dade72 - stock.adobe.com
Scattered Spider hackers sentenced over TfL attack
Owen Flowers and Thalha Jubair, the hackers behind the 2024 TfL cyber attack, have been sentenced to five-year prison terms at Woolwich Crown Court
Two members of the Scattered Spider hacking collective, Owen Flowers and Thalha Jubair, aged 18 and 20 respectively, have been sentenced to five years and six months each in prison at Woolwich Crown Court in London for their involvement in the 2024 cyber attack on Transport for London (TfL).
The Scattered Spider attack on TfL’s systems originated through social engineering targeting the organisation’s helpdesk. Although it did not halt London’s tube or bus networks, it caused severe disruption to technical services such as customers’ Oyster payment accounts and third-party application programming interfaces (APIs). To date, it has cost TfL almost £40m, and it has since emerged that data on 10 million travellers was stolen.
The NCA said that its impact was likely mitigated to some degree by TfL’s swift response – for which it has been widely praised – and the fact that the transit agency had undertaken a series of cyber wargames shortly prior to the attack.
Today’s sentencing marks the culmination of a major investigation involving the National Crime Agency (NCA), the City of London Police and partners from the US – including the FBI – and other countries.
Deputy director Paul Foster, head of the NCA cyber crime unit, hailed a significant moment for law enforcement cyber crime investigations. He said that the complexity and challenging nature of the probe likely surpassed the NCA’s successful takedown of the LockBit ransomware crew in 2024.
“This is the biggest ever criminal prosecution of cyber crime actors in the UK. It’s the culmination of nearly two years of painstaking, time-consuming and detailed investigatory work and risk management by NCA officers and our policing colleagues,” he said.
“Not only that [but] Scattered Spider has, over the last two years, been the biggest criminal cyber crime threat to the UK. Their activities and their impact has now been severely degraded as a result of this action that’s been taken. I have no doubt that UK citizens and interests are significantly safer as a result, and that applies to other countries around the world too.”
TfL commissioner Andy Lord added: “We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now been sentenced. The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL. We thank the hard work of our staff and of the National Crime Agency and partners for their investigations into this incident.”
Lengthy investigation
Flowers was first arrested for the TfL attack on 6 September 2024, mere weeks after the incident unfolded – although his identity was not officially revealed as he was a minor at the time. At that point, he was also found to be in the process of conducting a series of hacks against two US healthcare organisations named as SSM Health Care Corporation and Sutter Health.
Police seized devices including laptops, hard drives and USB sticks, and found evidence including screenshots of the TfL attack and videos Flowers had recorded of Jubair accessing TfL systems. The pair had also been messaging over Telegram and an unnamed online collaboration tool.
Flowers was later arrested again for breaching bail conditions relating to device usage, while Jubair was also charged for failing to hand over PINs and passwords from seized devices.
As the investigation progressed, Flowers and Jubair were again arrested on 16 September 2025 and were charged with various offences under Section 3ZA of the Computer Misuse Act of 1990 – which applies to situations where unauthorised acts cause or create a significant risk of serious damage, or the person intends or is reckless as to that damage.
Both men changed their pleas to guilty on 22 June 2026, the day they were due to stand trial.
Under the radar
Although millions of pounds worth of crypto assets flowed through accounts they controlled, unlike their peers in the Russian-speaking cyber criminal underground, neither Flowers nor Jubair were especially flashy with their ill-gotten gains.
Both young men came from comparatively normal backgrounds – Flowers, who lived with his grandmother and uncle, spent most of his time in his bedroom playing videogames and using online chat forums, and appears to have been motivated more by a desire for fame or notoriety within the community.
Meanwhile, Jubair, who is of Bangladeshi descent, lived with his mother and father, both employed as care workers, in a council flat in Bow, East London. Described as something of a loner, he too spent much of his time online and unsupervised in his room – according to US court filings, a significant breakthrough in the investigation came about when he made the mistake of ordering a takeaway delivery using gift vouchers bought via a crypto wallet that police had already linked to Scattered Spider.
Both Flowers and Jubair are autistic, which is understood to have been a factor in their sentencing, and had been known to police for some time beyond their involvement in the TfL attack.
Flowers had committed several lower stakes hacks prior to hitting TfL and was visited by officers at home in 2023, to no apparent effect.
Jubair, meanwhile, had previously been subject to an 18-month rehabilitation order that went largely ignored, and has been linked to the Scattered Spider-adjacent Lapsus$ syndicate as an associate of key gang member Arion Kurtaj, who attacked Rockstar Games and Uber, among many others.
New controls
Following today’s sentencing, the authorities acknowledged that previous attempts to rein in Flowers and Jubair had proven largely toothless, and suggested that the government’s proposed Cyber Crime Risk Order (CCRO) – trailed in May during the King’s Speech – could have been a valuable tool that may even have diverted them from outright criminality.
CCROs are intended to equip law enforcement with a flexible set of restrictions that courts can set based on the risk level an individual poses, such as limiting devices, access to online services or other technology that may be useful to a cyber criminal.
City of London Police commander Ollie Shaw described the core concept of a CCRO as something like a “digital prison”, adding: “The aim is not just to punish offenders, but also to help them rebuild their lives and use technology safely and legally – as the vast majority of people already do. The measures would be overseen by the courts and reviewed regularly to make sure they remain fair and proportionate.
“As more crime is enabled by digital technology, it’s really important that policing has modern powers to prevent offenders from causing further harm.”
Read more about Scattered Spider
- The 2024 Scattered Spider attack on Transport for London affected approximately 10 million people, many of whom remain blissfully unaware their data was compromised.
- Another arrest of a teenage hacker associated with the Scattered Spider gang has been made, this time in relation to two 2023 cyber attacks on Las Vegas casinos and resorts.
- ReliaQuest researchers present new evidence that firms up a potential link, or outright partnership, between the ShinyHunters and Scattered Spider cyber gangs.
