CYBERCRIME & LAW

Two Scattered Spider Teenagers Get 5.5 Years Each for the £29 Million TfL Hack

Owen Flowers and Thalha Jubair were sentenced to five and a half years each for the 2024 Transport for London breach that knocked out 148 systems and forced 27,000 staff into offices for in-person password resets.

Matt Lucas  |  July 16, 2026  |  6 min
£29M
TfL losses and recovery
148
TfL systems downed
27,000
staff reset in person
5.5 yrs
sentence each
TL;DR
  • What: Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to 5.5 years at Woolwich Crown Court on 16 July 2026 for the 2024 hack of Transport for London.
  • Impact: The intrusion knocked out 148 TfL systems, forced all 27,000 employees to reset passwords in person, exposed customer data plus bank details for ~5,000 people, and cost £29 million.
  • Fix / mitigation: Google's hardening guidance ties the fix to verifying identity on the manual workflows these crews exploit: password resets, device enrollment, and MFA changes.
  • Who's at risk: Any organization whose help desk and identity workflows can be talked through by a caller, particularly large employers with sprawling legacy systems and third-party access.

They were 17 and 18 when they did it. On Thursday, 16 July 2026, Owen Flowers, now 18, and Thalha Jubair, now 20, were each sentenced to five and a half years at Woolwich Crown Court for the 2024 hack of Transport for London. The National Crime Agency calls it the biggest cybercrime prosecution the UK courts have seen. The attack left 148 TfL systems inoperable and forced all 27,000 of the authority's employees into an office to get their passwords reset in person. Both the NCA and the Crown Prosecution Service put TfL's losses and recovery costs at £29 million.

The intrusion ran from 31 August to 3 September 2024, against an organization that oversees an average of 9 million journeys a day. Dial-a-Ride, the booking service that moves vulnerable Londoners around the city, went down. So did the digital payments channel and the issuing of concessionary travel cards. Applications closed for Oyster photocards, the discounted fare cards for London's children and young people. The extension of contactless ticketing slipped, and refunds crawled. TfL told customers that names, email addresses, and home addresses had been accessed. Oyster refund data may have gone too, including bank account numbers and sort codes for around 5,000 people.

A legal first, and a very large hypothetical

Both men pleaded guilty on 22 June 2026, the day their trial was due to start. The charge was Section 3ZA of the Computer Misuse Act 1990, the Act's most serious. They admitted it on the basis that they were reckless as to whether they caused or created a significant risk of serious damage to human welfare. The CPS says Flowers and Jubair are believed to be the first hackers successfully prosecuted under Section 3ZA; the NCA counts it as only the second prosecution of its kind. Neither agency explains the gap between the two counts, though the readings can sit together, one counting prosecutions brought and the other counting convictions won.

The case's biggest number never happened. The NCA says a successful shutdown of the network could have cost the UK economy up to £56 billion, with the CPS putting the same hypothetical at billions. It stayed hypothetical, the CPS says, because TfL pulled its own network down to contain the intruders. Only the two of them knew what they meant to do, prosecutors say, though their chats suggested they would wipe the access on the way out.

The arrest is what stopped him

Flowers was arrested at home on 6 September 2024, three days after the TfL intrusion ended. The NCA says officers found him mid-attack on two US healthcare organizations, SSM Health Care Corporation and Sutter Health. Flowers admitted a conspiracy against SSM Health and an attempt against Sutter Health. The CPS says he threatened to lock those systems down while acknowledging in chats that it "might kill some 90-year-old on life support."

The evidence, and the brand

The forensics were unusually concrete. Investigators seized laptops, tower computers, hard drives, and USB sticks. One laptop held a screenshot of network connectivity to TfL infrastructure, plus videos Flowers had recorded of Jubair moving through TfL systems during the attack. The pair were messaging on Telegram while it happened and sharing an online workspace. Prosecutors proved Flowers had been connected to the remote server used to launch all three intrusions, and his own devices linked him to all three. The information linking Jubair to TfL was uncovered overseas, obtained with help from prosecutors there.

The NCA describes both men as leading members of Scattered Spider, the extortion crew also tracked as Octo Tempest, UNC3944, and 0ktapus. The CPS is more careful, saying the defendants claimed at various points to be members of a group that prosecutors believe carried out hundreds of attacks between 2022 and 2025. The FBI, quoted in the NCA's announcement, ties the group to data extortion, SIM swapping, and social engineering. Jubair's other case is still open: a complaint unsealed in New Jersey in September 2025 accuses him of computer fraud, wire fraud, and money laundering conspiracies, putting the scheme at roughly 120 network intrusions and at least 47 US victims between May 2022 and September 2025, with more than $115 million paid in ransoms. Those are allegations, untested in court. Neither the DOJ nor Thursday's UK releases address extradition.

The RedEye take

Strip away the £56 billion headline and the story is smaller and sharper than the coverage suggests: two teenagers reached the core of a national transport authority, and the thing that saved London from the worst case was TfL's own decision to pull the plug on itself. That is not a win for controls. It is a win for a hard, expensive, manual containment call made under pressure. The NCA and Microsoft say the arrests materially degraded Scattered Spider, and that may be true, but both also concede the brand has life left in it and that other criminals may keep using the name. Arresting two named individuals does not patch the technique. The technique was people talking their way through identity workflows, and that is still fully operational everywhere. Treat this sentencing as a data point about consequences, not as a signal that the threat receded.

There is one number worth sitting with. These two were 17 and 18 when they did it, and the toolkit the state brought to bear is what it always was: a prison term. City of London Police used the sentencing to lobby for Cyber Crime Risk Orders, a power to restrict an offender's devices and services that they do not yet have. Until that changes, deterrence is retrospective. Your defense cannot be.

What defenders should learn

Source

Reporting drawn from The Hacker News, "Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack" by Swati Khandelwal, 16 July 2026, citing the NCA, the CPS, the FBI, DOJ filings, Mandiant, Microsoft, and Google.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us