Two young men identified by British investigators as senior figures in the Scattered Spider cybercrime group have been sentenced to five years and six months in prison for breaking into Transport for London’s systems in 2024.
Thalha Jubair, 20, of East London, and Owen Flowers, 18, from Walsall, were sentenced Thursday at Woolwich Crown Court. Both pleaded guilty last month to offences under Section 3ZA of the Computer Misuse Act, the United Kingdom’s most serious computer misuse charge.
The case closed what British authorities described as the largest cybercrime prosecution ever brought before a U.K. court. The offence covers unauthorised computer activity that causes, or risks causing, serious damage to critical infrastructure or public welfare. It carries a maximum sentence of life imprisonment.
Transport for London avoided a shutdown of the capital’s transport network, according to investigators, but the intrusion still hit public services, exposed customer data and cost the authority £29 million in recovery work.
The operational mess was not abstract. All 27,000 TfL employees had to attend offices for in-person password resets. Investigators said 148 internal systems became unavailable, including operational platforms that then required manual workarounds. TfL’s Oyster refund system was also affected, delaying some passenger refunds, and applications for child and young-person Oyster photocards were temporarily suspended.
The National Crime Agency said the damage could have been far worse. If the attackers had managed to disable London’s transport network, the agency estimated the economic impact could have reached £56 billion.
How investigators tied the pair to the attack
The National Crime Agency said Jubair and Flowers were part of Scattered Spider, a loosely organised English-speaking cybercrime network linked to intrusions at organisations in the U.K. and United States. Authorities say the group has targeted airlines, retailers, insurers and technology companies, often using social engineering, SIM-swapping and stolen credentials before moving to ransomware or extortion.
Flowers was first arrested in September 2024. Investigators said he was at the time also compromising systems belonging to U.S. healthcare providers SSM Health Care Corporation and Sutter Health. Searches of his home found laptops, desktop computers, external drives and USB devices, according to authorities.
One laptop contained a screenshot showing connectivity to TfL infrastructure, investigators said. They also recovered videos allegedly made by Flowers that showed Jubair accessing TfL systems during the intrusion. Authorities said the pair coordinated through Telegram and an online collaborative workspace.
Flowers was later arrested again after breaching bail conditions related to device-use restrictions. Jubair also faced an additional charge after refusing to provide passwords and PINs for seized devices.
Police press for post-release tech restrictions
Paul Foster, deputy director of the NCA’s National Cyber Crime Unit, said Scattered Spider had been “the most significant cybercrime threat to the U.K. in recent years” and that the investigation had “severely disrupted” the group. The agency said Microsoft’s independent analysis supported that view, concluding that the arrests materially reduced Scattered Spider’s ability to keep operating.
Commander Ollie Shaw of the City of London Police used the sentencing to support proposed Cyber Crime Risk Orders. Those orders would let courts restrict convicted cyber offenders’ access to devices, online services or technologies after release. Shaw described the idea as a “digital prison” intended to cut reoffending while allowing rehabilitation.
Security Minister Angela Eagle said the case showed the risk cybercriminals pose to the British economy and national infrastructure. London Transport Commissioner Andy Lord welcomed the sentencing and thanked investigators and TfL staff involved in the response.
The investigation was run jointly by the National Crime Agency and City of London Police, with support from the West Midlands Regional Organised Crime Unit, British Transport Police and international partners including the FBI.
Jubair and Flowers were also arrested last July on suspicion of involvement in ransomware attacks against Marks & Spencer, the Co-op and Harrods. Authorities have not charged any suspects in those cases.
This story draws on original reporting from The Record.