Two Scattered Spider hackers get 5.5 years each for crippling London's transport network
Thalha Jubair and Owen Flowers pleaded guilty to the August 2024 attack on Transport for London, which cost the agency £29 million and briefly threatened chaos for 8.4 million passengers.

Key points
- Thalha Jubair, 20, and Owen Flowers, 18, were each sentenced to five years and six months in prison for hacking Transport for London in August 2024.
- Transport for London reported £29 million in losses and recovery costs, and had to force all 27,000 staff to reset their passwords in person.
- UK officials estimated the broader economy could have lost up to £56 billion had the attackers succeeded in shutting the network down.
- Jubair was separately charged in the United States in September 2025 over at least 120 network break-ins and more than $115 million in extortion payments.
- Both belong to Scattered Spider, a young English-speaking crew that the National Crime Agency now calls the UK's most significant cybercrime threat.
Two young men who broke into the computer systems of Transport for London (TfL), the agency that runs the Tube, buses and Dial-a-Ride service for more than 8.4 million Londoners, were sent to prison this week for five and a half years each.
Thalha Jubair, 20, and Owen Flowers, 18, are members of Scattered Spider. That is the loose crew of mostly English-speaking teenagers and twenty-somethings that has spent the last two years tormenting airlines, casinos, retailers and hospitals on both sides of the Atlantic.
The pair pleaded guilty last month under the UK's Computer Misuse Act, the country's main anti-hacking law. Both were sentenced this week, as first reported by BleepingComputer.
How bad was the TfL hack, really?
Bad enough that the entire staff had to queue up in person to change their passwords. All 27,000 of them.
TfL disclosed the break-in on 2 September 2024, roughly a fortnight after it began. The attack knocked 148 internal systems offline and disrupted Dial-a-Ride bookings, concessionary travel cards for older and disabled passengers, refund processing and the rollout of new contactless ticketing.
On 12 September, TfL admitted the hackers had also walked out with customer data, including names, home addresses and contact details.
Four days later, officers from the City of London Police and the National Crime Agency (NCA) knocked on the doors of Jubair and Flowers and arrested them.
TfL says the incident cost it £29 million in direct losses and recovery. UK officials went further, warning that if the criminals had actually managed to bring London's transport network to a standstill, the knock-on damage to the wider economy could have reached £56 billion.
What should ordinary passengers do?
If you used TfL services before September 2024, assume your name, address and contact details are in someone's stolen database somewhere. That means being extra suspicious of unexpected emails, texts or phone calls claiming to be from TfL, your bank, or delivery firms. Real organisations do not ask you to hand over passwords or move money over the phone.
There is no evidence bank card details or Oyster balances were drained. But phishing, where criminals send fake messages designed to trick you into typing your password into a lookalike website, tends to spike after a breach like this.
A bigger case behind the London one
Investigators say Flowers was also mid-attack against two US hospital groups, Sutter Health and SSM Health Care Corporation, when he was picked up. Devices seized at his home contained evidence of the TfL job.
Jubair's story is larger still. In September 2025, the US Department of Justice charged him with conspiracy to commit computer fraud, wire fraud and money laundering, tied to at least 120 network break-ins between May 2022 and September 2025. Prosecutors say he and his co-conspirators extorted more than $115 million from victims worldwide in a single year.
NCA Deputy Director Paul Foster called Scattered Spider "the most significant cybercrime threat to the UK in recent years" and thanked TfL for calling the police early. "These convictions would likely not have been possible had Transport for London not engaged with law enforcement early," he said.
Four more suspected members of the group were arrested by the NCA in July 2025 over attacks on Harrods, Marks & Spencer and the Co-op.
The crew is not finished. But two of its more prolific members will spend the next several years somewhere with very poor Wi-Fi.



