency wallets used to purchase gambling gift cards and food delivery cards; orders were delivered to his apartment complex, and one of the gift certificates was linked to a gaming profile containing details of the apartment. During the raid, agents seized approximately $36 million in cryptocurrency; significant sums had previously been withdrawn from these addresses.

Jubair is credited with a long history of cyberattacks. According to the investigation, in 2021-2022 he was part of LAPSUS$, operating under the usernames Amtrak and Asyntax, and earlier as Everlynn, an alias associated with selling fake emergency data requests made in the name of law enforcement. Internal conflicts within LAPSUS$ led to the leak of his real identity data in public Telegram chats.

Since 2022, a person known as EarthtoStar has co-managed the Star Chat channel, an active SIM swapping platform. The group systematically conducted phishing attacks against telecom operators, most often T-Mobile, gaining access to internal tools and selling call forwarding and email account reset services.

That summer, the attackers used fake Okta pages and Telegram bots to relay two-factor authentication codes in real time in order to compromise employees at hundreds of companies, resulting in incidents at LastPass, DoorDash, Mailchimp, Plex, and Signal.

Traces of activity also point to the Exploit forum, where the RocketAce and Lopiu accounts advertised access to US telecommunications networks, phishing kits, malicious downloaders, and even Extended Validation certificates. In late 2022 and early 2023, a series of "IRL services" emerged in the English-speaking "Com" community, involving physical pressure on targets, including offers of robbery; this activity is also attributed to EarthtoStar. At the same time, under the username Brad or Brad_banned, he promoted the development of kernel-level malware with persistence, a reverse shell, and the alleged ability to bypass corporate security measures.

In September 2023, following the attacks on MGM Resorts and Caesars Entertainment, the group claimed responsibility. Access was gained through social engineering of contractors. Caesars, according to media reports, paid a $15 million ransom, while at MGM the outage resulted in extended downtime. In the spring of 2025, an anonymous report from "Com Cast" linked Jubair to new aliases: Clark, Miku, and Operator. The latter was credited with hijacking the Doxbin resource and launching an automated doxxing service.

Documents from the U.S. Department of Justice specifically describe a cyberattack on the infrastructure of a federal courthouse in January 2025: working through the technical support desk, the attackers forced password resets, gained access to two further accounts, and stole employees' personal data. One of the compromised email accounts was then used to demand that a financial institution urgently release customer data.

In other incidents, ranging from manufacturing and entertainment companies to retail, financial, and critical infrastructure firms, the same scenario was repeated: deception of support staff, password changes, exfiltration, sometimes encryption, and then bargaining over decryption or a promise not to publish the stolen data. In five cases, victims sent at least $89.5 million in BTC, with the largest payments coming from banks.

Telegram blocked Star Chat in March 2025, but according to investigators, operations continued until September. Some incidents resemble the Flowers case, as does the investigation against Noah Urban, who has already received a 10-year prison sentence in the United States. Analysts note that the involvement of minors in "Com" creates legal loopholes and delays prosecutions, but concerted efforts by government agencies and companies on both sides of the Atlantic are gradually depriving Scattered Spider of its base of operations.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
