The teenage millionaire hacker from London who was brought down by a takeaway order

45 points by Dreaming_Blackbirds 12 hours ago on reddit | 1 comment
Illustration by Carly A-F for London Centric

It was the takeaway order to his family’s Tower Hamlets flat that proved to be Thalha Jubair’s undoing.

Last month the young Londoner pleaded guilty to taking down Transport for London’s computer systems in one of the worst cyberattacks in British history, an event which brought months of chaos to the capital’s transport network in late 2024.

Jubair thought he had covered his tracks through an elaborate system of amnesiac operating systems and virtual private networks. These not only allowed him to cause mass chaos in his home city of London but also allegedly enabled him to extort tens of millions of dollars in ransom payments from US companies.

Then he got hungry.

According to US prosecutors, the then-teenage Jubair made the mistake of deciding to order a takeaway. To do this, he bought gift vouchers for an unnamed food delivery service using a cryptocurrency wallet. This wallet hosted on the same server he and his fellow hackers allegedly used to store tens of millions of dollars worth of Bitcoin they’d taken in ransoms paid by major US companies.

Jubair then had the takeaways delivered to the flat where he lived with his parents, which is located in a high-rise block next to a Met Police call handling centre near Bow Road tube station in east London.

This was one of the clues which led to Jubair’s arrest last September, after a major investigation by the National Crime Agency, City of London Police, and the FBI. He was charged with committing unauthorised acts against TfL under the Computer Misuse Act, causing at least £39m in damage to TfL and months of disruption to the capital’s transport network. London Centric was in Woolwich Crown Court last month as the unassuming 20-year-old, who appeared awkward in glasses and a badly fitting grey suit, unexpectedly changed his plea to guilty at the last minute, alongside his Walsall-based co-defendant Owen Flowers.

Flowers (left) and Jubair (right) in Woolwich Crown Court last month.

So who is the TfL hacker? By attending court appearances, reviewing Telegram messages, and interviewing cybersecurity experts, London Centric has pieced together Jubair’s journey from a Roblox-playing east London child to a criminal mastermind who allegedly extorted tens of millions of pounds from his bedroom as part of the Scattered Spider cybergang.

His is the story of a very modern London adolescence.

The flight risk who took down a transport system

It was by compromising the account of a single employee that Jubair was able to hack into TfL’s systems in late August 2024, catastrophically damaging the transport authority’s ability to manage its own systems. At an early court hearing last September, the prosecutor said that the “ultimate objective of the attack was to install ransomware”.

Although buses and tubes were kept running, one TfL executive described the behind-the-scenes situation to London Centric as “an utter shitshow”, with hundreds of thousands of holders of discount travel cards affected.

The booking system for the Dial-a-Ride buses used by people with disabilities was shut down, and data on live tube times for apps such as TfL Go and Citymapper was taken offline.

The block of flats where Jubair ran his hacking operation.

Hundreds of thousands of Londoners were overcharged for using the network, and many of the capital’s teenagers were unable to access free travel, leaving some without the means to get to work or college. Sadiq Khan later told London Centric that some passengers would never be refunded.

TfL commissioner Andy Lord described the incident as a “highly sophisticated” cyber attack that could have been much worse. Staff at TfL’s HQ were unable to log on to the IT network, WiFi was taken down, and office-based staff were sent to work from home for the whole of September. When they returned, every TfL staff member had to travel into the office to have their login details reset. City Hall had just outsourced its IT to TfL meaning everyone from the mayor downwards had their work systems affected. Projects ranging from the extension of the contactless payment scheme to commuter stations to the rebranding of the London Overground lines were delayed.

Flowers, the teenager from Walsall, was arrested soon after. But it took another year for Jubair, who was portrayed in US court documents as a mastermind of the group, to be charged. We now know that the incident, which cost TfL £39m, and in which 10 million people’s data was stolen, was in part orchestrated from the bedroom of Jubair’s east London flat.

Paul Foster, the head of the National Crime Agency’s cyber crime unit, said the “profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries”.

A picture of Jubair from a leaked dossier known as Com Cast. Source: Brian Krebs

At a pretrial hearing last September that London Centric attended, the court heard Jubair had been asked to hand over his PINs and passwords but had declined. It was also said that, despite being ordered to hand over his travel documents, including his UK passport, he was found to have retained a Bangladeshi passport, raising concerns he was a flight risk.

Despite this, on the first day of what was scheduled to be a six-week trial, Jubair and his co-defendant Flowers pleaded guilty to the TfL hack, on the lesser basis that they had not “intended” to cause damage. Instead, the duo accepted they had been “reckless as to whether damage was caused”.

In court, it was difficult at points to believe that the awkward young person with greasy hair seated behind a glass screen was a crypto multimillionaire who’d been able to terrorise some of the biggest companies in the US and extract massive cryptocurrency ransoms, sometimes using the username @autistic.

Unlike Flowers, who often had no family present in the public gallery, Jubair’s parents appeared at every court hearing, sometimes even waving to their son. His father had the same thick-rimmed glasses and black hair as Jubair. His mother and father stuck together in the court waiting area, speaking softly and anxiously to each other, while his mother was at points openly emotional.

This article took more than a year to report, with journalists on the ground across London. Want more original investigative like this one in your inbox? Join the London Centric mailing list for free. No spam.

“He kept to himself”

Born in 2006, Jubair first entered the world of cybercrime while living with his parents in the family’s east London flat. The 22-storey tower block where he grew up is typical of many London local authority neighbourhoods, overlooking a park and play area, and opposite a primary school. It is an unlikely headquarters for a millionaire cyber criminal.

“He went to school, came home, and that’s it,” said one neighbour. “You wouldn’t see him in the park. He kept to himself.”

He might have lived in east London, but his real home was the virtual world he accessed inside his bedroom. Like many hackers, he came through gaming, where he began winding up fellow players and stealing their usernames.

“It’s common [for hackers] to be recruited in their early teens on gaming platforms like Minecraft and Roblox,” Brian Krebs, a cyber security reporter who has traced Jubair’s hacking career, told London Centric. Jubair ultimately joined the Scattered Spider hacking group, which has been linked to last year’s hacks on M&S, the Co-op, and Harrods that left shelves bare in British supermarkets. This is in turn part of a broader loose-knit underground network of children and teenagers known as “The Com”, an online term short for “community”.

Authorities believe Jubair was 14 years old when he began offending, moving away from gaming into what was to be the initial hallmark of his career as a cybercriminal: SIM-swapping. This is when an individual’s mobile phone number is redirected to a hacker, enabling authentication codes to be sent directly to criminals.

The approach was so successful that by 2022, Jubair was allegedly helping to run a channel on the messaging app Telegram called Star Chat selling SIM-swapping services to other hackers, with a focus on targeting employees at US phone network T-Mobile. Over seven months in 2022, Star Chat gained access to T-Mobile over 70 times. Similar tactics were used on British operators.

Keen to get their hands on other people’s cryptocurrency, teenage hackers such as Jubair realised that they didn’t need to rely on sophisticated coding to hack into someone else’s crypto account. Instead, they could simply talk their way in by taking control of the person’s phone number and resetting their password.

Looking at cryptocurrency conference attendance sheets, crypto investors in the news, and leaked lists of crypto holders, they’d draw up a list of targets whose accounts they planned to take over. Then, someone in the hacking group would play the role of “caller,” which meant ringing up a phone company and convincing them to transfer a target’s phone number to a phone in their possession, enabling them to then intercept incoming two-factor authentication and password reset links.

Internal messages uncovered by Krebs show Jubair allegedly asking other hackers not to share the T-Mobile logo in messages to him, as it would make his parents suspicious if they saw it on his screen: “Parents know I simswap. So, if they see [that] they think I’m hacking.”

Messages allegedly sent by Jubair under the username ‘Amtrak’.

Jubair and his associates later moved on to social engineering tactics and ransom work, allegedly targeting some of the biggest companies in the world while working with Russian hackers. This often involved phoning up IT helpdesks and requesting passwords to be reset, gaining access to accounts, then demanding vast ransoms to be paid in Bitcoin to allow the company to continue to function. Many paid vast sums in order to get their businesses back up and running.

The total proceeds of crime allegedly attributed to Jubair are astonishing. US prosecutors linked him and his associates to at least $115m (£86m) in ransom payments. In one example cited in US legal filings, the teenage Jubair allegedly negotiated a $25m (£18m) cryptocurrency ransom payment from a single unnamed US company, while promising to pay a co-conspirator a share of the proceeds. Millions of pounds in ransom payments following a major hack of Las Vegas casinos were linked to Jubair, who also operated under usernames such as “EarthtoStar”, “Brad”, and “Austin”.

In total, prosecutors told the UK courts more than £200m had at some point flowed through cryptocurrency wallets controlled by the Tower Hamlets resident during his teenage years.

When fellow Scattered Spider member Noah Urban was in US custody awaiting trial, court documents allege that Jubair hacked the US federal court system by contacting the help desk, impersonating the relevant judge, asking for a password reset, then gaining entry to the judge’s email account.

The trial alongside the Grand Theft Auto 6 hacker

Even before the TfL attack, Jubair had a criminal record in the UK for hacking as part of the Lapsus$ hacking group and was well known to the authorities.

One neighbour told London Centric that he’d seen the police conduct a raid on the family’s flat around four years ago at 4pm, when school finished for the day, with police taking Jubair away in his school uniform.

In 2023 Jubair sat alongside Arion Kurtaj in Southwark crown court as part of the Lapsus$ hacking case, which involved attacks on tech companies including Nvidia and BT. Kurtaj became notorious for hacking into Rockstar Games and leaking unreleased footage of the forthcoming Grand Theft Auto 6 computer game.

At the time Jubair could not be identified due to his age but it can now be reported that at the end of the trial he was handed an 18-month youth rehabilitation order in December 2023, which he was still subject to when he hacked TfL. According to a contemporary BBC report by reporter Joe Tidy, Jubair was given a three-month intensive supervision and surveillance requirement, and a ban on using VPNs online. Jubair was also sentenced for what the judge described as an “unpleasant and frightening pattern of stalking and harassing” two young women. In total he had 22 previous convictions, including 13 for fraud and one for blackmail.

A picture of Jubair from a leaked dossier known as Com Cast. Source: Brian Krebs

Professor Peter Sommer, who gave expert evidence in the Lapsus$ trial, told London Centric that the “puzzle” is that Jubair “embarked on this further round of hacks” after sitting through proceedings.

“During his trial [...] it must have been abundantly clear the capabilities of law enforcement investigations. It must have been obvious that in any similar future events he would be under suspicion and surveillance.”

This did not faze the young Londoner, who within a year of the court case was trying to bring down the capital's transport infrastructure.

“Even his neighbours didn’t know what was going on”

As many of the building’s inhabitants were heading out for Friday prayers, London Centric knocked on doors in the block where Jubair grew up. Most neighbours, even those who’d lived there for decades, didn’t know the Jubair family, with some only learning about the multiple police raids that had taken place in the building through London Centric’s enquiries.

Younger residents were more aware of his story, with one 17-year-old telling us he used to go swimming with Jubair.

“It’s a building where everyone knows everything,” said one resident who’d lived there his whole life. “But even his neighbours didn’t know what was going on, even though they saw he got raided.”

Unlike other members of Scattered Spider, who used their stolen cryptocurrency to purchase a $35,000 diamond-encrusted Rolex and Louis Vuitton trainers, neighbours said Jubair looked normal and unassuming. He is autistic and also suffers from depression. The only remark on his appearance was that he always wore a hat. In addition to buying food delivery vouchers he also allegedly made the mistake of topping up his gaming account using funds from the same server as the ransom proceeds.

On another occasion around two years ago, one neighbour said he saw four older boys wearing Gucci clothing snatch a laptop from Jubair in the carpark outside the tower block: “His mum must have called his dad, because he skrrted up in the Prius. The dad was chasing after [Jubair].”

Despite the magnitude of Jubair’s crimes, which affected many of the residents of the block who were unable to travel due to the TfL hack, several neighbours expressed astonishment at his skills. One resident described him as a “genius” while another said they believed Jubair was probably only a “runner” for a larger criminal network who were using him as a “fall guy.” Others said the family have now moved out, with suggestions that “fake police” had previously been sent to their door in a potential bid to extort cryptocurrency.

The view from Jubair’s block of flats.

After learning Jubair got into cybercrime through gaming, one resident mused: “I’m going to get on Roblox.”

Jubair will be sentenced on 16 July, alongside Flowers, for his role in the TfL attack. Although he still faces multiple serious charges in the US, there is no indication as yet that the US authorities are actively pursuing extradition proceedings against him.

Drawing on his own experiences of the youth justice system, one resident of the block told London Centric the judge would give him a lenient sentence, given the age at which he’d become a hacker.

One big question remains. What happened to the proceeds of Jubair’s crimes?

The server used by Jubair to buy his takeaway voucher held $36m (£27m) in cryptocurrency when the authorities seized it in mid-2024. A further $8.4m (£6m) had been moved while the authorities were in the process of taking control of the server, much of which has yet to be traced. This means that somewhere out there, yet to be identified by the police, is cryptocurrency linked to Jubair that is worth millions of pounds.

On hearing the vast sums of money Jubair allegedly controlled while living in the east London block, one teenage neighbour jokingly expressed admiration: “Allah, can he not get us all out of the hood.”

Did you enjoy this piece? Please support London Centric by sharing it with your friends, linking to it on social media, or posting a link to it in your favourite WhatsApp group.

Leave a comment