Recent arrests in the U.K. mark the latest chapter in an international law enforcement operation to take down Scattered Spider.
The threat group, operational since 2022, was behind major cyber intrusions in recent years, targeting the likes of Cypto.com and Transport for London (TfL).
One of the most notable things about Scattered Spider is the young age of many of its members.
At the time of their arrest in the U.K. last month, Thalha Jubair and Owen Flowers were 18 and 19. Yet, the National Crime Agency has charged them with involvement in an attack on TfL that “caused significant disruption and millions in losses.”
In a complaint filed on Thursday, Sept. 18, the U.S. Department of Justice tied Jubair to at least 120 ransomware incidents involving 47 U.S. entities.
Other members of the international cybercrime group were equally young when they took part in major intrusions.
For instance, Noah Urban, who worked as a “caller” for Scattered Spider, talking his way into secure systems over the telephone, was just 19 when the group targeted Crypto.com, Bloomberg reported on Friday.
With the law enforcement noose closing around Scattered Spider members, new details of their exploits are surfacing.
The Crypto.com data breach wasn’t publicly reported until recently. But on Monday, CEO Kris Marszalek denied covering the incident up.
“Any suggestion that we did not report or disclose a security incident is completely unfounded,” he stated.
Between May 2022 September 2025, Scattered Spider extorted at least $115 from American firms the DoJ complaint against Jubair alleges.
According to Push Security, victims of the hacker collective and associated groups include MoneyGram, Reddit, Coinbase, MailChimp, HubSpot, Cloudflare, and Activision.
Some of the most high-profile incidents include data breaches at the casino operators MGM and Caesars, the latter of which paid a $15 million ransom to prevent Scattered Spider from releasing stolen login credentials.
Scattered Spider relied heavily on third-party ransomware, often sourced from specialized Russian vendors. The group has been observed using ransomware strains such as RansomHub, Qilin, and DragonForce.
These strains are typically distributed through a “ransomware-as-a-service” model, whereby malware developers receive a rental fee or cut of any ransom.