Two Scattered Spider hackers plead guilty over Transport for London cyberattack
Two members of the notorious hacker group Scattered Spider have pleaded guilty to charges related to a 2024 cyberattack on Transport for London (TfL) that resulted in £29 million in loss and recovery costs.
Thalha Jubair, 20, from London, and Owen Flowers, 18, from Walsall, pleaded guilty at a court hearing in London to offences under the UK’s Computer Misuse Act and will be sentenced on July 16.
TfL, the public body responsible for much of the capital’s transport network, handles up to 5 million passenger journeys a day on the London Underground alone.
The attack targeted TfL’s computer network between 31 August and 3 September 2024.
“Data from TfL’s Oyster refunds system was accessed and the incident also affected TfL’s customer refund system, leaving some out of pocket for much longer than usual. It also closed down the application system for Oyster photocards for children and young people,” the National Crime Agency (NCA) said.
Following the compromise of its network, TfL required all 28,000 employees to attend an office in person to reset their passwords.
Jubair and Flowers were arrested at their home addresses on 16 September 2025 by officers from the NCA and the City of London Police. Flowers was first arrested on September 6, 2024, as part of the TfL investigation.
Investigators uncovered evidence linking Flowers to intrusions targeting U.S. healthcare providers SSM Health and Sutter Health. Officers seized several devices from his home, including laptops, desktop computers, hard drives and USB storage devices.
One laptop contained a screenshot showing connectivity to TfL infrastructure, while another contained videos recorded by Flowers that showed Jubair accessing TfL systems during the attack. The evidence showed the pair communicating via Telegram and an online collaboration platform used to share access and information.
Flowers later breached his bail conditions on two occasions in 2025.
“This has been a lengthy, highly complex and painstaking investigation,” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit.
“Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public.
“The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers,” Foster added.
“Those who target critical organisations, cause substantial financial harm, and disrupt the daily lives of the public will not do so without consequence,” noted Deputy Commissioner Nik Adams of the City of London Police.