Two Scattered Spider Members Jailed in UK's Largest Ever Cybercrime Prosecution
Thalha Jubair and Owen Flowers each received five and a half years in prison for a 2024 attack on Transport for London that cost the city £29 million.

Key points
- Thalha Jubair, 20, and Owen Flowers, 18, were each sentenced to five years and six months in prison on Thursday in the UK.
- Their 2024 cyberattack on Transport for London cost the public transport authority £29 million (roughly $39 million) to clean up.
- UK officials called it "the largest cybercrime prosecution ever brought before the UK courts".
- Microsoft confirmed to the UK's National Crime Agency, or NCA, that the arrests materially reduced Scattered Spider's ability to operate.
- A fourth alleged member, 19-year-old Peter Stokes, was recently extradited to the United States to face separate charges.
Two young British men belonging to the cybercrime collective known as Scattered Spider were jailed on Thursday after a judge handed each of them five years and six months in prison. Thalha Jubair, 20, and Owen Flowers, 18, had pleaded guilty when their trial opened in June, reversing earlier not-guilty pleas.
Scattered Spider is a loosely organised criminal group, operating largely through online chat platforms, that specialises in tricking company employees into handing over login details. They then use those details to break into corporate systems and cause as much disruption as possible, sometimes demanding payment to stop.
The pair were convicted over a 2024 attack on Transport for London, the public body that runs the capital's buses, underground trains and other transit services. The breach forced TfL to shut down systems used by staff and customers alike, disrupting services and triggering a months-long recovery effort that ultimately cost £29 million.
Both men were arrested in September 2025. The NCA described the case as "the largest cybercrime prosecution ever brought before the UK courts".
Should Londoners who use TfL be worried?
The immediate threat from this specific attack is over. TfL has had more than a year to rebuild its systems since the breach, and the two people convicted of carrying it out are now behind bars. That said, if you used TfL services in late 2024, it is worth checking whether you received any notification from TfL about your personal data, and keeping an eye on your bank statements and email for anything unusual.
The NCA noted in a statement that, although other criminals may still use the Scattered Spider name, Thursday's sentences "effectively halted the group's criminal activity". Microsoft independently confirmed to the agency that the arrests measurably degraded the group's ability to keep operating.
That assessment comes with a caveat. Despite several arrests in 2025, hackers using the Scattered Spider name continued claiming attacks into early 2026. No new attacks have been publicly linked to the group in recent months.
Prosecutions of other suspected members are continuing on both sides of the Atlantic. Tyler Buchanan, a British national believed to be part of the group, pleaded guilty in a US court in April, as first reported by SecurityWeek. Peter Stokes, a 19-year-old holding dual US-Estonian nationality, was recently extradited to the United States to face charges there.



