UK court gives two Scattered Spider members 5.5 years for TfL attack
Owen Flowers and Thalha Jubair were sentenced after pleading guilty over a 2024 breach that cost Transport for London £29 million to remediate.
By Renata Fuchs · Policy Reporter
· 4 min read
Two British members of Scattered Spider were each sentenced to five years and six months in prison for the 2024 cyberattack on Transport for London, a case the National Crime Agency called the largest cybercrime prosecution brought before UK courts. Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty in June and received a 15% reduction in their sentences.
At Woolwich Crown Court, Mr Justice Turner cited the defendants’ immaturity and neurodiversity, while also pointing to the planning behind the attack, its impact on TfL and the sophistication of the offending. The judge said both knew their conduct was criminal, and noted that Jubair’s additional one year and four months of age over Flowers could mark a meaningful difference in maturity.
The convictions are notable because they are only the second use of Section 3ZA of the Computer Misuse Act 1990, a provision reserved for serious computer misuse that causes, or risks causing, serious damage. Flowers and Jubair pleaded guilty on the basis that they were reckless as to the damage caused. The only earlier Section 3ZA conviction involved a former GCHQ intern who received a six-year sentence after a national security investigation, though the NCA said there were no parallels with the TfL case.
How the TfL breach worked
Authorities described Flowers and Jubair as members of Scattered Spider, a loose English-speaking cybercrime network associated with phishing, vishing and social engineering. The NCA has called Scattered Spider the UK’s most significant cybercrime threat in recent years. The group has been linked by authorities to major attacks including MGM Resorts in 2023 and British retailers in 2025, though the NCA has declined to say whether Flowers or Jubair were connected to those incidents.
In the TfL case, prosecutors said the pair bought partial TfL credentials on criminal forums, used them to reset two-factor authentication on employee accounts and impersonated an employee to persuade a helpdesk worker to reset a password. They accessed TfL’s network on Aug. 31, 2024, and retained access until Sept. 3.
During that period, the attackers sought higher privileges and access to internal systems. TfL initially believed data on about 5,000 people had been exposed, but it emerged this year that data relating to about 7 million users had been accessed.
Transport services continued to run, but TfL’s digital operations were disrupted. Account logins, customer portals and third-party apps that rely on TfL data were affected. TfL could not issue photo travel cards until Dec. 4, 2024, some ticket machines malfunctioned, and contactless card users could not view journey histories online. TfL also summoned about 28,000 employees to offices to reset passwords because of uncertainty over whether the attackers still had network access. Remediation costs reached £29 million, about $39 million.
Evidence and repeat offending
The NCA said evidence from devices seized at Flowers’ home in Walsall was central to the case. Investigators found that an Acer laptop had accessed remote infrastructure and virtual machines used in the attack, and contained videos and screenshots showing the breach in progress. Woolwich Crown Court heard that the pair livestreamed the 16-hour attack.
Investigators tied payments for the remote infrastructure to a cryptocurrency account found on Flowers’ computer, which was also used for food deliveries to his home. The same computer held spreadsheets with partial TfL employee credentials and evidence linking Flowers to attacks on US healthcare organizations SSM Health Care Corporation and Sutter Health, according to officials.
The NCA said chat logs and other records linked an alias used in the activity to Jubair through flight bookings, hotel bookings and food deliveries. Investigators also found evidence of a cloud storage account containing TfL data that both men could access. Devices seized from Jubair showed he had been interested in TfL systems as early as 2022, officials said.
Both defendants were already known to police. Flowers had been visited by police in 2023 and given a cease-and-desist order after lower-level computer offences, but officials said he did not engage with training or advice. Jubair had a 2023 conviction tied to Lapsus$, the group linked to hacks of BT/EE and Nvidia, and has 22 previous convictions in the UK, including fraud and blackmail. US charges unsealed in September 2025 accuse Jubair of compromising 120 networks belonging to 47 US entities between May 2022 and September 2025, resulting in more than $115 million in ransom payments.
NCA National Cyber Crime Unit head Paul Foster said the case showed why proposed Cyber Crime Risk Orders are needed, arguing they could give law enforcement a preventive tool to restrict suspects while investigations continue. TfL commissioner Andy Lord said the transport authority welcomed the sentencing and continues to monitor and protect its systems and customer data.
This story draws on original reporting from The Register.