Scattered Spider Members Flowers and Jubair Enter Guilty Pleas Day One in TfL Attack

Flowers and Jubair admitted unauthorized access to TfL networks and separate intrusions into U.S. healthcare providers SSM Health and Sutter Health. Prosecutors tied Jubair to the Star Chat Telegram channel that facilitated SIM-swapping via compromised T-Mobile and other carrier tools, enabling MFA interception and credential theft. New Jersey indictments detail 120 intrusions across 47 entities yielding at least $115 million in ransom between 2022 and 2025.

The evidence trail shows Jubair, using handles Rocket Ace and Everlynn, ran SMS phishing campaigns in 2022 that harvested SSO credentials from over 130 organizations including LastPass and Signal. Flowers conducted media interviews post-MGM and Caesars incidents while both participated in UK retail attacks on Marks & Spencer and Co-op. Tyler Buchanan's April 2026 plea for $8 million in crypto theft from the same campaign confirms the operational pipeline.

These cases expose Scattered Spider's reliance on UK-based adolescents for social engineering layers that precede ransomware deployment. Official UK statements emphasize welfare risk while U.S. filings focus on financial proceeds; technical logs and Telegram receipts align more closely with the latter. Noah Urban's 2025 sentencing provides precedent for lengthy federal terms.

Jubair faces extradition proceedings and additional U.S. charges. Remaining members continue operations, with procurement records showing increased UK-NCA and FBI joint tasking on carrier access vectors through 2027.