Scattered Spider Hackers Plead Guilty: SIM Swapping Threats

Scattered Spider members plead guilty in UK over TfL cyberattack

Scattered Spider hackers pleaded guilty this week, highlighting the ongoing risk of SIM swapping threats. This case underlines the urgent need for organisations to strengthen their identity and telecom controls.

What Happened in the Scattered Spider Case

In June 2026, two UK-based members of the notorious Scattered Spider group admitted guilt in court for their role in a high-profile cyberattack against Transport for London. The attack disrupted the city’s public transport systems, raising concerns about critical infrastructure security. Both hackers, Thalha Jubair and Owen Flowers, were also linked to breaches of major UK retailers and US healthcare providers.

Jubair and Flowers’ guilty pleas arrived on the first day of trial, cutting short proceedings expected to last six weeks. The charges included unauthorised access to computer systems and causing risk to human welfare. US prosecutors revealed Jubair was wanted for wire fraud, money laundering, and over 120 network intrusions, with victims paying more than $115 million in ransom.

The group targeted high-profile organisations, including Marks & Spencer, Harrods, Co-op Group, SSM Health Care, and Sutter Health. They also disrupted Las Vegas casinos operated by MGM Resorts and Caesars Entertainment. Scattered Spider’s tactics centred on telecom and identity attacks, including SIM swapping and phishing schemes.

Understanding SIM Swapping and Phishing Tactics

The Scattered Spider group exploited weaknesses in telecoms and identity management, employing SIM swapping as a primary method. SIM swapping is a cybercrime technique where attackers manipulate mobile providers to transfer a victim’s phone number to a device they control. This enables interception of calls, texts, and multi-factor authentication codes, giving attackers access to sensitive accounts.

Voice and SMS Phishing Explained

Scattered Spider used voice and SMS phishing to steal credentials from telecom employees. By impersonating trusted sources, they tricked staff into divulging login details or granting access to internal systems. These credentials allowed the group to redirect phone numbers and intercept security codes, bypassing multi-factor authentication.

  • Voice phishing (vishing): Attackers call employees, posing as colleagues or IT staff, to obtain sensitive information.
  • SMS phishing (smishing): Fraudulent text messages prompt employees to click malicious links or share credentials.
  • MFA code interception: Once a number is swapped, attackers receive one-time codes meant for legitimate users, enabling unauthorised access.

SIM Swapping’s Impact on Enterprise Security

SIM swapping has become a significant liability for organisations relying on SMS-based security. Attackers can bypass authentication, steal confidential data, and extort victims. Scattered Spider’s successful attacks demonstrate how telecom vulnerabilities can threaten critical infrastructure, retail operations, and healthcare providers.

Why the Scattered Spider Case Matters

This case is a wake-up call for organisations across sectors. Scattered Spider’s guilty pleas confirm the real-world impact of SIM swapping and phishing, especially when combined with social engineering. Their attacks targeted well-known brands, disrupted vital services, and led to substantial ransom payments.

The group’s methods show that traditional identity and telecom controls are insufficient against modern threats. Attackers manipulate human error and exploit weaknesses in multi-factor authentication, bypassing security measures many companies rely on.

  • Critical infrastructure risk: Attacks on public transport and healthcare reveal vulnerabilities in essential services.
  • Reputational damage: High-profile breaches harm brand trust and customer confidence.
  • Financial loss: Ransom payments and operational disruption can cost millions.
  • Regulatory scrutiny: Organisations face increased oversight after major incidents.

How Organisations Can Defend Against SIM Swapping Threats

To counter SIM swapping and related attacks, organisations must review their security strategies. Telecom and identity controls should be strengthened to reduce risk. Here are key steps for defending against these threats:

Strengthening Identity and Telecom Controls

  • Adopt app-based multi-factor authentication (MFA) instead of SMS codes wherever possible.
  • Educate staff about phishing and social engineering, including vishing and smishing tactics.
  • Implement strict procedures for managing mobile accounts, including verification steps for number changes.
  • Monitor for unusual activity on employee accounts, especially changes to phone numbers or credentials.
  • Engage with telecom providers to secure employee accounts and reduce risks from SIM swaps.
  • Review incident response plans to ensure rapid containment and recovery in the event of a breach.
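
The monitoring step in the list above, shown as an added example that is not part of the original bulletin: a Python check that flags SMS-verified logins or password resets occurring shortly after a phone-number change, and lists accounts still relying on SMS codes. The event schema, field names and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified audit-log schema.
EVENTS = [
    {"ts": "2026-06-01T09:00:00", "user": "alice", "action": "login", "mfa": "app"},
    {"ts": "2026-06-01T10:15:00", "user": "bob", "action": "phone_changed", "mfa": None},
    {"ts": "2026-06-01T10:40:00", "user": "bob", "action": "password_reset", "mfa": "sms"},
    {"ts": "2026-06-01T10:42:00", "user": "bob", "action": "login", "mfa": "sms"},
    {"ts": "2026-06-02T08:00:00", "user": "carol", "action": "phone_changed", "mfa": None},
    {"ts": "2026-06-05T08:00:00", "user": "carol", "action": "login", "mfa": "sms"},
    {"ts": "2026-06-03T12:00:00", "user": "dave", "action": "phone_changed", "mfa": None},
    {"ts": "2026-06-03T12:30:00", "user": "dave", "action": "login", "mfa": "app"},
]

WINDOW = timedelta(hours=24)  # assumed review window after a number change
SENSITIVE = {"login", "password_reset"}


def flag_post_change_sms_use(events, window=WINDOW):
    """Return (user, action, minutes) where an SMS-verified action follows a phone change."""
    last_change = {}  # user -> time of most recent phone-number change
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["action"] == "phone_changed":
            last_change[user] = ts
        elif ev["action"] in SENSITIVE and ev["mfa"] == "sms":
            changed = last_change.get(user)
            if changed is not None and ts - changed <= window:
                minutes = int((ts - changed).total_seconds() // 60)
                alerts.append((user, ev["action"], minutes))
    return alerts


def sms_mfa_users(events):
    """Users still authenticating with SMS codes: candidates for app-based MFA."""
    return sorted({e["user"] for e in events if e["mfa"] == "sms"})


if __name__ == "__main__":
    for user, action, minutes in flag_post_change_sms_use(EVENTS):
        print(f"ALERT {user}: {action} via SMS {minutes} min after phone change")
    print("SMS MFA still in use:", ", ".join(sms_mfa_users(EVENTS)))
```
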

Building a Resilient Security Culture

Security awareness is vital. Regular training helps employees recognise and report phishing attempts. Organisations should foster a culture where staff feel comfortable reporting suspicious activity, even if it turns out to be a false alarm.

Collaborating with Providers and Authorities

Work closely with telecom providers to implement additional protections, such as PINs on accounts. Maintain relationships with law enforcement and cybersecurity experts to stay informed about emerging threats and best practices.

Conclusion: Lessons from the Scattered Spider Guilty Pleas

The guilty pleas of Scattered Spider hackers highlight the evolving risks posed by SIM swapping and phishing. Organisations must harden identity and telecom controls, adopt stronger authentication methods, and educate staff to stay ahead of attackers. By taking proactive steps, companies can reduce exposure to these persistent threats and protect critical assets from cybercrime groups.

Originally reported by krebsonsecurity.com.

About the Author

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

Published: Jun 23 - 2026