When the court opened on July 4, 2026, the judge read that the defendants faced charges tied to 120 network intrusions and a ransomware haul of $115 million. That’s the backdrop for the first day of what prosecutors called a six‑week trial against two of the most visible faces of the Scattered Spider gang.
Key Takeaways
- Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty to hacking Transport for London in August 2024.
- Their admissions come amid a broader indictment covering 120 intrusions affecting 47 U.S. entities.
- Victims paid at least $115 million in ransom, according to New Jersey prosecutors.
- Jubair ran a Telegram channel called Star Chat that offered SIM‑swapping services to other cybercriminals.
- The case highlights how ransomware groups monetize stolen credentials through phone‑number hijacking.
Scattered Spider trial kicks off with guilty pleas
British authorities said Flowers and Jubair admitted conspiring to commit unauthorized acts against Transport for London’s computer systems and causing risk of serious damage to human welfare. The two were each photographed in court – Flowers on the left, a teen from Walsall, and Jubair, a 20‑year‑old from East London – and both entered pleas that matched the evidence prosecutors had amassed over the past two years.
According to the BBC, Flowers also confessed to being part of a conspiracy that targeted U.S. health‑care providers SSM Health Care Corporation and Sutter Health in September 2024. That admission ties the London‑based attack to a broader, trans‑Atlantic campaign that the U.K. police have been tracking since mid‑2024.
Jubair, meanwhile, remains wanted by U.S. law enforcement. The New Jersey indictment, unsealed in September 2025, says he and other Scattered Spider members carried out computer fraud, wire fraud, and money‑laundering schemes that spanned from May 2022 through September 2025.
The wider Scattered Spider crime spree
Prosecutors outlined a staggering pattern: 120 separate computer network intrusions that touched 47 U.S. entities, from hospitals to retailers. Those victims collectively shelled out at least $115 million in ransom payments, a sum that underscores how ransomware has become a cash‑flow engine for organized cybercrime.
In July 2025, Krebs on Security reported that Flowers and Jubair were arrested in the United Kingdom in connection with ransom attacks against Marks & Spencer, Harrods, and the Co‑op Group. The same reporting noted that Flowers was the individual who anonymously fielded media questions after the group’s September 2023 ransomware attacks crippled MGM Resorts and Caesars Entertainment casinos in Las Vegas.
Those high‑profile hits were just the tip of an iceberg that also included a wave of SIM‑swapping operations run out of a Telegram channel called Star Chat. Prosecutors say Jubair co‑ran that channel, turning stolen voice and SMS credentials into a service that could reroute a victim’s phone number to a device under the attackers’ control, thereby intercepting calls, texts, and even one‑time MFA codes.
Inside the Star Chat operation
Star Chat’s market was built on a simple premise: if you can hijack a phone number, you can bypass many two‑factor authentication schemes that rely on SMS. The group sold access to internal tools of major wireless providers in both the U.S. and the U.K., then used that foothold to redirect victims’ calls and texts. A receipt from the service shows a T‑Mobile customer whose number was rerouted after the attackers gained entry to internal employee tools.
One of Jubair’s hacker handles, “Rocket Ace”, appeared in court documents, linking him directly to the SIM‑swapping business. New Jersey prosecutors also allege he helped orchestrate a massive SMS phishing campaign in the summer of 2022 that stole single‑sign‑on credentials from employees at hundreds of companies.
That weeks‑long campaign led to intrusions and data theft at more than 130 organizations, including LastPass, DoorDash, Mailchimp, and Plex. The scale of that breach shows how a single phishing vector can cascade across a supply chain of services that rely on shared credentials.
Legal and operational fallout
The guilty pleas mark a rare moment where cybercriminals are forced to face the consequences of a coordinated, cross‑border ransomware operation. The British court’s decision to proceed with a six‑week trial reflects the seriousness with which authorities are treating the damage to public transport infrastructure – a sector that, until now, has often been under‑protected against sophisticated extortion.
For developers and security teams, the case underscores a growing need to harden not just web applications but also the telecom supply chain. If an attacker can infiltrate a carrier’s internal tools, they can essentially rewrite the authentication flow for any user who relies on SMS‑based MFA.
That reality should push organisations to consider alternative authentication methods, such as hardware security keys or push‑based approvals, especially for privileged accounts that could be used to pivot into critical infrastructure.
What This Means For You
If you’re building a SaaS platform that relies on SMS for user verification, you’ll want to audit every integration with telecom providers. Look for any hard‑coded API keys, and make sure you rotate secrets regularly. Also, monitor for anomalous routing changes that could indicate a number‑hijack in progress.
For security engineers, the Star Chat operation is a reminder to treat phone‑number ownership as a privileged asset. That means logging every request to carrier APIs, implementing rate limits, and setting up alerts for any outbound SMS that deviates from normal patterns. In short, you can’t afford to assume the carrier’s network is a black box you don’t need to protect.
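One way to act on the routing-change monitoring described above is to gate every SMS one-time code on the number's recent routing history. The sketch below is an added example, not code from the article or from any carrier: the event feed, its field names, the event kinds and the 72-hour window are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names and event kinds are hypothetical.
ROUTING_EVENTS = [
    {"ts": "2026-07-01T09:00:00", "number": "+15550100", "kind": "sim_change"},
    {"ts": "2026-06-01T12:00:00", "number": "+15550101", "kind": "port_out"},
]
OTP_REQUESTS = [
    {"ts": "2026-07-01T09:20:00", "user": "admin-a", "number": "+15550100", "privileged": True},
    {"ts": "2026-07-01T10:00:00", "user": "user-b", "number": "+15550101", "privileged": False},
    {"ts": "2026-07-01T10:05:00", "user": "admin-c", "number": "+15550102", "privileged": True},
    {"ts": "2026-07-03T08:00:00", "user": "user-d", "number": "+15550100", "privileged": False},
]
COOLDOWN = timedelta(hours=72)  # assumed policy window, tune to your risk appetite


def last_change(number, before, events):
    """Most recent routing-change time for `number` at or before `before`, else None."""
    times = [datetime.fromisoformat(e["ts"]) for e in events if e["number"] == number]
    times = [t for t in times if t <= before]
    return max(times, default=None)


def decide(req, events, cooldown=COOLDOWN):
    """Return 'send_sms', 'step_up' (require a non-SMS factor) or 'block'."""
    now = datetime.fromisoformat(req["ts"])
    changed = last_change(req["number"], now, events)
    recent = changed is not None and now - changed <= cooldown
    if recent and req["privileged"]:
        return "block"      # possible hijack window on a high-value account: alert
    if recent or req["privileged"]:
        return "step_up"    # SMS alone is not trusted for this request
    return "send_sms"


def audit(requests, events):
    """Record every decision so each OTP send is traceable afterwards."""
    return [(r["user"], decide(r, events)) for r in requests]


if __name__ == "__main__":
    for user, action in audit(OTP_REQUESTS, ROUTING_EVENTS):
        print(f"{user}: {action}")
```

Privileged accounts never receive an SMS-only code in this policy, which matches the recommendation to move them to hardware keys or push approvals.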
Developers who embed third‑party authentication services should also review the provider’s incident‑response track record. If a carrier suffers a breach, the downstream applications that depend on its SMS service could be exposed without warning.
And for anyone who still uses SMS as the sole factor for privileged access, the message is clear: you’re playing with fire, and the Scattered Spider trial just proved that cybercriminals have a ready‑made match.
Historical Context
Ransomware first entered mainstream headlines when a handful of high‑profile attacks disrupted hospitals and municipal services in the early 2020s. Those incidents demonstrated how quickly a single encryption demand could cripple an entire organization. Over the next few years, criminal groups refined their playbooks, adding credential theft and extortion tactics to the basic lock‑and‑pay model.
SIM‑swapping, meanwhile, emerged as a low‑cost way to hijack accounts that depended on SMS for verification. Early reports described attackers calling carrier support lines, impersonating customers, and convincing operators to reroute numbers. By the time Scattered Spider entered the scene, the technique had matured into a commercial service offered on encrypted messaging platforms.
The September 2023 attacks on MGM Resorts and Caesars Entertainment illustrated how ransomware operators could blend traditional encryption demands with a parallel campaign to steal authentication credentials. Those incidents forced many enterprises to re‑evaluate their reliance on SMS as the only second factor.
Transport for London’s August 2024 breach showed that public‑sector bodies were not immune. The city’s transit authority had long advertised a secure ticketing system, yet the intrusion exposed how even well‑funded agencies could fall prey to a coordinated intrusion that used both network exploits and telecom fraud.
Technical Architecture of the Attack
At a high level, the operation began with a foothold inside a telecom provider’s internal network. Attackers used stolen employee credentials to access configuration tools that govern number routing. Once inside, they altered the destination for targeted phone numbers, pointing calls and texts to devices under their control.
With the victim’s SMS channel under their command, the criminals could intercept one‑time passwords sent by banks, cloud services, and corporate VPNs. Those intercepted codes unlocked privileged accounts, which in turn allowed the ransomware payloads to be deployed across internal systems.
Ransomware encryption was the final stage. After encrypting files, the attackers left a payment note demanding cash in exchange for the decryption key. The note referenced the same phone number that had been hijacked, creating a loop that forced victims to use the compromised channel to negotiate.
Investigators traced the chain of events by correlating logs from telecom APIs, network intrusion alerts, and ransom payment records. The overlapping evidence painted a picture of a single adversary group that coordinated every step—from number hijack to data encryption—under a unified command structure.
Key Questions Remaining
- Will courts treat the manipulation of telecom infrastructure as a distinct cyber‑crime category, separate from traditional ransomware charges?
- How will insurers adjust premiums for enterprises that depend heavily on SMS‑based authentication after this trial?
- What steps will regulators take to mandate stronger safeguards around carrier employee access and API key management?
- Can the industry develop a rapid‑response framework that shares compromise indicators across telecoms, reducing the window for number‑hijack attacks?
- Will the prosecution of Flowers and Jubair deter other young hackers from joining organized ransomware groups, or will it simply shift the recruitment tactics of those groups?
Looking ahead
Will the prosecution of Flowers and Jubair set a precedent that deters future ransomware gangs from targeting telecom ecosystems? The answer will probably hinge on how the courts balance the technical complexity of SIM‑swapping with the real‑world impact on users’ digital lives. One thing’s for sure – the Scattered Spider trial is turning the spotlight on a facet of cybercrime that many organisations have ignored for far too long.
“The evidence shows a sophisticated operation that used both ransomware and telecom fraud to maximize profit,” prosecutors said in the indictment.
As the trial proceeds, developers, founders, and security leaders should keep a close eye on the courtroom drama. The outcomes could reshape compliance requirements, influence insurance premiums, and even drive new regulations around telecom security.
Sources: Krebs on Security, BBC News

