Teen Hackers Behind TfL Attack Sentenced: A Deep Dive into Scattered Spider's Tactics and Legal Precedent
Two individuals, **Owen Flowers** and **Thalha Jubair**, have been sentenced to five and a half years each for their roles in the 2024 cyberattack on **Transport for London (TfL)**. The intrusion caused significant disruption and incurred recovery costs estimated at Β£29 million, marking a landmark prosecution under the UK's Computer Misuse Act.
# UK Courts Deliver Landmark Sentences in TfL Cyberattack
**Owen Flowers**, 18, and **Thalha Jubair**, 20, have been handed five-and-a-half-year sentences at Woolwich Crown Court following their involvement in the 2024 cyberattack against **Transport for London (TfL)**. The attack, which left 148 TfL systems inoperable, forced all 27,000 employees to undergo in-person password resets, leading to an estimated Β£29 million in losses and recovery costs, according to both the **National Crime Agency (NCA)** and the **Crown Prosecution Service (CPS)**.

## A Precedent-Setting Conviction
Both individuals pleaded guilty on June 22, 2026, the day their trial was slated to commence. They admitted to charges under Section 3ZA of the **Computer Misuse Act 1990**, the most severe provision of the Act, acknowledging their recklessness in causing or risking serious damage to human welfare. The CPS believes Flowers and Jubair are the first hackers successfully prosecuted under this specific section, while the NCA identifies it as only the second prosecution of its kind.
This case is being hailed by the NCA as the largest cybercrime prosecution ever seen in UK courts.
## The Impact of the TfL Intrusion
The intrusion, active from August 31 to September 3, 2024, significantly disrupted TfL, which manages an average of 9 million journeys daily. Services like Dial-a-Ride, the booking service for vulnerable Londoners, went offline. Digital payment channels and the issuance of concessionary travel cards were also affected. Applications for Oyster photocards, offering discounted fares for young people, were suspended, and contactless ticketing extensions and refunds experienced delays.
TfL informed customers that names, email addresses, and in some cases, home addresses had been accessed. Approximately 5,000 individuals' Oyster refund data, including bank account numbers and sort codes, may also have been compromised.
While the attackers' ultimate intent remains unclear, their communications suggested they might wipe access upon exiting the systems. The NCA estimates a complete network shutdown could have cost the UK economy up to Β£56 billion, a hypothetical scenario averted only because TfL proactively took its network offline for containment.
## Arrests and Further Allegations
**Flowers** was arrested on September 6, 2024, just three days after the TfL incident concluded. At the time of his arrest, NCA officers found him mid-attack on two US healthcare organizations: **SSM Health Care Corporation** and **Sutter Health**.
Investigators seized multiple devices, including laptops, tower computers, hard drives, and USB sticks. One laptop contained a screenshot of network connectivity to TfL infrastructure and videos of **Jubair** navigating TfL systems during the attack. The pair used Telegram for communication and shared an online workspace.
Evidence confirmed Flowers' connection to the remote server used for all three intrusions, with his devices linking him directly to each. Information tying Jubair to the TfL attack was obtained internationally through prosecutorial assistance.
Flowers also admitted to two additional counts related to the healthcare attacks: a conspiracy against SSM Health and an attempted attack against Sutter Health. Prosecutors revealed that he threatened to lock down these systems, acknowledging in chats that it "might kill some 90-year-old on life support." His arrest prevented these further attacks.
Both men are described by the NCA as leading members of **Scattered Spider**, an extortion group also known as **Octo Tempest**, **UNC3944**, and **0ktapus**. The CPS adopted a more cautious stance, stating that the defendants claimed membership in a group believed responsible for hundreds of attacks between 2022 and 2025. The **FBI**, cited by the NCA, connects the group to data extortion, SIM swapping, and social engineering.
## Jubair's Pending US Case
A complaint unsealed in New Jersey in September 2025 accuses **Jubair** of computer fraud, wire fraud, and money laundering conspiracies. This complaint links him to approximately 120 network intrusions and at least 47 US victims between May 2022 and September 2025, with over $115 million reportedly paid in ransoms. Prosecutors also allege his involvement in intrusions at a US critical infrastructure company and the US Courts, and that he moved about $8.4 million in cryptocurrency from a server wallet during its seizure. These remain allegations, yet to be tested in court. The maximum potential sentence across all counts is 95 years; neither the DOJ's announcement nor the UK releases address extradition.
## The Future of Scattered Spider
The NCA asserts that the arrests of **Flowers** and **Jubair** effectively halted **Scattered Spider's** operations, citing **Microsoft's** assessment that the arrests significantly degraded the group's capabilities. However, the NCA acknowledges that other criminals might continue to use the group's branding.
The tactics employed by **Scattered Spider** are not unique. In January, **Mandiant** observed an expansion of **ShinyHunters-branded extortion** utilizing similar social engineering techniques: vishing calls to employees, victim-branded credential harvesting pages to capture SSO logins and MFA codes, followed by the attacker enrolling their own device for MFA.
**Google's** hardening guidance, stemming from the same research, emphasizes a crucial fix: robust identity verification for password resets, device enrollment, and MFA changes. These are the manual workflows that such crews exploit through social engineering.
Paul Foster, head of the NCA's National Cyber Crime Unit, urged early engagement with law enforcement, stating that these convictions might not have occurred without TfL's prompt action.
In the wake of the sentencing, the **City of London Police** advocated for **Cyber Crime Risk Orders**, a power they currently lack. Commander Ollie Shaw described these orders as a "digital prison" for offenders, allowing courts to restrict an individual's devices, online services, and technologies proportionally to the risk they pose. For now, the legal toolkit relies on traditional prison terms, which have now been applied to two individuals who were still teenagers at the time of their offenses.