
Two leading members of the Scattered Spider cybercrime collective have been sentenced to more than five years in prison for carrying out the 2024 cyberattack against Transport for London (TfL), concluding what British authorities described as the largest cybercrime prosecution ever brought before a U.K. court.
Thalha Jubair, 20, of East London, and Owen Flowers, 18, from Walsall in England’s West Midlands, were each sentenced to five years and six months‘ imprisonment at Woolwich Crown Court on Thursday after pleading guilty last month to offenses under Section 3ZA of the Computer Misuse Act.
The pair admitted on the first day of trial in June to infiltrating TfL’s network in an attack that disrupted public services, exposed customer data and ultimately cost the transport authority £29 million ($39 million) in recovery expenses.
Authorities said the prosecution was only the second ever brought under the U.K.’s most serious Computer Misuse Act offense, which covers unauthorized computer activity that causes, or risks causing, serious damage to critical infrastructure or public welfare and carries a maximum sentence of life imprisonment.
Although TfL managed to prevent the attack from shutting down London’s transport network, investigators said the intrusion caused widespread operational disruption.
The attack forced all 27,000 TfL employees to attend offices for in-person password resets, while 148 internal systems became unavailable, including critical operational platforms that required extensive manual workarounds.
The breach also compromised data held within TfL’s refund system for Oyster — the card used by passengers for travel — leaving some passengers waiting significantly longer than normal for refunds. Applications for Oyster photocards used by children and young people were temporarily suspended.
The National Crime Agency (NCA) said the financial consequences could have been significantly worse, saying that if the attackers succeeded in disabling London’s transport network, the estimated economic impact could have reached £56 billion ($75.6 billion).
British investigators identified Jubair and Flowers as leading members of Scattered Spider, a loosely organized English-speaking cybercriminal network responsible for numerous high-profile intrusions targeting organizations across the U.K. and United States.
The group has been linked to attacks against airlines, retailers, insurers and technology companies, often relying on social engineering, SIM-swapping and credential theft to gain initial access before deploying ransomware or conducting extortion campaigns.
According to the NCA, arrests carried out in September 2024 significantly disrupted the group’s operations.
“Scattered Spider has been the most significant cybercrime threat to the U.K. in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice,” said Paul Foster, deputy director of the NCA’s National Cyber Crime Unit.
The agency added that independent analysis supported that assessment, with Microsoft concluding the arrests had materially degraded Scattered Spider’s ability to continue conducting cybercriminal operations.
Flowers was first arrested in September 2024, while investigators said he was simultaneously compromising systems belonging to U.S. healthcare providers SSM Health Care Corporation and Sutter Health.
Searches of his home uncovered laptops, desktop computers, external hard drives and USB devices.
One laptop contained a screenshot showing connectivity to TfL’s infrastructure, while investigators also recovered videos allegedly recorded by Flowers showing Jubair actively accessing TfL systems during the intrusion.
Authorities said the pair coordinated the attack through Telegram and an online collaborative workspace.
Flowers was later rearrested after breaching bail conditions relating to restrictions on device usage. Jubair also faced an additional charge after refusing to disclose passwords and PINs for seized electronic devices.
Security officials said the case demonstrated both the growing sophistication of cybercriminal groups and the importance of early reporting by victims.
“The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK’s critical infrastructure,” Foster said, adding that the convictions would likely not have been possible without TfL’s prompt engagement with law enforcement.
Commander Ollie Shaw of the City of London Police used the sentencing to argue for proposed Cyber Crime Risk Orders, which would allow courts to impose technology restrictions on convicted cyber offenders after release.
The proposed measures could limit offenders’ access to devices, online services or technologies frequently used to commit cybercrime, creating what Shaw described as a form of “digital prison” designed to reduce reoffending while allowing rehabilitation.
Security Minister Angela Eagle said the case illustrated the risks cybercriminals pose to Britain’s economy and national infrastructure: “This should send a clear message to anyone planning illegal cyber activity that there will be consequences when you are caught,” she said.
London’s Transport Commissioner Andy Lord welcomed the sentencing, thanking investigators and TfL staff who helped respond to the incident and restore affected systems.
The investigation was led jointly by the National Crime Agency and City of London Police, with support from the West Midlands Regional Organised Crime Unit, British Transport Police and international partners including the FBI.
Jubair and Flowers were also both arrested last July on suspicion of involvement in a series of ransomware attacks targeting British retailers Marks & Spencer, the Co-op and the London-based luxury store Harrods. No suspects have yet been charged with those crimes.
