– Krebs on Security
U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.

At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.

| The Record from Recorded Future News
Jonathan Greig
September 22nd, 2025

A 17-year-old male surrendered to police in Las Vegas and was booked on charges related to 2023 cyberattacks against the city's casino and hospitality industry.

A suspected member of the Scattered Spider cybercriminal organization turned themselves in to Las Vegas police last week under accusations that they were behind multiple cyberattacks targeting casinos in the city.

The Las Vegas Metropolitan Police Department released a brief statement on Friday afternoon confirming that an unnamed juvenile suspect surrendered himself to the Clark County Juvenile Detention Center on September 17. He was booked on several charges related to cyberattacks on multiple Las Vegas casino properties between August 2023 and October 2023, police said.

Those dates line up with ransomware attacks on Caesars Entertainment and MGM Resorts — both of which own multiple casinos and hotels across Las Vegas.

Las Vegas Police said the attacks were attributed to Scattered Spider and noted that the FBI took over the investigation.

The unnamed suspect was charged with three counts of obtaining and using the personal information of another person, one count of extortion, one count of conspiracy to commit extortion and one count of unlawful acts regarding computers.

The Clark County District Attorney’s Office said it is looking to transfer the person to the criminal division, where he will face the charges as an adult.

The ransomware attack on MGM Resorts cost the company more than $100 million and left thousands of Las Vegas visitors scrambling to deal with widespread technology outages caused by the incident. The attackers also stole sensitive personal information on millions of customers and employees.

Members of the group later launched an assault in 2025 on multiple industries — shutting down several airlines, major insurance companies and high-profile retailers from March to July.

The group most recently took credit for a damaging attack on British automotive giant Jaguar Land Rover.

Law enforcement agencies have recently stepped up efforts to arrest, charge and convict members of the group.

Last year, police in the U.K. arrested a 17-year-old for his alleged role in the MGM attack.

Last week, a U.K. national was arrested in London and concurrently charged by U.S. prosecutors for his involvement in at least 120 attacks launched by Scattered Spider.

Other members of the group were recently slapped with years-long prison sentences for launching attacks.

| The Record from Recorded Future News Alexander Martin
September 18th, 2025

Two suspected members of the Scattered Spider cybercrime collective have been arrested and charged in the United Kingdom following an investigation into the hack of Transport for London (TfL) last year.

The National Crime Agency (NCA) announced on Thursday that Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, had been arrested at their homes at lunchtime on Tuesday.

The Crown Prosecution Service authorized charges against both men on Wednesday night under the Computer Misuse Act, alleging they conspired to commit unauthorized acts against TfL, which was hacked in August 2024. Flowers had initially been arrested over the the transit agency attack in September 2024, but released on bail.

The NCA said its officers also discovered additional potential evidence that Flowers had been involved in attacks against U.S. healthcare companies following his arrest. Flowers faces two additional charges of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health.

Jubair faces an additional charge for refusing to provide investigators with passcodes to access devices seized from him. The U.S. Department of Justice also unsealed a complaint against Jubair on Thursday, accusing him of computer crimes.

The men are set to appear at Westminster Magistrates’ Court at 2 p.m. on Thursday. In England and Wales, criminal cases begin with a first hearing in a magistrates’ court where it is decided whether the case will proceed to a Crown Court for a jury trial — required for all cases where the sentence could exceed 12 months.

The specific charges against both men are “conspiracy to commit an unauthorised act in relation to a computer causing / creating risk of serious damage to human welfare/national security,” the maximum sentence for which is life imprisonment.

Magistrates’ courts also decide whether a defendant can be released on bail. Prosecutors are seeking to have both men remanded in custody until they can face trial.

Paul Foster, the head of the NCA’s National Cyber Crime Unit, said: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”

It follows the NCA warning of an increasing threat from English-speaking cybercriminal groups, including the loose collective tracked as Scattered Spider, which has been associated with a range of attacks in both Britain and the United States.

“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” said Foster.

Hannah Von Dadelszen, the CPS’ chief prosecutor for the Crown Prosecution Service, said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”

The charges come as the NCA’s cybercrime unit is understood to be busier than ever in investigating a range of cases. These include the hack against TfL, the Legal Aid Agency, two incidents impacting the National Health Service, and attacks on three retailers — Marks & Spencer, the Co-op, and the London-based luxury store Harrods.

Contempt of court laws prohibit prejudicing a jury trial by suggesting suspects' guilt or innocence, publishing details regarding their past convictions, or speculating about the character of the defendants.

Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company

"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer.

"No requests were made with this fraudulent account, and no data was accessed."

The FBI declined to comment on the threat actor's claims.

This statement comes after a group of threat actors calling itself "Scattered Lapsus$ Hunters" claimed on Telegram to have gained access to both Google's LERS portal and the FBI's eCheck background check system.

The group posted screenshots of their alleged access shortly after announcing on Thursday that they were "going dark."

The hackers' claims raised concerns as both LERS and the FBI's eCheck system are used by police and intelligence agencies worldwide to submit subpoenas, court orders, and emergency disclosure requests.

Unauthorized access could allow attackers to impersonate law enforcement and gain access to sensitive user data that should normally be protected.

The "Scattered Lapsus$ Hunters" group, which claims to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, is behind widespread data theft attacks targeting Salesforce data this year.

The threat actors initially utilized social engineering scams to trick employees into connecting Salesforce's Data Loader tool to corporate Salesforce instances, which was then used to steal data and extort companies.

The threat actors later breached Salesloft's GitHub repository and used Trufflehog to scan for secrets exposed in the private source code. This allowed them to find authentication tokens for Salesloft Drift, which were used to conduct further Salesforce data theft attacks.

These attacks have impacted many companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co, Cloudflare, Zscaler, Elastic, Proofpoint, JFrog, Rubrik, Palo Alto Networks, and many more.

Google Threat Intelligence (Mandiant) has been a thorn in the side of these threat actors, being the first to disclose the Salesforce and Salesloft attacks and warning companies to shore up their defenses.

Since then, the threat actors have been taunting the FBI, Google, Mandiant, and security researchers in posts to various Telegram channels.

Late Thursday night, the group posted a lengthy message to a BreachForums-linked domain causing some to believe the threat actors were retiring.

"This is why we have decided that silence will now be our strength," wrote the threat actors.

"You may see our names in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active."

However, cybersecurity researchers who spoke with BleepingComputer believe the group will continue conducting attacks quietly despite their claims of going dark.

Update 9/15/25: Article title updated as some felt it indicated a breach.

bleepingcomputer.com - Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.

Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th.

While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group.
Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches.

Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase.

One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances.

These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors.

The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications.

BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database.

BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing.

The Salesforce data-theft attacks
The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances.

Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.

Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks.

While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider.

However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same.

"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer.

"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."

It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested.

Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA.

Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to run over billion and trillion-dollar companies' IT defenses.

Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.

reuters.com - Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords.

WASHINGTON, July 22 (Reuters) - Bleach maker Clorox (CLX.N), opens new tab said Tuesday that it has sued information technology provider Cognizant (CTSH.O), opens new tab over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords.
Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom.

The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them.
"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit, opens new tab reviewed by Reuters. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."
Cognizant, in an emailed statement, pushed back, saying it did not manage cybersecurity for Clorox and it was only hired for limited help desk services.

Four individuals in Britain were arrested early on Thursday morning by the National Crime Agency on suspicion of involvement in a range of ransomware attacks targeting the British retail sector earlier this year.

The individuals are a 20-year-old British woman from Staffordshire, a 19-year-old Latvian male from the West Midlands, a 19-year-old British man from London and a 17-year-old British male from the West Midlands.

All four are now in custody having been arrested at home, and the NCA said its officers have seized their electronic devices for forensic analysis.

The individuals are suspected of involvement in three incidents in April impacting British retailers Marks & Spencer, the Co-op and the London-based luxury store Harrods.

The NCA said the individuals are suspected of Computer Misuse Act offenses, blackmail, money laundering and participating in the activities of an organized crime group.

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” said Paul Foster, the head of the NCA’s National Cyber Crime Unit.

“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.

“Cyber attacks can be hugely disruptive for businesses and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”

The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.

Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.

A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.

Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.
“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”

Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.

A 20-year-old man believed to be a member of the cybercrime ring known as Scattered Spider has pleaded guilty to charges brought against him in Florida and California.

Noah Urban of Palm Coast, Florida, was arrested in January 2024 and charges against him were unsealed by US authorities in November 2024, when four others believed to be members of Scattered Spider were named.

Connecting a successful phishing attempt to Scattered Spider through Validin pivoting

Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta,…

The West Midlands Police said U.K. agencies — in coordination with the FBI — arrested a 17-year-old suspect in a breach that upended MGM's operations last year on the Las Vegas Strip.

UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider" and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.

Enfin une bonne nouvelle à propos de Scattered Spider, ce gang de cybercriminels actif depuis le printemps 2022 ? La presse espagnole vient d’annoncer l’arrestation d’un Anglais présenté comme l’un des leaders de ce groupe informel de pirates informatiques. Le jeune homme de 22 ans s'apprêtait à s’envoler vers l’Italie quand il a été arrêté à Palma de Majorque, dans l’archipel des Baléares.

Spanish newspaper Murcia Today reported that a British man was detained at Palma Airport as he prepared to board a flight to Italy.

Discover the techniques, tactics (TTPs) used by Scattered Spider intrusion set, including social engineering and targeted phishing campaigns.