Hungry hacker who hit London's transport network busted after food delivery order
Talk about an expensive meal.

Image by Cybernews
- A routine takeaway order became the fatal slip that unraveled one of the UK's most notorious young hackers.
- Thalha Jubair, 20, has admitted to a £29m cyberattack on TfL that disrupted 10 million commuters.
- Attack is linked to Scattered Spider, the group behind hacks on Harrods, M&S, and Co-op that left supermarket shelves bare.
- Despite 22 prior convictions, Jubair still evaded capture for a full year after the TfL attack until he was wrong-footed by food order
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
An order from an unnamed food delivery service to the flat he shared with his parents was all it took to bring down one of the UK's most notorious Scattered Spider hackers.
Last month, 20-year-old Thalha Jubair and 19-year-old Owen Flowers admitted they carried out a cyberattack on Transport for London (TfL), causing £29 million in damage and affecting 10 million commuters.
While police arrested West Midlands-based Flowers soon after the attack, it took another year to build up a case against London-based Jubair, despite a previous juvenile conviction for hacking as part of the Lapsus$ group and several harassment and stalking charges.
The UK’s National Crime Agency (NCA) said that both men, who were teens at the time of the attack, were linked to the cybercrime group Scattered Spider, which has been associated with several high-profile attacks, including attacks on UK retailers Harrods, M&S, and Co-op, which left supermarket shelves bare.
Prior to their sentencing, more details are emerging about how law enforcers and security experts linked Jubair to Scattered Spider.
Hungry for more
Despite running an elaborate setup of "amnesiac" operating systems and VPNs, Jubair spent some of the millions he'd extorted from global organizations on takeout ordered from the bedroom of his parents’ East London council flat.
According to the independent journalist-run newsite, Londoncentric, which has been covering the case for over a year, Jubair had the food delivered to the high-rise block, buying gift vouchers from an unnamed food delivery service using a cryptocurrency wallet.
Unfortunately for Jubair, the wallet was hosted on the same server that he and his fellow hackers used to store tens of millions of dollars worth of bitcoin they’d taken in ransoms paid by major US companies.
In addition to buying food delivery vouchers, he also allegedly made the mistake of topping up his gaming account using funds from the same server as the ransom proceeds.
According to Dray Agha, senior manager of security operations at Huntress, the attackers committed the cardinal sin of operational security.
“A highly traceable, everyday transaction like a food delivery should not have been paid for with the same medium they had their criminal gains stored."Dray Agha, senior manager of security operations, Huntress
“This amateur move handed law enforcement a direct bridge from the anonymous internet infrastructure to their front door. Whilst slick in online crime, it seems that other facets of the criminal life were a bar too high for Jubair," he added.
US links
Jubair has also been accused by the US Department of Justice of involvement in a series of cyberattacks targeting 47 US organizations and earning more than $100m (£75m) in ransom payments.
In one example cited in US legal filings, the teenage Jubair allegedly negotiated a $25m (£18m) ransom payment in cryptocurrency from a single unnamed US company, while promising to pay a co-conspirator a share of the proceeds.
According to Londoncentric, a major hack of Las Vegas casinos has also been linked to Jubair, who also operated under usernames such as “EarthtoStar,” “Brad,” and “Austin.”
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
Prosecutors told the UK courts that more than £200m had at some point flowed through cryptocurrency wallets controlled by Jubair.
The young Londoner is believed to have entered hacking through gaming.
A keen participant in several SIM Swap operations and IT helpdesk scams, Jubair ultimately joined the Scattered Spider, a notorious cybercriminal collective primarily consisting of native English-speaking young adults and teenagers from the US and UK.
Previous charges
Prior to the TfL attack, Jubair had a criminal record in the UK for hacking as part of the Lapsus$ hacking group and was well known to the authorities.
He was handed an 18-month youth rehabilitation order in December 2023, which he was still subject to when he hacked TfL
Jubair was also sentenced for what the judge described as an “unpleasant and frightening pattern of stalking and harassing” two young women.
Strong password generator
In total, he had 22 previous convictions, including 13 for fraud and one for blackmail.
It has also been reported that Jubair is autistic and suffers from depression.
Last week Cybernews reported that another teen, Peter Stokes (aka "Bouquet"), who is accused of being part of Scattered Spider, was extradited from Finland to the US and is now facing multiple federal hacking and fraud charges.
Stokes, who hid behind VPNs, remote connections, and rotating IP addresses, was caught out by Windows Telemetry when Microsoft accurately fingerprinted his PC and exposed the hacker via the persistent GDID identifier.