4 min read

TfL hackers get 5.5 years each in landmark UK case

Two Scattered Spider members were sentenced over the 2024 TfL cyberattack, a case the NCA called the UK’s largest cybercrime prosecution.

Image: The Register

Two British members of Scattered Spider have each been sentenced to five years and six months in prison for the 2024 cyberattack on Transport for London. Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty in June, receiving a 15 percent reduction in their sentences, and were sentenced on Thursday at Woolwich Crown Court.

Mr Justice Turner said the pair’s age and immaturity were relevant, but so were the sophistication of the attack, the scale of the impact on TfL, and the planning involved. He also noted the defendants' neurodiversity and said the sentence was the most lenient one that still reflected the seriousness of the offenses.

The case is only the second conviction under Section 3ZA of the Computer Misuse Act 1990, a provision reserved for the most serious computer misuse offenses. The National Crime Agency said it was the largest cybercrime prosecution ever brought before the UK courts.

Recommended reading

AI won’t replace penetration testers just yet

“This is the largest cybercrime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, CPS, and our policing partners.” “Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice.”

Paul Foster, Deputy Director and head of the NCA’s National Cyber Crime Unit

How the TfL attack happened

According to the court, Flowers and Jubair bought partial TfL credentials from criminal forums, then used them to reset 2FA on employee accounts. They also impersonated an employee and socially engineered a TfL helpdesk worker into resetting a password.

The pair accessed the network on August 31, 2024, and kept that access until September 3. During that time, they worked to raise their privileges and reach internal systems, including databases that were initially thought to expose data on about 5,000 people. It later emerged that the attackers had actually accessed data belonging to around 7 million users.

The transport network itself saw limited real-world disruption, but several digital services were hit. TfL could not issue photo travel cards until December 4, 2024; some ticket machines malfunctioned; customer logins, portals, and third-party apps were affected; and contactless users could not view journey histories online. Remediation costs reached £29 million ($39 million).

“We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now been sentenced.” “The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL.”

Andy Lord, London’s Transport Commissioner

Evidence, prior offenses, and wider implications

Investigators said the stronger evidentiary haul came from Flowers' arrest on September 6, 2024, at his home in Walsall. Officers seized laptops, desktop computers, and USB storage devices. Forensic analysis of an Acer laptop linked him to the remote infrastructure and virtual machines used in the attack.

Police also found videos and screenshots made by Flowers showing the attack in progress. The court heard the pair livestreamed the 16-hour attack online. Investigators tied infrastructure payments to a cryptocurrency account found on Flowers' computer, then linked that same account to food deliveries sent to his home address.

The same machine contained partial TfL employee credentials, evidence linked to attacks on SSM Health Care Corporation and Sutter Health, and artifacts connecting the activity to Jubair. Chat logs and booking details helped investigators tie an alias to Jubair, while both men were linked to a cloud storage account containing TfL data.

Owen Flowers. Image courtesy of the National Crime Agency
Owen Flowers. Image courtesy of the National Crime Agency

Flowers had already been known to UK law enforcement and had previously been warned, offered training, and given guidance on Computer Misuse Act offenses. The NCA said he breached bail conditions twice in October 2024 and again in May 2025.

Jubair was also already known to police, including for a 2023 conviction tied to the Lapsus$ group. In the UK, he has 22 previous convictions, including 13 for fraud and one for blackmail. He also faces US charges unsealed in September 2025, accusing him of compromising 120 networks across 47 US entities between May 2022 and September 2025, leading to more than $115 million in ransom payments.

Thalha Jubair. Image courtesy of the National Crime Agency
Thalha Jubair. Image courtesy of the National Crime Agency

NCA officials used the case to argue for proposed Cyber Crime Risk Orders, saying current powers leave a gap when dealing with under-18 cyber offenders. Foster said such orders could have allowed police to arrest Flowers sooner and impose restrictions while investigations were still ongoing.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via The Register

// Keep reading