Four Scattered Spider Members Charged by UK Authorities in Ransomware Case

• Authorities in the U.K. charged two young individuals for alleged links to the notorious Scattered Spider ransomware gang.
• One of them reportedly played a key role in the MGM attack, the other was linked to the LAPSUS$ extortion group.
• The accused were uncovered following investigations focusing on high-profile data theft and extortion attacks.

Four individuals associated with the Scattered Spider ransomware group have been charged in the U.K. The accused, aged 17 to 20, were apprehended following investigations into high-profile data theft and extortion attacks. 

Authorities have linked the group to breaches involving prominent retailers such as Marks & Spencer, Harrods, and Co-op Group, as well as various airlines. The arrests, conducted by the UK’s National Crime Agency (NCA), include two males aged 19, another aged 17, and a 20-year-old female.

One suspect, identified as Owen David Flowers who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” reportedly played a key role in the MGM attack. Flowers was the group member who anonymously gave interviews to the media in the days after the MGM hack, sources told KrebsOnSecurity.

Another, 19-year-old Thalha Jubair, who is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat,” has a known history of orchestrating cyber intrusions under various aliases, including roles in earlier incidents involving the LAPSUS$ extortion group. 

The gang stole data from tech giants, including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber, in 2022.

In April, a 20-year-old who is believed to be a member of the notorious Scattered Spider threat actor pleaded guilty in court, while five other individuals were arrested in November 2024. In July 2024, a 17-year-old boy from Walsall was arrested, and the FBI detained a 22-year-old SIM swapper operating under the alias ‘Tyler,’ who was believed to be the Scattered Spider leader.

Scattered Spider, an English-speaking cybercrime group, has developed a reputation for its adept use of social engineering techniques. 

The group frequently impersonates employees or contractors to deceive IT help desks into granting unauthorized access to infiltrate networks, steal sensitive data, and deploy ransomware to extort their victims.  

The NCA’s action disrupted the group’s current operations due to these arrests, but the Scattered Spider ransomware group’s prolific activities suggest that organizations must prioritize social engineering defenses, including employee training on phishing tactics and access verification procedures.