UK Arrests Key LAPSUS$ Hacker Behind Scattered Attacks

UK authorities recently apprehended a 19-year-old individual, Thalha Jubair, who is alleged to be a pivotal member of the notorious Scattered LAPSUS$ Hunters cybercriminal group. The arrest took place on September 16, as indicated by the U.S. Department of Justice (DoJ), which has since brought forth a range of serious charges against Jubair. These include conspiracies related to computer fraud, wire fraud, and money laundering, directly tied to over 120 instances of computer network breaches and extortion activities affecting 47 entities in the United States.

The Impact of Scattered LAPSUS$ Hunters

The DoJ’s announcement brings to light the extensive damage allegedly caused by Jubair and his associates, with ransom payments exceeding $115 million paid by numerous victims. This operation reflects the broader threat posed by the cybercrime collective known as Scattered LAPSUS$, which has affiliations with other factions like Scattered Spider and ShinyHunters. Recent reports suggest that this collective had decided to retreat from public view, yet there is evidence that they might already be re-engaging in malicious activities.

In particular, the Scattered LAPSUS$ Hunters are linked to significant cyber attacks, including those against Jaguar Land Rover and the Salesloft Drift campaign targeting Salesforce instances. The audacity of these attacks suggests that the group may have deemed it necessary to lay low temporarily while planning their next moves. This aligns with the broader network of cybercrime referred to as “The Com,” which has also been associated with various other identifiers, including UNC6040 and UNC6395, while Scattered Spider is tracked as UNC3944.

Jubair’s Alleged Role and Potential Consequences

Security expert Kevin Beaumont recently weighed in on social media, stating that Thalha Jubair has been instrumental in orchestrating major cyber incidents over the past five years, claiming that he has been operating effectively from a young age. This assessment highlights the considerable skill and audacity Jubair is believed to possess.

The repercussions of his activities are significant. According to the DoJ, Jubair could face a hefty prison sentence totaling up to 95 years if convicted on all charges. He has also been implicated in a separate investigation related to a computer intrusion targeting critical infrastructure in the UK. Following his arrest, both Jubair and another unidentified individual were set to appear in court to face the charges brought against them in the UK.

Charges and Criminal Activity Timeline

The U.S. charges against Jubair detail a series of alleged cybercrimes that purportedly began in May 2022 and continued through September 2025. During this period, he and his associates are accused of executing around 120 intrusions into various networks, including a diverse array of U.S. corporate victims. One of the most alarming aspects of the investigation is the tracking of ransom payments made to cryptocurrency wallets controlled by Jubair, particularly after they were linked to illicit funds originating from at least five victims.

Notably, during a law enforcement operation in July 2024 that aimed to seize evidence from Jubair’s server—resulting in the confiscation of approximately $36 million in cryptocurrency—evidence emerged that Jubair had managed to transfer a sum of $8.4 million, linked directly to one of the extorted victims, to another wallet. This action underscores the complexities and intricacies of cryptocurrency transactions within the sphere of cybercrime.
