FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
There are new available articles, click to refresh the page.
☐ β˜† βœ‡ Krebs on Security

UK Arrests Four in β€˜Scattered Spider’ Ransom Group

By: BrianKrebs β€” July 10th 2025 at 17:31

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed β€œScattered Spider,” whose other recent victims include multiple airlines.

The U.K.’s National Crime Agency (NCA) declined verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and 20-year-old female.

Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.

KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.

Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles β€œbo764,” β€œHoly,” and β€œNazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.

The bigger fish arrested this week is 19-year-old Thalha Jubair,Β a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname β€œEarth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel β€œStar Fraud Chat.”

In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.

Jubair allegedly used the handles β€œEarth2Star” and β€œStar Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.

Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.

In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity β€œEverlynn,” the founder of a cybercriminal service that sold fraudulent β€œemergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct β€œInfinity Recursion” hacking team, from which some member of LAPSUS$ hail.

Sources say Jubair also used the nickname β€œOperator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to β€œdox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.

In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.

β€œThere is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York based security firm Unit 221B. β€œCybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”

☐ β˜† βœ‡ The Hacker News

British LAPSUS$ Teen Members Sentenced for High-Profile Attacks

By: Newsroom β€” December 24th 2023 at 05:48
Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies. Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime "as soon as possible," BBC reported. Kurtaj, who is autistic, was
☐ β˜† βœ‡ The Hacker News

Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks

By: THN β€” September 18th 2023 at 03:16
The financially motivated threat actor known asΒ UNC3944Β is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed. "UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,
☐ β˜† βœ‡ The Hacker News

Two LAPSUS$ Hackers Convicted in London Court for High-Profile Tech Firm Hacks

By: THN β€” August 25th 2023 at 13:52
Two U.K. teenagers have been convicted by a jury in London for being part of the notorious LAPSUS$ (aka Slippy Spider) transnational gang and for orchestrating a series of brazen, high-profile hacks against major tech firms and demanding a ransom in exchange for not leaking the stolen information. This includes Arion Kurtaj (aka White, Breachbase, WhiteDoxbin, and TeaPotUberHacker), an 18-
☐ β˜† βœ‡ Naked Security

Uber and Rockstar – has a LAPSUS$ linchpin just been busted (again)?

By: Paul Ducklin β€” September 24th 2022 at 22:57
Is this the same suspect as before? Is he part of LAPSUS$? Is this the man who hacked Uber and Rockstar? And, if so, who else?

☐ β˜† βœ‡ Naked Security

S3 Ep77: Bugs, busts and old-school PDP-11 hacking [Podcast]

By: Paul Ducklin β€” April 7th 2022 at 12:24
Latest episode - listen now! Cybersecurity news and advice in plain English.

☐ β˜† βœ‡ Naked Security

LAPSUS$ hacks continue despite two hacker suspects in court

By: Paul Ducklin β€” April 4th 2022 at 21:36
Do you know where in your company to report security anomalies? If you receive such reports, do you have an efficient way to process them?

☐ β˜† βœ‡ Naked Security

UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang?

By: Naked Security writer β€” March 25th 2022 at 01:48
Seven alleged hackers have been arrested in the UK. But who are they, and which hacking crew are they from?

☐ β˜† βœ‡ Naked Security

S3 Ep75: Okta hack, CryptoRom, OpenSSL, and CafePress [Podcast]

By: Paul Ducklin β€” March 24th 2022 at 13:49
Latest episode - listen now!

☐ β˜† βœ‡ Naked Security

Ransomware with a difference: β€œDerestrict your software, or else!”

By: Paul Ducklin β€” March 2nd 2022 at 16:33
"Change your code to improve cryptomining"... or we'll dump 1TB of stolen secrets.

❌