Tag: Thalha Jubair

  • Arrests Made in TfL Cyberattack: Suspects Linked to Scattered Spider

    UK authorities have arrested two teenagers suspected of involvement in the August 2024 cyberattack on Transport for London (TfL). The arrests stem from an international investigation linked to the notorious hacking collective Scattered Spider, infamous for its targeted assaults on major organizations through social engineering and ransomware campaigns.

    The National Crime Agency (NCA) confirmed the suspects as 19-year-old Thalha Jubair (also known by the aliases EarthtoStar, Brad, Austin, and @autistic) from East London, and 18-year-old Owen Flowers from Walsall, West Midlands. Both were taken into custody at their residences on 17 September 2025.

    Flowers had previously been arrested in connection with the TfL breach in September 2024 but was released on bail. He now faces formal charges of conspiracy to gain unauthorized access to and damage networks belonging to two U.S. healthcare providers: SSM Health Care Corporation and Sutter Health. Evidence seized during searches revealed his involvement in additional U.S. cyberattacks, particularly targeting the healthcare sector.

    Jubair, in turn, has been charged under the UK’s Regulation of Investigatory Powers Act (RIPA) 2000 for refusing to disclose PIN codes and passwords for devices seized during a search on 19 March 2025.

    According to Paul Foster, head of the NCA’s National Cyber Crime Unit, the attack inflicted “significant damage” on TfL, resulting in millions of pounds in losses and posing a direct threat to the UK’s critical national infrastructure. He emphasized that earlier in 2025, the agency had already warned of heightened activity from English-speaking hackers, with Scattered Spider being particularly prominent.

    In parallel, the U.S. Department of Justice (DoJ) unsealed an indictment against Jubair, accusing him of participating in at least 120 network intrusions and extorting 47 American organizations between May 2022 and September 2025. The indictment details how the group used social engineering to gain access to corporate systems, exfiltrate data, encrypt files, and then demand ransom both for decryption and for withholding the stolen information.

    U.S. authorities estimate that victims collectively paid at least $115 million in ransom. Targets included critical infrastructure and even the federal judiciary, which suffered breaches in October 2024 and January 2025.

    In July 2024, investigators seized cryptocurrency wallets on a server allegedly controlled by Jubair, containing assets worth approximately $36 million. Records also show that he transferred $8.4 million from one attack to another wallet, likely in an effort to obscure the trail.

    Jubair now faces six charges, including conspiracy to commit computer fraud, two counts of unauthorized access, conspiracy to commit wire fraud, and money laundering. If convicted, he could face up to 95 years in prison.

    As Acting U.S. Attorney for the District of New Jersey Alina Habba remarked, Jubair “went to great lengths to preserve his anonymity, while he and his co-conspirators continued to attack organizations and extort tens of millions of dollars.”