The U.S. Department of Justice has officially unsealed federal charges against Thalha Jubair, a 19-year-old British national accused of orchestrating at least 120 cyberattacks. Prosecutors allege Jubair played a central role in a widespread extortion campaign targeting dozens of U.S. companies and breaching critical systems, including the U.S. Courts network.
Arrest and Connection to TfL Breach
Jubair was taken into custody this Tuesday at his residence in East London. The National Crime Agency (NCA) confirmed he appeared in a London court alongside 18-year-old Owen Flowers. Both individuals are accused of participating in the 2024 cyberattack against Transport for London (TfL), an incident that crippled the city’s transit infrastructure and triggered months of recovery efforts.
Authorities have officially linked the TfL breach to the notorious cybercrime collective known as “Scattered Spider.” This group, often dubbed “advanced persistent teenagers,” is composed of English-speaking hackers known for using social engineering—such as impersonating employees to bypass IT help desks—to infiltrate high-profile corporate networks.
Federal Charges and Financial Extortion
Beyond the UK-based attacks, Jubair faces a separate set of federal charges filed in New Jersey. The indictment includes counts of computer hacking, extortion, and money laundering. Prosecutors claim his activities resulted in victimized companies paying over $115 million in ransom.
According to the FBI’s criminal complaint, a raid on servers allegedly operated by Jubair in July 2024 revealed evidence of 120 targeted companies, 47 of which were based in the United States. Jubair allegedly utilized stolen internal data to encrypt victim servers, holding the information hostage until ransoms were paid.
Infiltration of the U.S. Courts System
The investigation further uncovered that the hackers targeted the U.S. Courts system in January 2025. By manipulating the court’s help desk, the attackers gained access to three user accounts—including one held by a federal magistrate judge—specifically to search for information regarding ongoing investigations into “Scattered Spider.”
The group even used the compromised accounts to submit fraudulent emergency information disclosure requests to financial providers. This tactic, designed to trick firms into handing over user data under the guise of legal process, was reportedly coordinated via the same servers seized by the FBI.
As previously reported by Bloomberg, the motive behind the court breach was to locate the sealed indictment of convicted Scattered Spider member Noah Urban.
Cryptocurrency and Future Proceedings
The FBI’s seizure of Jubair’s infrastructure yielded a cryptocurrency wallet containing approximately $36 million, much of which is believed to be ransom proceeds. Although Jubair reportedly attempted to transfer $8.4 million out of the wallet while federal agents were securing the server, the bulk of the funds remained captured.
Jubair and Flowers remain in custody as legal proceedings continue. The Department of Justice has not yet confirmed whether it will pursue formal extradition for the teenager to face trial on U.S. soil.