Prosecutors say the group's victims paid at least $115 million in ransom payments.
Guilty pleas in London: Owen Flowers and Thalha Jubair
Two young men pleaded guilty in a London courtroom this week to charges arising from an August 2024 cyberattack that crippled Transport for London, the public-transport authority for the Greater London area. Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. Their admissions came on day one of what had been expected to be a six-week trial.
Allegations tied to U.S. targets and wider Scattered Spider operations
The London pleas fit into a cross-border pattern of allegations against members of the group known as Scattered Spider. According to reporting from the BBC and U.S. prosecutors cited in filings unsealed in September 2025, New Jersey prosecutors allege that Jubair and other Scattered Spider members carried out 120 computer network intrusions affecting 47 U.S. entities between May 2022 and September 2025. That indictment asserts victims paid at least $115 million in ransom payments.
Flowers alone admitted involvement in a separate conspiracy to hack into U.S.-based healthcare providers SSM Health Care Corporation and Sutter Health in September 2024. Jubair is also wanted by U.S. law enforcement agencies, according to the public record cited in reporting.
SIM swapping and Star Chat: the alleged mechanics of credential theft
U.S. prosecutors describe Jubair as a co-runner of a bustling Telegram channel called Star Chat, identified as the home of a SIM-swapping group. The channel reportedly sold a service that, after gaining access to internal wireless-provider employee tools, could redirect a target’s phone number to a device controlled by the attackers and intercept calls and texts, including one-time multi-factor authentication codes. Reporting includes a receipt from Star Fraud Chat’s SIM-swapping service targeting a T-Mobile customer after the group gained access to internal T-Mobile employee tools. Prosecutors say one of Jubair’s hacker handles was “Rocket Ace.”
New Jersey prosecutors also attribute to Jubair involvement in a mass SMS-phishing campaign in summer 2022 that stole single sign-on credentials from employees at hundreds of companies. That campaign allegedly led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.
Related arrests, guilty pleas and sentences across jurisdictions
Flowers and Jubair’s pleas are one node in a broader series of criminal actions tied to alleged Scattered Spider activity. In July 2025, KrebsOnSecurity reported that both men were arrested in the U.K. in connection with ransom attacks against retailers Marks & Spencer, Harrods and the Co-op Group. Multiple sources familiar with those investigations told reporters that Flowers was the Scattered Spider member who anonymously gave interviews after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.
Other members have pleaded guilty or been sentenced in U.S. cases. In April 2026, 24-year-old British national Tyler “Tylerb” Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft for participating in the group’s summer 2022 SMS-phishing spree; prosecutors allege Buchanan, Jubair and others used harvested credentials to steal at least $8 million in cryptocurrency from U.S. victims. Buchanan is scheduled to be sentenced on October 2, 2026. In August 2025, Noah Michael Urban, a 20-year-old Scattered Spider member from Florida, was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution after pleading guilty to wire fraud and conspiracy.
The Department of Justice also says three alleged Scattered Spider defendants indicted along with Buchanan still face charges: Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina.
How British and U.S. prosecutors are proceeding
The parallel activity in London courts and U.S. indictments demonstrates coordinated legal pressure on alleged Scattered Spider operators. Jubair’s being wanted by U.S. law enforcement and the unsealing of the New Jersey indictment indicate U.S. prosecutors are pursuing charges tied to a multi-year series of intrusions and alleged frauds. In the U.K., Flowers and Jubair’s guilty pleas truncate an anticipated six-week trial and move the cases toward sentencing: both men are slated to be sentenced in London on July 15, 2026.
The guilty pleas in London and the litany of U.S. filings together make clear this is not a single incident but a set of overlapping criminal allegations spanning SIM swapping, phishing, ransomware and large-scale intrusions across healthcare, retail and other sectors. Sentencing in July and scheduled hearings through the fall will be the next formal milestones in a complex, multinational prosecution.
