UK authorities have arrested a 19-year-old UK national alleged to be a key figure in the Scattered LAPSUS$ Hunters threat collective.
UK authorities arrested Thalha Jubair and a second individual on September 16, the U.S. Department of Justice (DoJ) said today in announcing charges against Jubair that include “conspiracies to commit computer fraud, wire fraud, and money laundering, in relation to at least 120 computer network intrusions and extortion involving 47 U.S. entities.”
The unsealed U.S. complaint alleges that Jubair’s victims paid at least $115 million in ransom payments, the DoJ said.
Scattered LAPSUS$ Hunters Hackers Behind Salesloft Attacks
The DoJ statement specifically mentions the Scattered Spider threat group, but Jubair is believed to have emerged as part of the LAPSUS$ threat group that recently formed a collective with Scattered Spider and ShinyHunters. The collective announced earlier this month that it is going dark – but evidence has already emerged of potential new activity.
Recent Scattered LAPSUS$ Hunters’ attacks have allegedly included the targeting of Salesforce instances. The groups are also believed to be connected to a broader cybercrime community known as The Com. The groups have also been referred to as UNC6040 and UNC6395. Scattered Spider is also tracked as UNC3944, among other names.
“For the record, since I think it’s now safe to say – Thalha Jubair (a teen) is the key guy behind LAPSUS$/Scattered Spider/ShinyHunters and basically most of the big cyber incidents of the past 5 years,” security researcher Kevin Beaumont said on Mastodon today. “He’s been running rings around everybody since he was 14.”
Jubair Could Face 95 Years in Prison
The DoJ said that UK authorities “arrested Jubair and a second individual in connection with a separate U.K. investigation related to a computer intrusion that targeted U.K. critical infrastructure.”
The UK National Crime Agency (NCA) named the second man as Owen Flowers, 18, of Walsall. Flowers and Jubair have been remanded into custody and are due to appear at Southwark Crown Court on October 16.
In the U.S., the DoJ said Jubair is charged with “computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted, he faces a maximum penalty of 95 years in prison.”
According to the U.S. complaint, Jubair – also known as “EarthtoStar,” “Brad,” “Austin” and “@autistic” – began his alleged activity in 2022.
“From as early as May 2022 to as recently as September 2025, Jubair and his associates were involved in approximately 120 network intrusions, including accessing the computer networks of at least 47 U.S.-based victims,” the DoJ said.
Some of the ransom payments from at least five victims “were sent to wallets on a server controlled by Jubair,” the DoJ said. “In July 2024, while law enforcement was seizing that server — including successfully seizing cryptocurrency worth approximately $36 million at the time of the seizure — Jubair transferred a portion of cryptocurrency that originated from one of the victims, worth approximately $8.4 million at the time, to another wallet.”
