Security
Teen hacker accused of $115M cybercrime spree
Hackers called IT help desks, pretending to be a forgetful employee, and sweet-talking their way into fresh passwords.
The US Department of Justice unsealed charges against a 19-year-old British teenager accused of hacking like it was a full-time job.
Prosecutors say Thalha Jubair was behind at least 120 cyberattacks, including breaches at dozens of US companies, the US Courts system, and, because why not, London’s public transit network.
Jubair was arrested earlier this week at his East London home, alongside 18-year-old partner-in-crime (alleged, of course) Owen Flowers.
The two were already facing British charges for a 2024 hack that knocked Transport for London’s IT systems offline, forcing a painful months-long cleanup.
Authorities linked that attack to Scattered Spider, a hacking collective that sounds like a Marvel villain squad but is actually a group of mostly teenagers and twenty-somethings fluent in English and social engineering.
Their favorite trick? Calling up IT help desks, pretending to be a forgetful employee, and sweet-talking their way into fresh passwords.
Scattered Spider has earned the nickname “advanced persistent teenagers” for good reason.
Beyond clever phone scams, the group has ties to a cybercrime underground known as “the Com,” where digital threats occasionally spill into real-world violence, like swatting.
But prosecutors say Jubair took things further. According to federal charges filed in New Jersey, he allegedly extorted dozens of US companies out of more than $115 million in ransom payments.
The FBI says it traced evidence on seized servers to corporate break-ins, stolen data, and even a crypto wallet holding about $36 million. (Jubair reportedly managed to move $8.4 million while the FBI was seizing the wallet.)
Among the most eyebrow-raising hacks? Alleged access to the US Courts system.
Investigators say Jubair and friends tricked help desk staff into handing over credentials, including a magistrate judge’s account, then used it to snoop for sealed indictments of fellow hackers.
They even filed bogus emergency data requests with a financial firm, basically cosplaying as federal officials.
Whether Jubair will be extradited to the US is still up in the air.
For now, he and Flowers remain in British custody, poster children for a new era of cybercrime: teenage hackers pulling off multimillion-dollar heists armed with nothing more than a phone call and a lot of nerve.
Does the rise of “advanced persistent teenagers” like this alleged hacking duo show that cybercrime has become too accessible to young people, or are these exceptional cases of criminal behavior that would exist regardless of technology? Should companies focus more resources on training employees to recognize social engineering attacks, or is this an arms race that will always favor creative hackers?