TfL Hackers Sentenced: Owen Flowers and Thalha Jubair Receive Five and a Half Years for Major Transport for London Cyberattack
Two young hackers, Owen Flowers, 18, and Thalha Jubair, 20, have been sentenced to five and a half years in prison each for their role in a significant cyberattack on Transport for London (TfL) in 2024. The attack disrupted 148 TfL systems, forcing all 27,000 employees to reset passwords in person, and incurred estimated losses and recovery costs of £29 million. This landmark prosecution, brought under Section 3ZA of the Computer Misuse Act 1990, marks one of the most serious cybercrime cases to reach UK courts.
The sentencing took place at Woolwich Crown Court on July 16, 2026, following guilty pleas entered by Flowers and Jubair on June 22, 2026, the morning their trial was scheduled to commence. Both admitted to acting recklessly, creating a significant risk of serious damage to human welfare. The Crown Prosecution Service (CPS) stated that Flowers and Jubair are believed to be the first individuals successfully prosecuted under this specific section of the Act, with the National Crime Agency (NCA) confirming it as only the second conviction of its kind.
TfL Cyberattack Aftermath and Financial Impact
The intrusion, which occurred between August 31 and September 3, 2024, severely impacted TfL’s operations, affecting an organisation that handles approximately 9 million journeys daily. Services such as Dial-a-Ride, essential for vulnerable Londoners, the digital payments channel, and the issuance of concessionary travel cards were rendered inoperable. The attack also led to the closure of applications for Oyster photocards, a crucial fare card for young Londoners, and caused delays in contactless ticketing extensions and refund processing.
Customers were informed that their names and email addresses, along with home addresses where available, had been accessed. Additionally, Oyster refund data, potentially including bank account numbers and sort codes for around 5,000 individuals, may have been compromised.
While the ultimate intentions of Flowers and Jubair regarding the accessed data remain speculative, their communications suggested a plan to wipe their access upon exit. The potential ramifications of a successful network shutdown were immense. The NCA estimated that such an event could have cost the UK economy up to £56 billion, with the CPS also highlighting hypothetical billions in damages. These catastrophic outcomes were averted because TfL proactively took its network offline to contain the intrusion, according to the CPS.
Arrests and Links to Scattered Spider
Owen Flowers was arrested at his home on September 6, 2024, just three days after the TfL hack concluded. The NCA reported that officers discovered Flowers actively engaged in attacks against two U.S. healthcare organisations: SSM Health Care Corporation and Sutter Health. Seized devices included laptops, computers, hard drives, and USB sticks. Crucially, one laptop contained a screenshot of network connectivity to TfL’s infrastructure and videos recorded by Flowers depicting Jubair navigating TfL systems during the attack. The pair communicated via Telegram and shared an online workspace throughout the intrusions.
Prosecutors established Flowers’ connection to the remote server used for all three intrusions, with his own devices corroborating his involvement. Evidence linking Jubair to the TfL attack was obtained from overseas through international cooperation. Flowers also admitted to two additional charges related to the healthcare attacks: conspiracy against SSM Health and attempted intrusion against Sutter Health. The CPS noted that Flowers’ chats indicated awareness of potential fatalities, mentioning that locking down those systems “might kill some 90-year-old on life support.” His arrest prevented further escalation.
Both men are identified by the NCA as leading figures within the cybercrime collective known as Scattered Spider, also tracked under aliases such as Octo Tempest, UNC3944, and 0ktapus. The CPS, while acknowledging the defendants’ claims of affiliation, stated that the group is believed to have conducted hundreds of attacks between 2022 and 2025. The FBI has linked Scattered Spider to data extortion, SIM swapping, and sophisticated social engineering tactics.
Jubair’s Ongoing Legal Battles
Separately, Thalha Jubair faces additional charges in the United States. A complaint unsealed in New Jersey in September 2025 accuses him of conspiracies involving computer fraud, wire fraud, and money laundering. This alleged scheme involved approximately 120 network intrusions and at least 47 U.S. victims between May 2022 and September 2025, resulting in over $115 million in ransoms paid. Prosecutors also allege Jubair’s involvement in intrusions at a U.S. critical infrastructure company and U.S. courts. Furthermore, he is accused of moving approximately $8.4 million in cryptocurrency from a server wallet while agents were in the process of seizing it.
These allegations are currently untested in court, with the maximum potential sentence across all counts being 95 years. Neither the U.S. Department of Justice’s announcement nor the UK’s sentencing releases have addressed extradition proceedings.
Future of Scattered Spider and Cybercrime Prevention
The NCA stated that its actions against Flowers and Jubair have effectively disrupted Scattered Spider’s operations, citing Microsoft’s assessment that the arrests significantly degraded the group’s capabilities. However, the agency acknowledged that other criminal elements may continue to use the Scattered Spider brand. The modus operandi of social engineering, including vishing calls and sophisticated credential harvesting, continues to be employed by other groups, such as ShinyHunters.
Details on how Flowers and Jubair initially infiltrated TfL’s systems have not been fully disclosed. However, cybersecurity best practices emphasize identity verification during password resets, device enrollment, and Multi-Factor Authentication (MFA) changes—processes that cybercriminals often exploit through social engineering. Paul Foster, head of the NCA’s National Cyber Crime Unit, stressed the importance of early reporting to law enforcement, suggesting that these convictions might not have occurred without TfL’s timely notification.
In the wake of these convictions, the City of London Police has reiterated its call for enhanced legal tools, specifically Cyber Crime Risk Orders. These orders would empower courts to restrict an individual’s access to devices, online services, and technologies commensurate with the risk they pose, effectively creating a “digital prison” for offenders. For now, the primary response remains custodial sentences, highlighting the severe consequences of large-scale cybercrime, even for individuals who were minors at the time of their offenses.

