Brit Scattered Spider duo handed tickets to prison over Transport for London attack

Jul 16, 2026 - 16:04
0 0
Brit Scattered Spider duo handed tickets to prison over Transport for London attack

The two British Scattered Spider members collared for carrying out the 2024 cyberattack on Transport for London (TfL) will each spend five and a half years in prison after being sentenced on Thursday.

Owen Flowers, 18, and Thalha Jubair, 20, were sentenced to five years and six months' imprisonment each, having pleaded guilty in June, in turn receiving a 15 percent reduction in their sentences.

Sentencing the pair at Woolwich Crown Court, Mr Justice Turner noted both cybercriminals' immaturity, but acknowledged the sophistication of the offending, the scale of the impact on TfL, the significant planning behind the attack, and that both knew the criminality of their actions.

Mr Justice Turner further noted the age gap between the pair, and that the one year and four months Jubair has on Flowers "marks a potentially significant distinction in maturity."

The judge also acknowledged both defendants' neurodiversity in passing the sentence, which he said was the most lenient, while still reflecting the seriousness of their offenses.

Flowers and Jubair were described by authorities as members of Scattered Spider, the loosely connected group of English-speaking individual cybercriminals thought to be mostly young men aged 16-25.

Scattered Spider has been one of the most prominent cybercrime groups of the past few years, claiming responsibility for major attacks such as those on MGM Resorts in 2023 and the attacks on British retail giants in 2025.

The National Crime Agency (NCA) said the group presented the most significant cyber threat to the UK, and today's sentencing closes the book on the biggest prosecution of cyber offenders in UK history.

NCA officials have continually refused to comment on whether Flowers or Jubair were linked in any way to other major attacks claimed by Scattered Spider.

The sentencing marks only the second conviction under Section 3ZA of the Computer Misuse Act 1990 (CMA) – reserved for the most serious offenses.

Section 3ZA covers unauthorized acts involving computers that cause, or create a significant risk of, serious damage, where the offender intends to cause that damage or is reckless as to whether it occurs.

Flowers and Jubair pleaded guilty on the basis that their actions were reckless.

The only previous 3ZA conviction came last year and involved a former GCHQ intern who was jailed for six years following a national security investigation. The NCA said there were no parallels between this case and the TfL attack.

Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said: "This is the largest cybercrime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, CPS, and our policing partners.

"Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice.

"The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK's critical infrastructure. These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances.

"We will continue working with partners in the UK and overseas to identify offenders and bring them to justice."

Andy Lord, London's Transport Commissioner, said: "We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now been sentenced. 

"The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL."

How TfL attack unfolded

Scattered Spider members are known for their phishing, voice phishing ("vishing"), and social engineering tactics to gain footholds in target networks, and TfL was no different.

Flowers and Jubair purchased partial TfL credentials from "well-known criminal forums" and used those to reset the 2FA on employee accounts, a process that took multiple attempts.

Woolwich Crown Court heard that the pair impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account.

The pair gained access to TfL's network on August 31, 2024, and held on to that access until September 3. During this time, they worked to elevate their privileges and gain access to key internal systems, including databases containing information on what was originally thought to be only around 5,000 people.

It wasn't until earlier this year that it became known that Scattered Spider actually gained access to around 7 million users' data.

The attack had minimal disruption to the transport network in real terms, although the availability of several services suffered, such as account logins, customer portals, and third-party apps reliant on TfL data.

TfL was not able to issue photo travel cards to Londoners until December 4, 2024. A limited number of ticket machines also malfunctioned as a result of the attack, and travelers paying by contactless card were unable to view their journey histories online.

All of the organization's employees, around 28,000 of them, a considerable proportion of whom were allowed to work remotely, were summoned to TfL's offices to reset their passwords because of uncertainties around whether the attackers were still in the network.

Although train and bus services were not affected, the costs associated with remediating the attack climbed to £29 million ($39 million).

Several complexities

The NCA said the investigation that led to today's sentencing was perhaps even more complicated than Operation Chronos, which crippled the once-dominant LockBit ransomware group.

Bringing Flowers and Jubair to justice involved delicate management, owing to their ages, backgrounds, and neurodiversity.

Owen Flowers. Image courtesy of the National Crime Agency

Owen Flowers Image courtesy of the National Crime Agency

Flowers, for example, was known to UK law enforcement prior to the TfL attack, and investigating officers suspected his involvement from the outset, although he could not be named until September last year due to his age.

The teenager was initially arrested on suspicion of his involvement in the TfL attack on September 6, 2024, at his three-bedroom home in Walsall, where he lived with his maternal grandmother and uncle.

Officials say Flowers spent most of his time at home in his bedroom playing computer games and using chat forums, and was primarily motivated by gaining notoriety among cybercrime circles.

He was charged and later released on bail conditions, which he breached twice in October 2024 and again in May 2025 after being handed a warning two months earlier.

Before TfL, Flowers had committed lower-level computer offenses. He was visited by police in October 2023 and handed a cease-and-desist order, which officers hoped would deter the then-16-year-old from reoffending. 

Flowers was also offered training and given advice around CMA offences but officials say he did not want to engage in any of this.

Between then and the TfL attack a year later, Flowers continued to commit offenses of increasing severity.

The NCA's Foster said the proposed Cyber Crime Risk Orders, announced in the most recent King's Speech, could have enabled officers to arrest Flowers sooner and impose restrictions that could have better prevented possible reoffending.

Existing powers, such as serious crime prevention orders, cannot be applied to offenders under the age of 18, and some CMA offenses do not meet the criteria for serious crime, leaving a gap in the police's ability to manage the risk of reoffending.

"The proposed cybercrime risk orders would provide law enforcement with a proportionate preventative tool, similar in principle to sexual risk orders to impose conditions that help to protect the public and businesses whilst an investigation continues," said Foster.

"Those conditions would be actively monitored, and any breach could result in criminal sanctions, including imprisonment, and that's regardless of whether the underlying investigation has concluded.

"And I'd suggest that a Cyber Crime Risk Order, should one have been available to us, would have allowed us to arrest Flowers sooner, potentially acting on information provided by US or Australian partners."

Both Flowers and Jubair have autism, and Jubair is also diagnosed as having depression and severe mood disorder.

Like Flowers, Jubair was also previously known to UK police, principally due to his prior conviction in 2023 related to his involvement in the Lapsus$ crew that hacked the likes of BT/EE and Nvidia.

During the proceedings, Jubair sat in court alongside fellow Lapsus$ member Arion Kurtaj, who BBC's Joe Tidy recently revealed is now awaiting trial after his indefinite hospital order ended.

Under the age of 18 at the time, and therefore unable to be named publicly, Jubair received an 18-month youth rehabilitation order, which included a ban on using a VPN, but quickly began reoffending. 

Officials pointed to Jubair's reoffending as another example of why Cyber Crime Risk Orders are needed, since the existing legal mechanisms that limit the freedoms of criminals such as burglars and sexual predators are not effective for cyber offenders.

Thalha Jubair. Image courtesy of the National Crime Agency

Thalha Jubair Image courtesy of the National Crime Agency

Jubair lived in a two-bedroom apartment on the third floor of a 21-storey council block in Bow, London, with his two Bangladeshi parents, who both work as carers.

He also faces charges further afield in the US, which were unsealed in September 2025.

Acting through his Scattered Spider role, between May 2022 and September 2025, Jubair is accused of compromising 120 networks belonging to 47 US entities, including critical national infrastructure and the federal court system, which resulted in more than $115 million in ransom payments being transmitted.

In the UK, Jubair has 22 previous convictions in total, including 13 for fraud and one for blackmail. He was also previously sentenced for stalking and harassing two young women online. 

His offending began when he was 14 years old, and officials said he had an interest in computers from an early age.

Jubair, who was first arrested in February 2021, learned to code by age 13.

He attended school in the Bow region of London, had a number of GCSE qualifications, and had attempted to enroll in local colleges.

Arrests and evidence gathering

Flowers' arrest was by far the more significant of the two in terms of collecting evidence linking the pair to the TfL attack. 

NCA officers arresting Flowers also seized a number of devices, including laptops, tower computers, and USB storage devices. The analysis of one Acer laptop, owned by Flowers, proved to be the pair’s undoing.

Forensic analysis revealed that Flowers had accessed the remote infrastructure and virtual machines that were used to carry out the TfL attack.

Damningly, officers also found videos and screenshots, produced by Flowers, depicting the TfL attack in progress. Woolwich Crown Court heard that the pair livestreamed the 16-hour attack online.

They were able to tie the payment used for the remote infrastructure to a cryptocurrency account found on Flowers' computer and prove that the laptop was connected to this infrastructure at the time of the attack.

Further, Flowers used the same cryptocurrency account to pay for food deliveries he ordered to his home address.

The teen's computer stored spreadsheets containing partial credentials for TfL employees and contained evidence linking him to cyberattacks on US healthcare organizations SSM Health Care Corporation and Sutter Health.

The same computer also contained artifacts linking the activity to Jubair. 

Officials said they had access to certain chat logs within which a specific moniker appeared frequently.

They tied this alias to Jubair because it was the same one used to discuss specific flight bookings, hotel bookings, and food deliveries, all of which could clearly be linked to the 20-year-old. And Officers found evidence of a cloud storage account containing TfL data, to which Flowers and Jubair had access.

Devices seized from Jubair revealed comparatively little, other than that he had shown an interest in TfL's systems as far back as 2022. ®

What's Your Reaction?

Like Like 0
Dislike Dislike 0
Love Love 0
Funny Funny 0
Wow Wow 0
Sad Sad 0
Angry Angry 0

Comments (0)

User