Fact check: What were the specific cybercrimes allegedly committed by those arrested in the UK?

1. What the headlines allege about the teen suspects — a concentrated criminal campaign with global reach

Reporting identifies Thalha Jubair and Owen Flowers as teenage members of the Scattered Spider hacking group, arrested in the UK in September 2025 in connection with a high-profile August 2024 breach that disrupted Transport for London services. News accounts note that authorities view the pair as participants in a yearslong campaign of ransomware and data extortion attributed to Scattered Spider, linking the group to a pattern of targeted intrusions against businesses and public infrastructure ^{[1] [3]}. These pieces emphasise the alleged operational role of the teenagers within a broader criminal enterprise rather than isolated acts.

2. What US charges add — sweeping accusations in a DOJ complaint

U.S. Department of Justice filings against Thalha Jubair expand the scope: the complaint alleges conspiracies to commit computer fraud, wire fraud and money laundering tied to at least 120 network intrusions, extortion of 47 U.S. entities, and ransom payments exceeding $115 million. These formal allegations frame the activity as sustained and commercially oriented cybercrime, alleging organized exploitation of victims across sectors and jurisdictions, and potentially facilitating cross-border law enforcement action and extradition considerations ^[2].

3. The Transport for London incident — operational disruption and investigative focus

UK National Crime Agency statements link the arrests to an August 2024 cyberattack that affected Transport for London, presenting the incident as part of the same Scattered Spider activity. Reporting highlights that the NCA suspects the teenagers of participation in an attack causing tangible public-service disruption, and notes one of the suspects was also charged domestically with failing to surrender PINs and passwords for devices seized by investigators — an evidentiary and procedural detail that may affect prosecutorial strategy ^[3].

4. The separate West Sussex arrest — aerospace, airports and an evolving probe

A different arrest in West Sussex involved a man in his forties taken on suspicion of offences under the Computer Misuse Act after a cyber incident affecting Collins Aerospace, which in turn disrupted electronic systems at Heathrow and other European airports. Authorities described the investigation as at an early stage, with that suspect released on conditional bail while police and the NCA continue inquiries into software compromise and operational impacts across major airports ^{[4] [5]}.

5. Competing hypotheses on perpetrators for the aerospace incident — range of possible actors

Analysis accompanying coverage of the airports incident underscores uncertainty about attribution: experts suggest hackers, criminal organisations, or state actors could be responsible for the Collins Aerospace disruption. This commentary highlights both technical ambiguity in early-stage forensics and the policy stakes of premature attribution; investigators have not publicly closed the question of motive or actor type, leaving open distinct legal and national-security responses depending on findings ^[6].

6. Context of wider UK enforcement actions — large seizures and follow-up operations

These arrests occur against a backdrop of intensified UK law enforcement activity targeting cyber- and financial crime, including Operation Venetic’s dismantling of organised crime networks and recent reporting of a £5.5 billion Bitcoin seizure tied to a large-scale fraud. Coverage links broader NCA efforts to disrupt encrypted communications and money-laundering pipelines, illustrating that the Scattered Spider-related arrests are part of a multi-pronged enforcement posture addressing both technical intrusion and financial proceeds ^{[7] [8] [9]}.

7. How the sources compare — dates, emphases and gaps

The sources converge on key facts: teen arrests tied to Transport for London (Sept 18–19, 2025 reporting) and a West Sussex arrest linked to Collins Aerospace and airport disruptions (Sept 24, 2025 reporting). Divergences are noteworthy: DOJ filings provide detailed counts and monetary claims ^[2], while UK reporting focuses on operational disruption and procedural charges like refusal to surrender device credentials ^[3]. The airport-related pieces emphasise investigatory uncertainty and possible state-actor hypotheses ^{[4] [6]}. All outlets acknowledge investigations remain active, and none claim final legal determinations ^{[1] [5]}.

8. Bottom line for readers — allegations, not convictions, and enforcement trends

Taken together, reporting alleges a constellation of cybercrimes: ransomware, data extortion, computer misuse, wire fraud, money laundering, and large-scale network intrusions, with both teenagers and an adult suspect detained in separate UK probes that have transatlantic and pan-European dimensions. These are formal allegations at present; prosecutions and forensic attribution remain ongoing. The broader pattern shows UK and US agencies targeting both operational perpetrators and the financial proceeds of cybercrime, reflecting an intensified cross-border law enforcement response ^{[2] [8]}.