Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London.

The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority’s employees into an office to get their passwords reset in person. Both the NCA and the CPS put TfL’s losses and recovery costs at £29 million.

Both pleaded guilty on 22 June 2026, the day their trial was due to start. The charge was Section 3ZA of the Computer Misuse Act 1990, the Act’s most serious, and they admitted it on the basis that they were reckless as to whether they caused or created a significant risk of serious damage to human welfare.

The CPS says Flowers and Jubair are believed to be the first hackers successfully prosecuted under Section 3ZA. The NCA counts the case as only the second prosecution of its kind. The two readings can sit together, one counting prosecutions brought under the section and the other counting those that ended in conviction, but neither agency explains the gap.

The NCA calls it the biggest cybercrime prosecution the UK courts have seen.

The intrusion ran from 31 August to 3 September 2024. TfL oversees an average of 9 million journeys a day. Dial-a-Ride, the booking service that gets vulnerable Londoners around the city, went down, along with the digital payments channel and the issuing of concessionary travel cards.

Applications closed for Oyster photocards, the discounted fare cards for London’s children and young people. The extension of contactless ticketing slipped, and refunds crawled.

TfL told customers that names and email addresses had been accessed, along with home addresses where it held them. Oyster refund data may have gone too, including bank account numbers and sort codes for around 5,000 people.

Only the two of them knew what they meant to do with the access, the CPS says, though their chats suggested they would wipe the access on the way out. That is where the case’s biggest number comes from: the NCA says a successful shutdown of the network could have cost the UK economy up to £56 billion, and the CPS puts the same hypothetical at billions. It stayed hypothetical, the CPS says, because TfL pulled its own network down to contain them.

Flowers was arrested at home on 6 September 2024, three days after the TfL intrusion ended, and the NCA says officers found him mid-attack on two US healthcare organisations, SSM Health Care Corporation and Sutter Health.

Investigators seized laptops, tower computers, hard drives, and USB sticks. One laptop held a screenshot of network connectivity to TfL infrastructure, plus videos Flowers had recorded of Jubair moving through TfL systems during the attack. The pair were messaging on Telegram while it happened and sharing an online workspace.

Prosecutors proved Flowers had been connected to the remote server used to launch all three intrusions, and his own devices linked him to all three. The information linking Jubair to TfL was uncovered overseas, obtained with help from prosecutors there.

Flowers admitted two further counts over the healthcare attacks, a conspiracy against SSM Health, and an attempt against Sutter Health. The CPS says he threatened to lock those systems down while acknowledging in chats that it “might kill some 90-year-old on life support.” The arrest is what stopped him.

The NCA describes both men as leading members of Scattered Spider, the extortion crew also tracked as Octo Tempest, UNC3944, and 0ktapus. The CPS is more careful, saying the defendants claimed at various points to be members of a group that prosecutors believe carried out hundreds of attacks between 2022 and 2025.

The FBI, quoted in the NCA’s announcement, ties the group to data extortion, SIM swapping, and social engineering.

Jubair’s other case is still open

A complaint unsealed in New Jersey in September 2025 accuses Jubair of computer fraud, wire fraud, and money laundering conspiracies. The complaint puts the scheme at roughly 120 network intrusions and at least 47 US victims between May 2022 and September 2025, with more than $115 million paid in ransoms.

Prosecutors also place him in intrusions at a US critical infrastructure company and the US Courts, and allege he moved about $8.4 million in cryptocurrency out of a server wallet while agents were seizing it. Those are allegations, untested in court. The maximum across all counts is 95 years. Neither the DOJ’s announcement nor Thursday’s UK releases address extradition.

Is Scattered Spider finished?

The NCA says its action against the two men effectively halted the group, and cites Microsoft’s assessment that the arrests materially degraded the group’s ability to operate. In the same breath, it grants that other criminals may keep using the brand.

Scattered Spider is not the only brand with life left in it. In January, Mandiant tracked an expansion of ShinyHunters-branded extortion running the same kind of social engineering: vishing calls to employees, victim-branded credential harvesting pages to capture SSO logins and MFA codes, then the attacker’s own device enrolled for MFA.

Neither the NCA’s nor the CPS’s written releases set out how Flowers and Jubair first got into TfL. Google’s hardening guidance from the same research puts the fix in one place: verify identity on password resets, device enrollment, and MFA changes, the manual workflows these crews call in and talk their way through.

Paul Foster, who heads the NCA’s National Cyber Crime Unit, wants one thing from everyone else: call law enforcement early. He says these convictions probably would not have happened if TfL had not.

City of London Police used the sentencing to lobby for a power it does not have. Cyber Crime Risk Orders would let a court restrict an individual’s devices, online services and technologies in proportion to the risk they pose.

Commander Ollie Shaw pitched them as a “digital prison” for offenders. So the toolkit is what it was: a prison term, this time handed to two people who were 17 and 18 when they did it.

Leave a Reply