Two alleged members of the cybercrime collective Scattered Spider have pleaded guilty to their roles in the Transport for London cyberattack, an incident that disrupted services, exposed customer data, and resulted in approximately £29 million in losses and recovery costs for London’s transport authority.
The guilty pleas were entered by Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, on the opening day of proceedings at Woolwich Crown Court. The pair had been due to stand trial on June 22 but changed their pleas to guilty.
Transport for London Cyberattack Led to Major Disruption
According to the National Crime Agency (NCA) and City of London Police, TfL’s network was infiltrated between August 31 and September 3, 2024. The breach forced all 28,000 employees to attend TfL offices for password resets and caused significant operational disruption across the organization.
The TfL cyberattack also resulted in unauthorized access to data held within TfL’s Oyster refunds system. The incident affected the authority’s customer refund process, delaying reimbursements for some customers. In addition, the application system for Oyster photocards used by children and young people was temporarily shut down.
Authorities said the attack caused substantial financial damage, with TfL reporting losses and recovery costs totaling approximately £29 million.
Investigation Linked Attackers to Scattered Spider
Jubair and Flowers were arrested at their homes on September 16, 2024, following a joint investigation conducted by the NCA and City of London Police.
Investigators identified both individuals as members of Scattered Spider, a cybercriminal collective that has been linked to a number of high-profile intrusions.
During searches of Flowers’ residence, officers recovered laptops, desktop computers, hard drives, and USB storage devices. Evidence recovered from one Acer laptop included a screenshot showing connectivity to TfL infrastructure.
Authorities also found evidence indicating Flowers had accessed an online marketplace that sold breached credentials. Investigators further discovered videos recorded by Flowers that allegedly showed Jubair accessing TfL systems during the attack.
The investigation revealed that the two communicated through Telegram and collaborated using an online workspace platform that allowed multiple participants to work remotely on shared systems.
Additional Allegations Involving US Healthcare Networks
The investigation extended beyond the Transport for London cyberattack. When Flowers was first arrested on September 6, 2024, NCA officers identified evidence suggesting unauthorized activity targeting the networks of SSM Health Care Corporation and Sutter Health in the United States.
Court records show Flowers pleaded guilty to charges related to a conspiracy to conduct unauthorized acts against SSM Health Care Corporation’s computer systems with intent to impair operations. He also admitted attempting unauthorized acts against Sutter Health’s systems with the same intent.
Jubair additionally faced a charge for failing to disclose PINs or passwords associated with devices seized during the investigation.
Authorities noted that Flowers breached bail conditions on two occasions in March and May 2025.
Law Enforcement Highlights Impact of Cybercrime
Paul Foster, Deputy Director and head of the NCA’s National Cyber Crime Unit, described the case as a lengthy and highly complex investigation. He said the attack demonstrated that cybercrime has significant real-world consequences, affecting public services and causing millions of pounds in losses to critical national infrastructure.
Foster also highlighted the growing threat posed by cybercriminal groups operating from the UK and other English-speaking countries, citing Scattered Spider as a notable example.
Deputy Commissioner Nik Adams of the City of London Police said the cyberattack had a significant impact on essential public services and daily operations. He emphasized that individuals responsible for targeting critical organizations and causing financial harm would be pursued through coordinated law enforcement efforts.
The investigation received support from the West Midlands Regional Organised Crime Unit and British Transport Police.
Jubair and Flowers are scheduled to be sentenced at Woolwich Crown Court on July 16.
