Two Scattered Spider Members Admit the Transport for London Hack
A city transit system rarely sits at the center of a criminal trial. Yet the attack on Transport for London (TfL) caused months of disruption, hit millions of passengers, and ended in guilty pleas from two young men.
The Guilty Pleas
At Woolwich Crown Court, 20-year-old Thalha Jubair from East London and 18-year-old Owen Flowers from Walsall pleaded guilty over the TfL cyberattack. Both had been due to stand trial on June 22. However, they changed their pleas on the first day of proceedings. Each admitted conspiring to commit unauthorized acts against the transit operator’s systems under the Computer Misuse Act.
The Attack and Its Impact
The attack ran between August 31 and September 3, 2024. According to TfL, it disrupted services for weeks. The BBC reported that the incident affected 10 million customers. The operator put the loss and recovery cost at around £29 million.
The breach did not hit train movement directly. Instead, it struck TfL’s digital services. Online systems ran intermittently, and some information boards went offline. Customers could not get quick Oyster refunds, and the Oyster photocard service for children and young people was temporarily closed. TfL also told customers that some personal data had been accessed. After the compromise, all 28,000 employees had to attend an office in person to reset their passwords.
Linked to Scattered Spider
The National Crime Agency believes the summer 2024 intrusion connects to the online group Scattered Spider. The same group has been tied to earlier attacks on Jaguar Land Rover and retail chains, including Marks and Spencer. Scattered Spider is a loose network of mostly English-speaking cybercriminals. U.S. prosecutors say the wider group extorted at least $115 million from victims over three years.
The Evidence
Jubair and Flowers were arrested at home on September 16, 2025, in a joint NCA and City of London Police investigation. From Flowers, officers seized laptops, desktops, hard drives, and USB drives. One laptop held a screenshot showing a connection to TfL infrastructure. Videos, according to investigators, showed Jubair accessing the operator’s systems during the attack. The pair also communicated through Telegram and a shared online workspace.
Separately, Flowers admitted attempts to breach the U.S. healthcare organizations Sutter Health and SSM Health Care Corporation. Investigators also found that he had accessed an online tool where stolen credentials were sold.
What Happens Next
The pair are due to be sentenced on July 16. TfL says it continues to monitor its systems, restrict access to authorized users only, and take steps to protect its infrastructure and customer data.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
