CyberScoop Reports US Authorities Attribute 120+ Attacks to Scattered Spider Defendant Thalha Jubair

More detail on Scattered Spider's TfL leaders: US authorities have Jubair on the record for 120 attacks, and defender pattern-tracking continues this week.

Share
Editorial illustration of a case folder fanning into many attack markers, marking US authorities attributing 120-plus attacks to Scattered Spider's Thalha Jubair.

Key Takeaways

  • In a July 17, 2026 follow-up to this week's Transport for London sentencing, CyberScoop reported that US authorities last year accused Scattered Spider defendant Thalha Jubair of direct, prominent involvement in at least 120 cyberattacks — a figure that dwarfs the single UK case for which he and Owen Flowers were each jailed for 66 months.
  • According to CyberScoop, the US-attributed conduct reportedly includes the extortion of 47 US-based organizations and a January 2025 attack on the federal court system, with officials tracing at least $89.5 million in cryptocurrency at the time of payment to addresses and servers said to be controlled by Jubair.
  • For defenders, the significance is less any single number than the pattern: Jubair and Flowers are characterized as leading members of a Scattered Spider subset of The Com, and the widening transatlantic paper trail is a leading indicator of how individual accountability is being assembled across jurisdictions.

The UK jailed them for one attack. US authorities, CyberScoop reports, already had Thalha Jubair on the record for at least 120 — a reminder that the case against Scattered Spider's leaders spans more than one courtroom.

LONDON — US authorities last year accused Scattered Spider defendant Thalha Jubair of direct, prominent involvement in at least 120 cyberattacks, according to a July 17, 2026 CyberScoop report that expands on this week's Transport for London (TfL) sentencing. The follow-up puts the UK case — in which Jubair and Owen Flowers were each sentenced to 66 months, or five years and six months — into a much larger frame, one in which a single national prosecution captures only a fraction of the conduct investigators have alleged.

For security teams, the reporting is a study in scale and scope. The TfL sentencing was, on its own, the largest cybercrime prosecution ever brought before the UK courts. Yet the 120-attack figure attributed to Jubair by US authorities, and the cross-border characterization of both men as leading members of Scattered Spider, suggest the public record still trails the alleged activity. The takeaway for defenders is not a fresh incident to remediate but a clearer picture of how accountability against a high-profile crew is being built one jurisdiction at a time.

At a Glance
FieldDetails
Reported byCyberScoop, July 17, 2026 (follow-up to the TfL sentencing)
DefendantsThalha Jubair and Owen Flowers, characterized as leading members of Scattered Spider
UK outcomeEach sentenced to 66 months (five years and six months) for the 2024 TfL attack
US-attributed figureAt least 120 cyberattacks, per US authorities, reportedly attributed to Jubair last year
Alleged US scopeReportedly includes extortion of 47 US-based organizations and a January 2025 federal court system attack
Financial trailAt least $89.5 million in cryptocurrency reportedly traced to addresses and servers tied to Jubair
Organizational framingScattered Spider described as a subset of The Com
Status of US actionNo confirmed US indictment, extradition request, or additional charges announced as of reporting

What CyberScoop Reported

CyberScoop's July 17, 2026 report is a follow-up to the TfL sentencing, and its central new detail is a number attached to a name. According to the outlet, US authorities last year accused Thalha Jubair of direct, prominent involvement in at least 120 cyberattacks. That US-attributed figure, CyberScoop reports, reportedly encompasses the extortion of 47 US-based organizations and a January 2025 attack on the federal court system — conduct far broader than the single UK offense for which Jubair and Owen Flowers were sentenced.

The same reporting notes that officials said they traced at least $89.5 million in cryptocurrency, valued at the time of the payments, to Bitcoin addresses and servers said to be controlled by Jubair. The CyberScoop account attributes those specifics to a US criminal complaint. The CyberSignal has not independently verified the named organizations or the individual transactions, and treats each as an allegation on the public record rather than a proven fact.

The throughline of the CyberScoop piece is that the UK sentencing, while historic, sits atop a much larger body of alleged activity. The 120-attack figure is not a new charge announced this week; it is prior US accusation resurfaced to give the sentencing context — a reminder that the case investigators describe extends well beyond the one network that brought it to court.

Continuation Context: The TfL Sentencing

This report continues coverage that began with the sentencing itself. Earlier this week, Jubair and Flowers were each sentenced to 66 months for the 2024 attack on Transport for London, an incident that brought the network's operations to a standstill and that UK authorities called the largest cybercrime prosecution ever brought before the country's courts. The two had pleaded guilty last month, just as their trials were set to begin.

The National Crime Agency framed the outcome as a significant disruption of Scattered Spider's activity, while also acknowledging that other cybercriminals continue to operate under the same brand. The FBI, for its part, described the sentencing as a step toward accountability for a group it says continues to victimize organizations worldwide. The 120-attack figure CyberScoop surfaced does not change the UK sentence; it widens the lens on the two men behind it.

For readers following the thread, the sequence is straightforward: arrest, guilty plea, sentencing, and now a fuller accounting of the US-side allegations that predate the UK case. Each beat has added scope rather than reversing the last, and the picture that emerges is of defendants whose alleged reach outstripped the single prosecution that ultimately jailed them.

The 120-Attack Figure and Downstream US Prosecution Possibility

The most consequential open question is what, if anything, US authorities do next. The 120-attack figure was attributed to Jubair last year, before the UK secured its conviction. Whether that prior accusation translates into a US indictment, an extradition request, or additional charges is not confirmed, and nothing in the current reporting settles it. The CyberSignal flags these as open possibilities, not foregone conclusions.

Outside researchers quoted by CyberScoop have publicly speculated about extradition — one expressed hope that the pair would eventually be sent to the US to face further charges — but that is an analyst's aspiration, not a government commitment. Defenders should read the 120-attack number as an indicator of the alleged scale of the underlying conduct, not as evidence that a second prosecution is imminent. The gap between an accusation on a complaint and a filed charge in a new jurisdiction can be long, and it is gated by treaties, cooperation, and prosecutorial discretion.

What the figure does establish is that the US case file on Jubair is substantial and predates the UK outcome. For organizations that track threat-actor accountability as a strategic signal, that matters: it suggests the public record on Scattered Spider's leadership is still being written, and that this week's sentencing may not be the last word.

The Scattered Spider / The Com Organizational Context

The reporting situates both men within a specific structure. Jubair and Flowers are characterized as leading members of Scattered Spider, which researchers describe as a subset of The Com — a broader, loosely bound English-speaking cybercriminal milieu. That framing echoes prior CyberSignal coverage of how loosely organized crews have professionalized and how enforcement has increasingly targeted the individuals inside them, as with the 102-month sentence handed to a Karakurt extortion negotiator tied to Conti and Akira and a Ukrainian national's guilty plea in a Conti ransomware case.

The organizational point is important for defenders because brands like Scattered Spider are porous and durable in a way that individuals are not. UK authorities themselves noted that other actors continue to use the Scattered Spider label even after these arrests. Treating the name as the unit of analysis, rather than the people and clusters behind it, tends to overstate the impact of any single case. The value of the 120-attack disclosure is precisely that it attaches conduct to a named individual rather than a logo.

That individual-centric enforcement model mirrors the coordinated, cross-border disruptions defenders have watched accelerate over the past year, from takedowns such as Operation Endgame's dismantling of ransomware-supply-chain servers and operators to the steady cadence of individual pleas and sentences. None of it hardens a single endpoint, but it changes the strategic backdrop against which identity-driven crews operate.

Open Questions

Several threads remain unresolved. The named US victims behind the 120-attack figure are not fully public, and The CyberSignal is not asserting the specific 47 organizations or individual transactions as confirmed. Whether US prosecutors will pursue their own indictment against Jubair, whether extradition to the US is under active consideration, and whether Flowers faces separate US exposure are all unconfirmed as of this reporting.

Also open is the question of other Scattered Spider defendants moving through US and UK pipelines. Enforcement against the crew has not been limited to these two men, and the reporting leaves room for further arrests, charges, and disclosures. Defenders tracking this actor should treat the current record as provisional and expect the public accounting to keep expanding.


The CyberSignal Analysis

The facts above come from CyberScoop's reporting and the underlying UK and US law-enforcement record. What follows is The CyberSignal's editorial reading of what defenders should take from them — none of it is a new reported fact.

Signal 01 — The Number Is the Story, Not the Sentence

Our reading is that the 66-month sentence and the 120-attack figure are two different measurements of the same defendant, and the gap between them is the point. A national prosecution resolved one attack; the US accusation describes a body of alleged conduct more than a hundred times larger. Defenders who benchmark threat-actor risk by court outcomes alone will consistently underestimate scope.

The practical takeaway is to read sentences as floors, not ceilings, when assessing how much activity a given actor is believed to be responsible for. The public accounting of a prolific operator tends to arrive in fragments across jurisdictions, and the first courtroom result is rarely the full measure of the case.

Signal 02 — Individuals Outlast the Brand

UK authorities conceded that other actors still operate under the Scattered Spider name even after these arrests. Our assessment is that this is the recurring lesson of identity-driven cybercrime: the brand is disposable marketing, while the people, relationships, and reputations inside The Com persist. Attaching 120 attacks to a named individual is therefore more analytically useful than any tally attached to a logo.

For teams that triage risk by threat-actor name, the implication is to follow people and clusters, not labels. The prosecutions that meaningfully shrink a crew are the ones that remove specific operators, because a name can be reused the week after an arrest but a convicted individual cannot.

Signal 03 — Cross-Border Accountability Is Still Being Assembled

The US-attributed figure predates the UK conviction, which tells us the record on Scattered Spider's leadership is being built in parallel across jurisdictions rather than in a single, tidy proceeding. Our view is that defenders should treat transatlantic accountability as an ongoing process with more chapters likely, not a closed book after one high-profile sentencing.

The operational implication is unchanged and unglamorous: enforcement changes the strategic backdrop over years, while resilient backups, hardened identity, and tested recovery decide outcomes on the day of an attack. Watch the extradition-and-indictment cadence as a slow signal about the operator pool — but do not mistake a headline sentence for the end of the risk it represents.


Sources

TypeSource
ReportingCyberScoop — Leading members of Scattered Spider sentenced in UK to 66 months in jail
PrimaryUK National Crime Agency — Two sentenced for hacking Transport for London in UK's biggest ever cyber crime case
PrimaryU.S. Department of Justice, District of New Jersey — Unsealed criminal complaint against Thalha Jubair
RelatedThe CyberSignal — Scattered Spider TfL Leaders Jubair and Flowers Sentenced
RelatedThe CyberSignal — Scattered Spider Member Pleads Guilty Over Transport for London Attack