Two hackers, Owen Flowers and Thalha Jubair, sentenced for the TfL cyberattack, with a blurred image of the London Underground in the background.
Uncategorized

Scattered Spider Duo Jailed for Landmark £29M TfL Cyberattack

Share
Share

Cybercrime’s Reckoning: Two Hackers Sentenced for Massive TfL Breach

In a landmark case for UK cybercrime prosecution, Owen Flowers, 18, and Thalha Jubair, 20, have each been sentenced to five and a half years in prison. The duo received their sentences at Woolwich Crown Court on Thursday, 16 July 2026, following their involvement in the devastating 2024 cyberattack on Transport for London (TfL). This audacious breach crippled 148 TfL systems and forced all 27,000 employees to undergo in-person password resets, incurring a staggering £29 million in losses and recovery costs.

The Anatomy of a £29 Million Attack

The intrusion, which ran from 31 August to 3 September 2024, brought significant disruption to London’s vital transport network, which typically handles 9 million journeys daily. Critical services, including Dial-a-Ride (a booking service for vulnerable Londoners), digital payment channels, and the issuance of concessionary travel cards, were rendered inoperable. Applications for Oyster photocards, essential for discounted fares for children and young people, were halted, and the rollout of contactless ticketing extensions suffered delays, alongside a backlog in customer refunds.

The breach also compromised sensitive customer data. TfL confirmed that names, email addresses, and in some cases, home addresses were accessed. Alarmingly, Oyster refund data, including bank account numbers and sort codes for approximately 5,000 individuals, may also have been exposed. While the hackers’ ultimate intent with this access remains unclear, chat logs suggested a plan to wipe their tracks upon exit.

Unprecedented Prosecution Under Section 3ZA

Flowers and Jubair pleaded guilty on 22 June 2026, the very day their trial was set to begin. They faced charges under Section 3ZA of the Computer Misuse Act 1990, the Act’s most severe provision. Their admission was based on the understanding that they were reckless regarding the creation of a significant risk of serious damage to human welfare. The Crown Prosecution Service (CPS) believes this marks the first successful prosecution of hackers under Section 3ZA, with the National Crime Agency (NCA) noting it as only the second prosecution of its kind overall, underscoring the gravity and rarity of such convictions.

The potential economic fallout of a full network shutdown was immense, with the NCA estimating a hypothetical cost to the UK economy of up to £56 billion, and the CPS placing it in the billions. This catastrophic scenario was averted, according to the CPS, because TfL proactively shut down its own network to contain the threat.

Unmasking the Scattered Spider Operatives

The investigation quickly led to Flowers’ arrest at his home on 6 September 2024, just three days after the TfL intrusion concluded. Officers found him actively engaged in attacks against two US healthcare organisations, SSM Health Care Corporation and Sutter Health. Seized devices, including laptops and hard drives, contained crucial evidence: a screenshot of network connectivity to TfL infrastructure and videos of Jubair navigating TfL systems during the attack. The pair had coordinated their activities via Telegram and a shared online workspace.

Prosecutors established Flowers’ connection to the remote server used for all three intrusions, with his devices directly linking him to the crimes. Evidence connecting Jubair to the TfL hack was secured through international cooperation with overseas prosecutors. Flowers further admitted to two additional counts related to the healthcare attacks, including a conspiracy against SSM Health and an attempted attack on Sutter Health. Disturbingly, chat logs revealed his threat to lock down these systems, acknowledging it “might kill some 90-year-old on life support” – a threat his arrest fortunately prevented from materialising.

A Wider Web of Crime: The Scattered Spider Network

Both men are described by the NCA as leading members of ‘Scattered Spider’, a notorious extortion crew also known as Octo Tempest, UNC3944, and 0ktapus. While the CPS adopted a more cautious stance, acknowledging the defendants’ claims of group membership, prosecutors believe this collective was responsible for hundreds of attacks between 2022 and 2025, involving data extortion, SIM swapping, and social engineering, as highlighted by the FBI.

Jubair’s legal troubles extend beyond the UK. A complaint unsealed in New Jersey in September 2025 accuses him of computer fraud, wire fraud, and money laundering conspiracies. This US case alleges involvement in approximately 120 network intrusions and at least 47 US victims between May 2022 and September 2025, with ransoms exceeding $115 million. He is also implicated in intrusions targeting a US critical infrastructure company and the US Courts, and is alleged to have moved $8.4 million in cryptocurrency from a server wallet during an active seizure by agents. These allegations, if proven, carry a maximum sentence of 95 years, though neither UK nor US authorities have addressed extradition.

The Future of Scattered Spider

The NCA asserts that the arrests of Flowers and Jubair have “effectively halted” Scattered Spider, citing Microsoft’s assessment that their actions materially degraded the group’s operational capabilities. However, the agency also concedes that other criminals may continue to operate under the ‘Scattered Spider’ brand. The cybercrime landscape is ever-evolving; in January, Mandiant observed an expansion of ‘ShinyHunters’-branded extortion, employing similar tactics, indicating that the threat of sophisticated digital attacks remains persistent.


For more details, visit our website.

Source: Link

Share

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *