Thalha Jubair was fifteen when he discovered he had a skill. He’s an East London kid and hes good at convincing people to do things over the phone. By 2021, he was running SIM swap operations.

WHATS SIM SWAPPING

You call a phone company. Pretend to be someone else. Convince the employee your phone is broken and you need your number transferred to a new SIM card. They do it. Now you control that person's phone number.

Which means you control their two-factor authentication codes. Password resets. Bank alerts. Everything tied to that number. It's called social engineering. And Jubair was good at it.

By early 2022, Jubair joined LAPSUS$. A hacking group run mostly by teenagers. The suspected leader was a 16-year-old from Oxford who went by White and Breachbase.

Between February and March 2022, LAPSUS$ went on a rampage. They hit Nvidia and stole a terabyte of data. Leaked credentials for 70,000 employees. They breached Microsoft and took 37 gigabytes of source code for Bing. Then Samsung. 190 gigabytes of internal files. Then Okta, the identity company that protects thousands of other businesses. Then Ubisoft, Globant, Vodafone.

They weren't quiet about it. They posted everything on public Telegram channels. They joined Zoom calls at companies they'd breached to mock the security teams. They were extremely bold and cocky

How These Groups Work

These aren't traditional criminal organizations. Theres no hierarchy. No formal leadership. Just loose networks on Telegram and Discord. Hundreds or thousands of members. Mostly young and mostly from English-speaking countries.

They share techniques, trade access to compromised networks and collaborate when it's useful. But there's no structure. You can't cut the head off because there isn't one. Arrest ten people, twenty more keep operating under different names.

Inside LAPSUS$, Jubair went by Amtrak and Asyntax. At one point he told the group leader not to post T-Mobile's logo in their chats. His parents had already busted him once and he didn't want them getting suspicious again.

The leader responded by doxxing him. He posted Jubair's real name, phone number, and all his aliases in a public Telegram room.

UK police arrested seven LAPSUS$ members in March 2022. Jubair wasn't among them. He had already cut ties and moved to other operations.

Around 2023, Jubair became an integral member of Scattered Spider. Security researchers who tracked the group say he was one of the four principal operators. One of the two most core players.

Scattered Spider specialized in one thing: calling IT help desks.

They'd research a target company for weeks. Scrape LinkedIn for employee names, departments, organizational structure. They would monitor employee’s social media accounts. Gathering as much information as possible to build a profile.

Then they'd call. "Hey, this is Michael from accounting. Im working from home, and I can't seem to access my email. My phone's not getting the authentication codes. I don’t know whats going on. Can you reset my password?"

Simple. Believable. Helpdesk workers get these calls constantly. The caller knew the employee's name. Knew their department. Sounded legitimate. Why wouldn't they help?

If the first call fails, they'd note what security questions were asked. Research the answers. Call back to a different help desk worker on a different shift. They kept trying.

Once inside the network, they'd steal data and encrypt everything they could. Then demand millions in Bitcoin. “Pay or we release your data and you never get it back”

Between May 2022 and September 2025, Jubair participated in at least 120 attacks. 47 were American companies. Two paid over $25 million each. Another paid $36 million. Total ransoms collected: over $115 million.

Jubair wasn't just a member. Security researchers say he was one of the four principal operators. One of the two most core players. That meant he ran infrastructure. Managed servers. Controlled the cryptocurrency wallets where ransom payments landed.

January 8, 2025. They called the U.S. federal court system's help desk. Got someone to reset a password and took over three accounts. One belonged to a magistrate judge.

They searched the judge's email for specific terms. "Subpoena." "Scattered Spider." Names of hackers facing charges. They wanted to know what law enforcement knew about their operation.

The FBI had been tracking them for years. Following the money. Bitcoin isn't anonymous. Every transaction is recorded on a public blockchain. Permanent. Traceable.

They traced ransom payments from victims to cryptocurrency wallets on servers Jubair controlled. $36 million sitting there. This wasn’t his personal fortune, it was operational money. Ransom payments waiting to be distributed amongst the group. He was essentially the treasurer.

The Mistake

Here's where it gets stupid. Jubair had $36 million in cryptocurrency under his control. Other hackers trusted him with the infrastructure. He managed ransom payments from Fortune 500 companies. He was running operations for 120 cyberattacks.

But he used some of that cryptocurrency to buy gift cards. Gaming gift cards registered to his real name and food delivery gift cards for takeout.

Not luxury cars. Not real estate but pizza and video games. Regular teenager stuff.

The FBI followed the trail. Cryptocurrency from a $25 million ransom payment traced to an Uber Eats order at his East London apartment.

Security researchers said Jubair was "extremely careful." Amnesiatic operating systems. Multiple VPNs. Elaborate precautions. Then he linked his real name to traceable crypto for pizza smh.

July 2024: FBI Server Seizure

FBI agents seized Jubair's servers. They had everything. Chat logs. Stolen data. Cryptocurrency wallets with ransom payments. While they were seizing the servers, Jubair transferred $8.4 million to another wallet.

But they couldn't arrest him. He was in London. FBI has no arrest authority in the UK. They needed UK cooperation.

Building an extradition case takes time. Six countries coordinating. Tracing every transaction. Connecting all 120 attacks. Making it airtight.

Security researchers knew his identity. They'd connected all his online personas. Everlynn. Amtrak. Asyntax. Earth2Star. Brad. Austin. @autistic. All the same person. They were frustrated. "Officials knew who he was a year ago," one researcher said.

August 2024: UK Gets Jurisdiction

Scattered Spider targeted Transport in London. The city's public transit system. They compromised thousands of customers' personal data costing nearly £40 million to recover from.

That gave UK authorities their own case. Their own charges. Now they had jurisdiction to arrest him on UK soil.

September 16, 2025: The Arrest

UK authorities arrested Jubair at his East London apartment. He was 19 years old.

The operation required coordination between six countries: United States, United Kingdom, Netherlands, Romania, Canada, Australia.

Jubair now faces up to 95 years in prison if convicted and extradited to the United States.