Two young members of the Scattered Spider cybercrime group have been jailed for a 2024 attack that knocked out 148 Transport for London (TfL) systems, forced all 27,000 staff to reset passwords in person, and cost the organization about £29 million.
On June 22, 2026, Thalha Jubair and Owen Flowers pleaded guilty to a cyberattack on Transport for London (TfL) that caused significant service disruptions.
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, were each sentenced to five years and six months at Woolwich Crown Court on 16 July. Both had pleaded guilty under Section 3ZA of the Computer Misuse Act, the most serious CMA offense, covering unauthorized acts that cause or risk serious damage.
Between 31 August and 3 September 2024, the pair infiltrated TfL’s network. Swift containment limited the worst outcomes, but public-facing services still suffered. Dial-a-Ride for vulnerable Londoners, concessionary travel cards, digital payments, Oyster refunds, and the Oyster photocard application for children were disrupted. Contactless ticketing expansion was delayed.
Two Scattered Spider Hackers Jailed
All 27,000 TfL employees had to visit an office for password resets. Critical systems needed manual workarounds. Data from the Oyster refunds system was accessed, leaving some customers waiting longer for money. TfL reported the incident to City of London Police’s Report Fraud service.
Investigators warned that a full transport network shutdown could have cost the UK economy up to £56 billion.
Jubair and Flowers were leading members of Scattered Spider, a group known for social engineering, SIM-swapping, and data extortion. The National Crime Agency (NCA) and City of London Police identified them after the TfL breach. They were arrested at home on 16 September 2024.
Devices seized from Flowers including laptops, towers, hard drives, and USB sticks contained a screenshot of connectivity to TfL infrastructure and videos of Jubair accessing TfL systems during the attack.
The pair messaged on Telegram and used a shared remote workspace. Flowers was also found hacking US healthcare firms SSM Health and Sutter Health. He was later re-arrested for bail breaches over device use; Jubair was charged for failing to provide device PINs/passwords.
Microsoft assessed that the arrests materially degraded Scattered Spider’s ability to operate, even if others may still misuse the brand.
NCA Deputy Director Paul Foster called it the largest cybercrime prosecution ever brought before UK courts and urged organizations to engage law enforcement early. City of London Police Commander Ollie Shaw highlighted proposed Cyber Crime Risk Orders as tools for device and technology restrictions, a form of “digital prison” for high-risk offenders.
Security Minister Dame Angela Eagle and TfL Commissioner Andy Lord praised the investigation and stressed the need for stronger cyber resilience. The FBI Cyber Division noted Scattered Spider’s repeated use of extortion and social engineering against critical services.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

