21 September 2025

London Teen Charged In $115 Million Cybercrime Spree

Authorities allege a 19-year-old led a global hacking campaign targeting U.S. companies and federal courts, while experts warn that even loyalty rewards programs are now in criminals’ crosshairs.

A sprawling cybercrime investigation has thrown a spotlight on the vulnerabilities lurking within both major corporate networks and the seemingly innocuous world of loyalty rewards programs. In a case that has sent shockwaves through the cybersecurity and business communities on both sides of the Atlantic, authorities allege that a 19-year-old Londoner masterminded a sweeping campaign of digital extortion that targeted U.S. companies, federal institutions, and even everyday consumers’ rewards accounts.

Thalha Jubair, a teenager from East London, now faces a maximum sentence of 95 years in prison after being charged in a New Jersey federal court with computer and wire fraud, as well as three counts of conspiracy. The charges, unsealed in the week of September 15-21, 2025, detail a sophisticated scheme in which Jubair—allegedly operating under aliases such as “Austin,” “Brad,” and “EarthtoStar”—is accused of orchestrating a series of attacks as part of the notorious hacking collective known as “Scattered Spider.” According to the U.S. Department of Justice, the campaign ran from May 2022 to September 2025 and resulted in at least 120 computer networks being breached, including the U.S. federal court system itself.

The approach was as clever as it was audacious. Rather than relying solely on technical exploits, Jubair and his fellow conspirators allegedly used social engineering tactics—calling company help desks and convincing unsuspecting employees to reset passwords for accounts they did not own. Once inside, the hackers would either encrypt or steal sensitive data, threatening to delete or leak it unless the victims paid hefty ransoms. The scale of the operation was staggering: 47 unnamed U.S. companies, including airlines, manufacturers, retailers, five tech firms, and three financial services companies, reportedly fell victim to these attacks. Payments from these organizations totaled a jaw-dropping $115 million, with two financial services firms alone paying $25 million and $36.2 million in Bitcoin in 2023, according to prosecutors.

One of the most brazen incidents occurred on January 8, 2025, when Jubair allegedly targeted the U.S. Courts network. By tricking a help desk representative into resetting a password, Jubair is said to have gained access to two additional accounts, one of which belonged to a federal magistrate judge. Once inside, the hackers scoured the judge’s email for terms like “subpoena,” “scattered spider,” and the name of another alleged hacker facing charges. Another judge, who had presided over a related case, was also targeted, and the attackers reportedly stole 18 megabytes of data—including thousands of names, job titles, work locations, usernames, and cellphone numbers of court employees.

Jubair’s arrest was the product of close cooperation between U.K. and U.S. authorities. The U.K.’s National Crime Agency (NCA) and City of London Police apprehended Jubair at his East London home in September 2025. Owen Flowers, an 18-year-old from the West Midlands, was arrested alongside him. Both appeared in Westminster Magistrates Court, facing charges related to an August 2024 cyberattack on Transport for London, the government agency responsible for the city’s trains, buses, and the Underground. Flowers was also charged with conspiring to damage U.S. healthcare companies SSM Health Care Corporation and Sutter Health. The NCA said both teens were remanded into custody and that Jubair was additionally charged for refusing to disclose PINs or passwords for his seized devices.

Authorities allege that Jubair’s involvement with Scattered Spider may have begun when he was as young as 15 or 16. The group’s tactics—combining technical know-how with psychological manipulation—underscore a broader trend in the world of cybercrime, where the human element is often the weakest link. The impact has been immense: not only did the attacks disrupt critical infrastructure and business operations, but they also exposed the personal data of thousands, raising concerns about privacy and the potential for further abuse.

“Jubair is alleged to have participated in a sweeping cyber extortion scheme carried out by a group known as Scattered Spider, which committed at least 120 attacks worldwide and resulted in over $115 million in ransom payments from victims,” said acting Assistant Attorney General Matthew R. Galeotti of the Department of Justice. “These malicious attacks caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, highlighting the significant and growing threat posed by brazen cybercriminals.”

FBI Special Agent in Charge Stefanie Roddy echoed these sentiments, emphasizing the importance of international cooperation. “The arrest of Thalha Jubair underscores an undeniable truth: no matter how elusive or destructive these cyber-criminal syndicates are, we will continue to pursue those who allegedly extort our businesses and ensure they are held accountable,” Roddy stated. She added that the charges “reflect extraordinary coordination with our foreign and industry partners and mark a decisive victory against cybercriminal gangs who thought they could cripple American industries, inflict hundreds of millions in losses, and hide behind a screen without consequence.”

While high-profile corporate and government breaches grab headlines, experts warn that everyday consumers are increasingly at risk—especially when it comes to loyalty rewards programs. According to a September 20, 2025, article published by e-KNOW, cybercriminals have turned their sights to these programs, which are often overlooked as potential targets because they typically don’t involve direct cash transactions. But as Adrianus Warmenhoven, a cybersecurity advisor at NordVPN, explained, the tangible benefits offered by loyalty programs—gift cards, discounted flights, and even concert tickets—make them attractive to hackers.

“Thinking that we are getting something for free weakens our efforts to protect accounts of loyalty programs we participate in,” Warmenhoven noted. He described several common schemes: fraudsters may create fake accounts to claim new customer bonuses, or use social engineering—such as phishing emails, calls, or texts—to take over legitimate accounts and drain accumulated points. In one notorious 2018 case, millions of frequent flyer miles from companies like Delta, British Airways, and Virgin Atlantic were stolen and sold on the dark web in batches for $1,000 or more.

To help consumers guard against these threats, Warmenhoven advises several practical steps: create strong passwords of at least 12 characters, avoid using public Wi-Fi unless protected by a VPN, regularly monitor rewards accounts for suspicious activity, watch out for phishing attempts, and steer clear of scam websites. “By keeping an eye on your account, you’ll be able to spot suspicious activity quickly and take immediate steps to secure your account,” he said.

The convergence of large-scale corporate hacks and the targeting of individual rewards accounts highlights a troubling reality: cybercrime is evolving, and no one—be it a multinational corporation or an everyday consumer—is immune. As law enforcement agencies ramp up efforts to track down and prosecute offenders, and as cybersecurity experts urge vigilance, the message is clear: the digital world is full of opportunities, but it’s also rife with risks.

In the end, the case of Thalha Jubair and the rise in loyalty program fraud serve as a stark reminder that the battle against cybercrime is ongoing, demanding both sophisticated defenses and everyday caution from all of us.