News

Two 'Scattered Spider' Hackers Sentenced for £29 Million TfL Cyberattack

Two hackers, Owen Flowers and Thalha Jubair, have been sentenced to five and a half years for a 2024 cyberattack on Transport for London (TfL).

The hackers, part of the 'Scattered Spider' group, were convicted under the UK's Computer Misuse Act for a 2024 attack that disrupted TfL services and cost £29 million. The case marks one of the UK's largest cybercrime prosecutions.

Two 'Scattered Spider' Hackers Sentenced for £29 Million TfL Cyberattack

Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for their roles in the 2024 hack of Transport for London (TfL). The attack, which took place from 31 August to 3 September 2024, left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees to reset their passwords in person. The National Crime Agency (NCA) and Crown Prosecution Service (CPS) estimated TfL's losses and recovery costs at £29 million.

The Attack and Its Impact

The intrusion severely disrupted TfL services, affecting millions of daily commuters. Key systems impacted included:

  • Dial-a-Ride: The booking service for vulnerable Londoners was taken offline.
  • Digital Payments: The payments channel was disrupted.
  • Concessionary Travel Cards: Issuance of discounted fare cards was halted.
  • Oyster Photocards: Applications for discounted fare cards for children and young people were suspended.
  • Refunds: Processing of refunds was significantly delayed.

TfL also confirmed that personal data, including names, email addresses, and home addresses, was accessed. Additionally, Oyster refund data, including bank account numbers and sort codes for around 5,000 people, may have been compromised.

The Prosecution

Both Flowers and Jubair pleaded guilty on 22 June 2026, the day their trial was due to start. They were charged under Section 3ZA of the Computer Misuse Act 1990, the most serious offense under the Act. The CPS described the case as the first successful prosecution under this section, while the NCA called it the biggest cybercrime prosecution in UK history.

The investigation revealed that Flowers was arrested at home on 6 September 2024, just days after the TfL attack. Officers found him mid-attack on two US healthcare organizations, SSM Health Care Corporation and Sutter Health. Prosecutors proved Flowers' involvement in these attacks, and he admitted to threatening to lock down the healthcare systems, acknowledging the potential for severe consequences.

Scattered Spider and Ongoing Investigations

The NCA described Flowers and Jubair as leading members of the 'Scattered Spider' hacking group, also known as Octo Tempest and UNC3944. The group is linked to hundreds of attacks between 2022 and 2025, including data extortion, SIM swapping, and social engineering.

Jubair is also facing separate charges in the United States, where he is accused of computer fraud, wire fraud, and money laundering conspiracies. The complaint, unsealed in New Jersey in September 2025, alleges his involvement in over 120 network intrusions and at least 47 US victims, with ransoms totaling over $115 million.

The Future of Scattered Spider

The NCA claims its actions against Flowers and Jubair have effectively halted the Scattered Spider group, citing Microsoft's assessment that the arrests materially degraded the group's operations. However, the NCA acknowledges that other criminals may continue using the Scattered Spider brand.

Paul Foster, head of the NCA's National Cyber Crime Unit, emphasized the importance of early engagement with law enforcement in cybercrime cases. Commander Ollie Shaw of the City of London Police advocated for the introduction of Cyber Crime Risk Orders, which would allow courts to restrict an individual's access to devices and online services based on the risk they pose.

The sentencing of Flowers and Jubair marks a significant milestone in the UK's efforts to combat cybercrime, highlighting the severity of such attacks and the need for robust legal and investigative frameworks.