The 2 British Scattered Spider members collared for finishing up the 2024 cyberattack on Transport for London (TfL) will every spend 5 and a half years in jail after being sentenced on Thursday.
Owen Flowers, 18, and Thalha Jubair, 20, have been sentenced to 5 years and 6 months’ imprisonment every, having pleaded responsible in June, in flip receiving a 15 % discount of their sentences.
Sentencing the pair at Woolwich Crown Court docket, Mr Justice Turner famous each cybercriminals’ immaturity, however acknowledged the sophistication of the offending, the size of the affect on TfL, the numerous planning behind the assault, and that each knew the criminality of their actions.
Mr Justice Turner additional famous the age hole between the pair, and that the one yr and 4 months Jubair has on Flowers “marks a probably important distinction in maturity.”
The decide additionally acknowledged each defendants’ neurodiversity in passing the sentence, which he stated was probably the most lenient, whereas nonetheless reflecting the seriousness of their offenses.
Flowers and Jubair have been described by authorities as members of Scattered Spider, the loosely related group of English-speaking particular person cybercriminals considered largely younger males aged 16-25.
Scattered Spider has been one of the crucial outstanding cybercrime teams of the previous few years, claiming duty for main assaults reminiscent of these on MGM Resorts in 2023 and the assaults on British retail giants in 2025.
The Nationwide Crime Company (NCA) stated the group introduced probably the most important cyber menace to the UK, and right this moment’s sentencing closes the e book on the largest prosecution of cyber offenders in UK historical past.
NCA officers have regularly refused to touch upon whether or not Flowers or Jubair have been linked in any approach to different main assaults claimed by Scattered Spider.
The sentencing marks solely the second conviction underneath Part 3ZA of the Pc Misuse Act 1990 (CMA) – reserved for probably the most critical offenses.
Part 3ZA covers unauthorized acts involving computer systems that trigger, or create a major danger of, critical injury, the place the offender intends to trigger that injury or is reckless as as to if it happens.
Flowers and Jubair pleaded responsible on the idea that their actions have been reckless.
The one earlier 3ZA conviction got here final yr and concerned a former GCHQ intern who was jailed for six years following a nationwide safety investigation. The NCA stated there have been no parallels between this case and the TfL assault.
Deputy Director Paul Foster, head of the NCA’s Nationwide Cyber Crime Unit, stated: “That is the biggest cybercrime prosecution ever introduced earlier than the UK courts and the fruits of almost two years of painstaking work by the NCA, CPS, and our policing companions.
“Scattered Spider has been probably the most important cybercrime menace to the UK lately. By way of this investigation, we’ve severely disrupted that menace and introduced key offenders to justice.
“The assault on Transport for London brought on important monetary hurt and disruption to a significant a part of the UK’s essential infrastructure. These convictions would doubtless not have been doable had Transport for London not engaged with legislation enforcement early, so I’d urge another group to please do the identical in such circumstances.
“We are going to proceed working with companions within the UK and abroad to determine offenders and produce them to justice.”
Andy Lord, London’s Transport Commissioner, stated: “We welcome the information that two folks charged in relation to the cyber incident which impacted our operations in 2024 have now been sentenced.
“The safety of our programs and buyer knowledge is extraordinarily vital to us, and we regularly monitor our programs to make sure solely these authorised can acquire entry and proceed to take the required actions to guard TfL.”
How TfL assault unfolded
Scattered Spider members are identified for his or her phishing, voice phishing (“vishing”), and social engineering techniques to achieve footholds in goal networks, and TfL was no totally different.
Flowers and Jubair bought partial TfL credentials from “well-known prison boards” and used these to reset the 2FA on worker accounts, a course of that took a number of makes an attempt.
Woolwich Crown Court docket heard that the pair impersonated an worker and socially engineered a TfL helpdesk employee into resetting the password for his or her account.
The pair gained entry to TfL’s community on August 31, 2024, and held on to that entry till September 3. Throughout this time, they labored to raise their privileges and acquire entry to key inside programs, together with databases containing info on what was initially considered solely round 5,000 folks.
It wasn’t till earlier this yr that it grew to become identified that Scattered Spider truly gained access to around 7 million users’ data.
The assault had minimal disruption to the transport community in actual phrases, though the supply of a number of providers suffered, reminiscent of account logins, buyer portals, and third-party apps reliant on TfL knowledge.
TfL was not in a position to problem photograph journey playing cards to Londoners till December 4, 2024. A restricted variety of ticket machines additionally malfunctioned on account of the assault, and vacationers paying by contactless card have been unable to view their journey histories on-line.
All the group’s staff, round 28,000 of them, a substantial proportion of whom have been allowed to work remotely, have been summoned to TfL’s workplaces to reset their passwords due to uncertainties round whether or not the attackers have been nonetheless within the community.
Though prepare and bus providers weren’t affected, the prices related to remediating the assault climbed to £29 million ($39 million).
A number of complexities
The NCA stated the investigation that led to right this moment’s sentencing was maybe much more sophisticated than Operation Chronos, which crippled the once-dominant LockBit ransomware group.
Bringing Flowers and Jubair to justice concerned delicate administration, owing to their ages, backgrounds, and neurodiversity.

Flowers, for instance, was identified to UK legislation enforcement previous to the TfL assault, and investigating officers suspected his involvement from the outset, though he couldn’t be named till September final yr resulting from his age.
{The teenager} was initially arrested on suspicion of his involvement within the TfL assault on September 6, 2024, at his three-bedroom house in Walsall, the place he lived together with his maternal grandmother and uncle.
Officers say Flowers spent most of his time at house in his bed room enjoying pc video games and utilizing chat boards, and was primarily motivated by gaining notoriety amongst cybercrime circles.
He was charged and later launched on bail circumstances, which he breached twice in October 2024 and once more in Might 2025 after being handed a warning two months earlier.
Earlier than TfL, Flowers had dedicated lower-level pc offenses. He was visited by police in October 2023 and handed a cease-and-desist order, which officers hoped would deter the then-16-year-old from reoffending.
Flowers was additionally supplied coaching and given recommendation round CMA offences however officers say he didn’t need to have interaction in any of this.
Between then and the TfL assault a yr later, Flowers continued to commit offenses of accelerating severity.
The NCA’s Foster stated the proposed Cyber Crime Danger Orders, introduced in the latest King’s Speech, might have enabled officers to arrest Flowers sooner and impose restrictions that might have higher prevented doable reoffending.
Present powers, reminiscent of critical crime prevention orders, can’t be utilized to offenders underneath the age of 18, and a few CMA offenses don’t meet the standards for critical crime, leaving a spot within the police’s means to handle the danger of reoffending.
“The proposed cybercrime danger orders would supply legislation enforcement with a proportionate preventative instrument, comparable in precept to sexual danger orders to impose circumstances that assist to guard the general public and companies while an investigation continues,” stated Foster.
“These circumstances can be actively monitored, and any breach might end in prison sanctions, together with imprisonment, and that is no matter whether or not the underlying investigation has concluded.
“And I might recommend {that a} Cyber Crime Danger Order, ought to one have been out there to us, would have allowed us to arrest Flowers sooner, probably appearing on info supplied by US or Australian companions.”
Each Flowers and Jubair have autism, and Jubair can also be identified as having melancholy and extreme temper dysfunction.
Like Flowers, Jubair was additionally beforehand identified to UK police, principally resulting from his prior conviction in 2023 associated to his involvement within the Lapsus$ crew that hacked the likes of BT/EE and Nvidia.
Throughout the proceedings, Jubair sat in courtroom alongside fellow Lapsus$ member Arion Kurtaj, who BBC’s Joe Tidy recently revealed is now awaiting trial after his indefinite hospital order ended.
Beneath the age of 18 on the time, and due to this fact unable to be named publicly, Jubair acquired an 18-month youth rehabilitation order, which included a ban on utilizing a VPN, however shortly started reoffending.
Officers pointed to Jubair’s reoffending as one other instance of why Cyber Crime Danger Orders are wanted, because the current authorized mechanisms that restrict the freedoms of criminals reminiscent of burglars and sexual predators usually are not efficient for cyber offenders.

Jubair lived in a two-bedroom condominium on the third ground of a 21-storey council block in Bow, London, together with his two Bangladeshi dad and mom, who each work as carers.
He additionally faces prices additional afield within the US, which have been unsealed in September 2025.
Appearing by way of his Scattered Spider function, between Might 2022 and September 2025, Jubair is accused of compromising 120 networks belonging to 47 US entities, together with essential nationwide infrastructure and the federal courtroom system, which resulted in additional than $115 million in ransom funds being transmitted.
Within the UK, Jubair has 22 earlier convictions in complete, together with 13 for fraud and one for blackmail. He was additionally beforehand sentenced for stalking and harassing two younger girls on-line.
His offending started when he was 14 years previous, and officers stated he had an curiosity in computer systems from an early age.
Jubair, who was first arrested in February 2021, discovered to code by age 13.
He attended college within the Bow area of London, had quite a lot of GCSE {qualifications}, and had tried to enroll in native schools.
Arrests and proof gathering
Flowers’ arrest was by far the extra important of the 2 by way of amassing proof linking the pair to the TfL assault.
NCA officers arresting Flowers additionally seized quite a lot of units, together with laptops, tower computer systems, and USB storage units. The evaluation of 1 Acer laptop computer, owned by Flowers, proved to be the pair’s undoing.
Forensic evaluation revealed that Flowers had accessed the distant infrastructure and digital machines that have been used to hold out the TfL assault.
Damningly, officers additionally discovered movies and screenshots, produced by Flowers, depicting the TfL assault in progress. Woolwich Crown Court docket heard that the pair livestreamed the 16-hour assault on-line.
They have been in a position to tie the fee used for the distant infrastructure to a cryptocurrency account discovered on Flowers’ pc and show that the laptop computer was related to this infrastructure on the time of the assault.
Additional, Flowers used the identical cryptocurrency account to pay for meals deliveries he ordered to his house deal with.
The teenager’s pc saved spreadsheets containing partial credentials for TfL staff and contained proof linking him to cyberattacks on US healthcare organizations SSM Well being Care Company and Sutter Well being.
The identical pc additionally contained artifacts linking the exercise to Jubair.
Officers stated they’d entry to sure chat logs inside which a particular moniker appeared often.
They tied this alias to Jubair as a result of it was the identical one used to debate particular flight bookings, lodge bookings, and meals deliveries, all of which might clearly be linked to the 20-year-old. And Officers discovered proof of a cloud storage account containing TfL knowledge, to which Flowers and Jubair had entry.
Units seized from Jubair revealed comparatively little, apart from that he had proven an curiosity in TfL’s programs way back to 2022. ®
Source link

