appliedbits
FIELD NOTES
PUBLISHED 2026-06-26

Scattered Spider's guilty pleas, and the phone-channel through-line

Krebs on Security  ·  Brian Krebs  ·  June 23, 2026

Two members of Scattered Spider pleaded guilty on the first day of what was meant to be a six-week trial, Brian Krebs reports: Thalha Jubair, 20, and Owen Flowers, 18, over the 2024 attack that crippled Transport for London. The headline is ransomware, but the relevant detail for this beat is the toolkit underneath it.

Per U.S. prosecutors, Jubair co-ran “Star Chat,” a SIM-swapping crew that used voice- and SMS-based phishing to steal credentials from employees at the major U.S. and U.K. wireless carriers, then sold a service to redirect a target’s number to an attacker-controlled device and intercept calls and texts — including the one-time codes guarding multi-factor authentication. The same group’s 2022 smishing spree harvested single sign-on credentials from employees at hundreds of companies, with downstream intrusions at LastPass, DoorDash, Mailchimp, Plex, and Signal. And one of Jubair’s teenage personas, “Everlynn,” sold fraudulent emergency data requests — using compromised police and government email accounts to extract subscriber data from tech companies without a court order.

That’s the whole fraud-channel cross-cut in one indictment: vishing the help desk, swapping the SIM, defeating MFA, and impersonating the authority that’s supposed to verify identity. None of it is exotic; it’s social engineering aimed at the seams between a carrier, its employees, and the trust other systems place in a phone number. The enforcement wins are real — Buchanan, Urban, now Jubair and Flowers — but the pattern is a standing argument for why caller and customer authentication has to be hard at the carrier edge, where these crews keep finding the soft entry point. Sentencing is set for July 15.

Tags: sim-swap, vishing, identity-theft, scattered-spider