When the Spider's Web Unraveled
This isn't a story about a single, isolated hack. It's about a pattern of relentless, high-impact intrusions by the notorious Scattered Spider hackers that finally led to a reckoning. Flowers, 18, and Jubair, 20, admitted their roles in the August 2024 cyberattack that crippled Transport for London (TfL). That incident alone cost TfL an estimated £29 million ($38.3 million), forced all 28,000 employees to reset passwords, and exposed customer data from the Oyster refunds system.
But TfL was just one target. Flowers also confessed to breaching U.S. healthcare providers SSM Health Care Corporation and Sutter Health in September 2024. Jubair, known by handles like "Rocket Ace" and operating as "Everlynn" at just 15, is wanted by U.S. law enforcement; he was indicted in September 2025 for involvement in 120 network intrusions across 47 U.S. entities between May 2022 and September 2025. Victims of the group paid at least $115 million in ransom.
These pleas, entered on Monday, June 23, 2026, at Woolwich Crown Court, mark a significant moment. It's not just Flowers and Jubair either. Other members, like Tyler "Tylerb" Buchanan, pleaded guilty in April 2026, and Noah Michael Urban was sentenced to 10 years in August 2025. This isn't a one-off arrest; it's a sustained campaign to dismantle a group that has caused massive damage.
How Scattered Spider Hackers Spun Their Web
Scattered Spider wasn't using zero-days or highly sophisticated nation-state tools. Their success came from exploiting human vulnerabilities and supply chain weaknesses, often with alarming simplicity.
Here's how their typical attack chain looked:
- Initial Phishing: They started with voice- and SMS-based phishing attacks. Think about those mass SMS campaigns in summer 2022 that stole single sign-on (SSO) credentials from employees at hundreds of companies. This led to intrusions and data thefts at over 130 organizations, including LastPass, DoorDash, Mailchimp, Plex, and Signal.
- SIM Swapping: This was a key tactic. Jubair, for instance, co-ran a Telegram channel called "Star Chat," which was a SIM-swapping group. They'd trick major wireless providers into redirecting target phone numbers to attacker-controlled devices. This let them intercept calls and text messages, including those critical multi-factor authentication (MFA) codes. Once you have a user's password and can intercept their MFA, you're essentially in.
- Credential Abuse & Lateral Movement: With stolen credentials and bypassed MFA, they'd get into corporate networks. From there, it was about finding valuable data, deploying ransomware, or moving laterally to other systems. The TfL breach, for example, involved accessing the Oyster refunds system and stealing customer data.
- Fraudulent Data Requests: Jubair, as "Everlynn," even sold a service using compromised police and government email addresses to demand subscriber data (like usernames, IP addresses, email addresses) from major tech companies. This shows a willingness to exploit trust at multiple levels.
The evidence seized from Flowers' home, like a laptop with a screenshot showing connectivity to TfL infrastructure and videos of Jubair breaching systems, paints a clear picture. They weren't just talking about it; they were doing it, and leaving digital breadcrumbs.
Beyond the Ransom Demands
The immediate impact of Scattered Spider's activities is clear: millions in ransom payments, operational disruptions, and exposed customer data. TfL alone lost £29 million. The group's victims paid at least $115 million in ransom. That's a staggering amount of money, often coming from healthcare providers and critical infrastructure.
But the impact goes deeper.
- Erosion of Trust: When companies like LastPass or Signal are breached, it shakes user confidence in the security of their most sensitive data.
- Operational Chaos: Forcing 28,000 TfL employees to reset passwords isn't just an inconvenience; it's a massive operational undertaking that diverts resources and causes downtime.
- Youth Involvement: The fact that these are young individuals, some as young as 15 when they started, raises serious questions. The National Crime Agency (NCA) has highlighted this trend, and it's a concern I share. We're seeing bright, technically capable young people getting drawn into high-stakes cybercrime, often with severe consequences like 10-year prison sentences.
The Reddit discussions reflect this. There's relief that these hackers are off the streets, but also a persistent concern about how many more are out there, and how to prevent the next generation from falling into the same trap.
How We're Fighting Back
The day-one guilty pleas aren't just about the individuals; they're proof of increasingly effective law enforcement coordination.
- International Cooperation: The UK's NCA and U.S. law enforcement agencies worked together. Flowers and Jubair were arrested in the UK in July 2025, linked to attacks on British retailers, while Jubair faced a U.S. indictment. This cross-border collaboration is essential when dealing with groups that operate globally. For more details on international efforts against cybercrime, you can refer to the latest NCA cybercrime report.
- Digital Forensics: The evidence seized – screenshots, videos, communication logs from Telegram and shared collaboration platforms – shows that investigators are getting better at tracing digital footprints, even from "loosely organized" groups. It's not enough to just hack; you have to cover your tracks perfectly, and these guys didn't.
- Targeting the Ecosystem: Law enforcement isn't just going after the big names; they're dismantling the support structures, like the "Star Chat" SIM-swapping channel. This makes it harder for new recruits to get started.
For organizations, the message is still the same:
- Strong MFA is Non-Negotiable: Especially phishing-resistant MFA. If your MFA can be SIM-swapped or phished via SMS, it's not strong enough against groups like Scattered Spider.
- Employee Training: Phishing awareness isn't a one-time thing. These groups constantly evolve their social engineering tactics.
- Supply Chain Security: Many of these attacks started by compromising a vendor or a service provider. You need to understand the security posture of your entire digital supply chain.
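
To make the MFA point concrete, here is an added example (not from the original article) that audits an MFA enrollment export and rates each account by its weakest enrolled factor, since a fallback to SMS undoes a security key. The factor labels and the sample accounts are constructed assumptions, not any identity provider's real schema.

```python
# Factor labels are hypothetical; map your identity provider's names onto them.
RISK = {
    "sms": 3, "voice": 3,                    # tied to a phone number: SIM-swappable
    "email_otp": 2, "totp": 2, "push": 2,    # code or approval can be relayed by a phish
    "fido2": 1, "passkey": 1,                # WebAuthn: bound to the site origin
}
LABEL = {3: "sim-swappable", 2: "phishable", 1: "phishing-resistant"}
ORDER = {"no-mfa": 0, "sim-swappable": 1, "phishable": 2}

def weakest_factor(factors):
    """The attacker chooses which factor to go after, so rate the weakest one."""
    unknown = [f for f in factors if f not in RISK]
    if unknown:
        # Fail loudly rather than silently treating an unmapped factor as safe.
        raise ValueError(f"unmapped factor(s): {unknown}")
    if not factors:
        return None, "no-mfa"
    worst = max(factors, key=lambda f: RISK[f])
    return worst, LABEL[RISK[worst]]

def audit(enrollments):
    """Return (user, rating, weakest factor) for every account that is not
    phishing-resistant end to end, most exposed first."""
    findings = []
    for user, factors in enrollments.items():
        worst, label = weakest_factor(factors)
        if label != "phishing-resistant":
            findings.append((user, label, worst))
    return sorted(findings, key=lambda f: (ORDER[f[1]], f[0]))

# Constructed sample export: user -> enrolled factors.
ENROLLMENTS = {
    "alice": ["fido2"],
    "bob": ["fido2", "sms"],      # security key, but SMS left on as a fallback
    "carol": ["totp", "push"],
    "dave": [],
    "erin": ["passkey", "fido2"],
    "frank": ["voice"],
}

if __name__ == "__main__":
    for user, label, worst in audit(ENROLLMENTS):
        print(f"{user:6} {label:14} weakest={worst}")
```

Note that "bob" is flagged even though a security key is enrolled: until the SMS fallback is removed, the account is only as strong as the phone number.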
What This Means for the Future
The swift guilty pleas of Flowers and Jubair are a clear win for law enforcement. It shows that even young, agile, and "loosely organized" groups can be tracked, identified, and brought to justice when enough resources and international cooperation are brought to bear. The overwhelming evidence they faced likely made a trial a losing proposition, leading to the day-one admissions.
This isn't the end of Scattered Spider, as other members are still facing charges, but it's a significant blow. It also serves as a stark warning to others, especially young people, who might be tempted by the allure of easy money in cybercrime. The consequences are real, and law enforcement is getting better at making sure those consequences are delivered. We need to keep pushing for better security practices, but also for better ways to steer young talent away from this path.