Scattered Spider Hackers Plead Guilty — What Irish Businesses Can Learn

Two members of the notorious cybercrime group Scattered Spider pleaded guilty in a UK court this week on the first day of what was expected to be a six-week trial. Twenty-year-old Thalha Jubair of East London and 18-year-old Owen Flowers of Walsall admitted to conspiring to attack Transport for London’s computer systems in a ransomware campaign that caused widespread disruption across the capital’s transport network.

Their guilty pleas offer a rare glimpse inside one of the most prolific cybercriminal networks of the past three years — and some important lessons for Irish business owners who may think they are too small to be a target.

Who Were They Targeting?

Scattered Spider was not a lone wolf operation. Between May 2022 and September 2025, the group carried out over 120 computer network intrusions against 47 US entities, extracting at least $115 million in ransom payments. Their victims included Las Vegas casinos MGM Resorts and Caesars Entertainment, UK retailers Marks & Spencer and Harrods, and US healthcare providers. The group also hit T-Mobile, DoorDash, and Roku among many others.

But the group also targeted smaller victims. Their method was not about picking on big names — it was about finding weak security, regardless of company size. They specialised in SIM-swapping, a technique where attackers trick mobile phone providers into transferring a victim’s phone number to a device they control. Once they had the phone number, they could intercept SMS-based two-factor authentication codes and break into email, banking, and business systems.

The Lesson for Irish SMEs

The Scattered Spider case shows that even sophisticated cybercriminals start with the simplest attack: a convincing phone call or text message. The group’s SIM-swapping service was openly advertised on a Telegram channel called Star Chat, where they sold the ability to hijack phone numbers from major carriers for a fee. This was not a hidden dark web operation — it was a service openly marketed to anyone willing to pay.

For an Irish small business owner, the defence is straightforward but essential. Move away from SMS-based two-factor authentication. Use an authenticator app like Google Authenticator, Microsoft Authenticator, or a hardware security key like a YubiKey instead. A plumber in Cork who uses SMS codes to access their merchant account or booking system is exactly the kind of target Scattered Spider would have attempted.

What Justice Looks Like

Flowers admitted to being part of attacks on US healthcare providers SSM Health Care Corporation and Sutter Health. Jubair faces additional charges in the United States for computer fraud, wire fraud, and money laundering. Their arrests followed a coordinated effort between the UK National Crime Agency, the FBI, and international partners. The NCA described Scattered Spider as having caused “significant damage both financially and to essential services.”

The message for Irish businesses is not that the criminals have all been caught — they have not. But law enforcement is getting better at tracking these networks across borders. What matters is making sure your business is not the easy target they pick next while they remain active.

Three Steps to Take This Week

First, audit your authentication. If any business account — banking, email, cloud storage, booking system — still relies on SMS codes, switch to an authenticator app today. It takes ten minutes and costs nothing. Second, train your staff to recognise SIM-swap red flags: unexpected texts about SIM changes, suddenly losing phone signal, or being asked to confirm personal details by someone claiming to be from your mobile provider. Third, have a response plan. Know who to call if you suspect your phone number has been hijacked. Most mobile carriers in Ireland have dedicated fraud teams, but you need to have their number saved before you need it, not while you are locked out of your accounts.