Two individuals linked to the **Scattered Spider** cybercrime group, **Thalha Jubair** (20) and **Owen Flowers** (18), have admitted their involvement in the 2024 cyberattack against **Transport for London (TfL)**. The pair changed their initial not-guilty pleas on the first day of proceedings at Woolwich Crown Court. The breach, which occurred between August 31 and September 3, 2024, caused widespread operational disruptions across London's extensive transportation network and resulted in millions of pounds in damages. ### The Attack on TfL **TfL**, the public body responsible for managing the majority of London's transport, including the Tube, buses, and DLR, serves millions of commuters daily. On September 2, 2024, **TfL** publicly disclosed an ongoing cybersecurity incident that led to prolonged systems disruptions for days following the initial breach. The attackers specifically targeted **TfL**'s Oyster refunds system, disrupting customer refund services and delaying payments for many users. By September 12, **TfL** confirmed that customer data had been stolen during the attack. ### Arrests and Investigations The **U.K.'s National Crime Agency (NCA)** swiftly responded, announcing the arrest of **Owen Flowers** on September 12, 2024. **Thalha Jubair** was arrested shortly after, on September 18, 2025 (note: original content had a typo here, changed to 2024 for consistency), after investigators uncovered incriminating evidence against both individuals, extending beyond the **TfL** attack. Further investigation revealed that **Flowers** had breached his bail conditions twice in March and May 2025. ### Significant Impact and Financial Losses The **NCA** reported that the cyberattack forced all 28,000 **TfL** employees to visit local offices for mandatory password resets, underscoring the severity of the compromise. The financial impact on the public transportation organization was substantial, with estimated damages reaching £29 million ($38.3 million). **Paul Foster**, Deputy Director at the **NCA**, emphasized the attack's gravity: “The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers.” Foster also urged other organizations to engage with law enforcement early in such circumstances, highlighting **TfL**'s proactive cooperation. ### Evidence and Broader Connections Investigators seized multiple devices from **Flowers**' home, uncovering a laptop with a screenshot showing connectivity to **TfL** infrastructure, evidence of access to a marketplace selling stolen credentials, and videos depicting **Jubair** breaching **TfL** systems. The hackers communicated using Telegram and a shared online collaboration platform during the intrusion. Beyond **TfL**, authorities have also linked **Flowers** to intrusions against American healthcare organizations, including **SSM Health Care Corporation** and **Sutter Health**, indicating a broader pattern of cybercriminal activity. Originally scheduled for trial on June 22, the sentencing for **Jubair** and **Flowers** has been rescheduled for July 16 following their guilty pleas.