Two Scattered Spider Teens Plead Guilty in £29M Transport for London Cyberattack
Two British teenagers linked to the Scattered Spider hacking collective have pleaded guilty to orchestrating a 2024 cyberattack on Transport for London that cost £29 million and disrupted services.
Two members of the notorious Scattered Spider hacking collective have pleaded guilty to a devastating cyberattack on Transport for London (TfL) that occurred in late 2024, the UK's National Crime Agency (NCA) confirmed on Tuesday. Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, admitted to hacking London's transport authority between August 31 and September 3, 2024, when both were still teenagers.
The attack inflicted an estimated £29 million ($38 million) in losses and recovery costs on TfL, according to the NCA. The breach crippled the agency's customer refund system for an extended period, took down the online application system for Oyster photocards used by children and young people, and forced all 28,000 TfL employees to physically attend an office to reset their passwords. The disruption highlighted the real-world consequences of cybercrime on critical public infrastructure.
Flowers was arrested on September 6, 2024, just days after the attack. During a search of his home, officers seized an Acer laptop that contained a screenshot showing network connectivity to TfL infrastructure, as well as evidence that he had accessed a website selling breached credentials. The laptop also held a video recorded by Flowers that showed Jubair accessing TfL systems, alongside Telegram messages between the pair coordinating their activities.
Investigators also linked Flowers to breaches of US healthcare companies SSM Health Care Corporation and Sutter Health, expanding the scope of his criminal activities beyond the TfL incident. However, Jubair faces far more extensive charges. According to indictments unsealed in September 2025, he is alleged to have participated in at least 120 computer network intrusions and extortion schemes targeting 47 US entities, with victims paying $115 million or more in ransom payments to Jubair and his associates.
Both defendants pleaded guilty at Woolwich Crown Court on June 22 and are scheduled to be sentenced on July 16. The NCA described the investigation as "lengthy, highly complex and painstaking," led by deputy director Paul Foster, head of the agency's National Cyber Crime Unit. "The perseverance and meticulousness of our officers, and the work of our partner organisations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending," Foster said.
The Scattered Spider collective, a loose network of English-speaking hackers, has been linked to a string of high-profile extortion incidents, including attacks on MGM Resorts International, Snowflake, and most recently Marks & Spencer and the Co-op Group. Foster warned of the "increasing threat" from homegrown cybercriminals like those in the group, noting that "cybercrime may appear faceless and distant compared to other crime types, but the infiltration of TfL's systems shows it has real-world consequences and impacts hugely on the public."
The case underscores the growing sophistication and audacity of young cybercriminals operating within organized hacking collectives. The TfL attack, which targeted a critical piece of urban infrastructure serving millions of daily commuters, demonstrates that even public transportation systems are not immune to financially motivated cyberattacks. With sentencing set for next month, the convictions mark a significant victory for UK law enforcement in its ongoing battle against cybercrime.
The guilty pleas from Thalha Jubair and Owen Flowers, entered at Woolwich Crown Court at the start of their trial, include new details about the attack's execution: investigators found a screenshot on Flowers' Acer laptop showing active connectivity to TfL infrastructure, and recorded videos of Jubair navigating TfL systems during the breach. The pair coordinated via Telegram and other collaborative tools, and Flowers was linked to intrusions against US healthcare organizations SSM Health Care Corporation and Sutter Health, broadening the known targeting footprint of the Scattered Spider group. Flowers had also violated bail conditions twice in 2025, raising concerns about continued risk behavior during the investigation period.
The Help Net Security report adds that the National Crime Agency (NCA) revealed the attack between August 31 and September 3, 2024, accessed TfL's Oyster refunds system and forced all 28,000 employees to attend an office in person to reset passwords. Investigators also uncovered evidence linking Flowers to intrusions targeting U.S. healthcare providers SSM Health and Sutter Health, and found videos on his laptop showing Jubair accessing TfL systems during the attack. Flowers later breached his bail conditions twice in 2025.
The U.K. National Crime Agency revealed that the attack forced all 28,000 TfL employees to reset their passwords in person and cost approximately £29 million ($38 million) in losses and recovery costs. Investigators found evidence on the defendants' devices showing connections to TfL infrastructure, access to an online marketplace for stolen credentials, and videos of the intrusion in progress. The NCA also noted that evidence uncovered during the investigation indicated the networks of U.S. healthcare providers SSM Health Care Corporation and Sutter Health had been infiltrated and damaged, though further details were not provided. The defendants face charges under Britain's most serious cybercrime legislation, with a maximum sentence of life imprisonment.