Emerging ThreatsData Breaches

Scattered Spider hackers plead guilty to TfL cyberattack

Analyst 207||Source: BleepingComputer
Two young people in hoodies stand on a dimly lit city transit platform at night with scattered papers and a laptop nearby.

“The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers.” — NCA’s Deputy Director Paul Foster

Scope and timeline of the TfL intrusion

Two members of the cybercrime group known as "Scattered Spider" — 20‑year‑old Thalha Jubair and 18‑year‑old Owen Flowers — have pleaded guilty to breaching Transport for London (TfL) systems during a multi‑day intrusion that began on August 31 and continued through September 3, 2024. TfL recorded a cybersecurity incident on September 2, 2024; operational disruptions persisted for days afterward. On September 12, 2024, TfL acknowledged that customer data had been stolen. The National Crime Agency (NCA) said the attack forced all 28,000 TfL employees to attend local offices to reset passwords and caused £29 million in financial damage to the organisation.

Operational impact on customers and services

The attackers accessed data from TfL’s Oyster refunds system and disrupted customer refund services, delaying refunds for some users. The NCA characterised the incident as causing "millions of pounds in losses" and a "significant inconvenience for customers." Those operational effects were publicly acknowledged by TfL on September 12, 2024, when the organisation confirmed customer data had been taken in the attack.

Evidence seized and attacker communications

Investigators who arrested Jubair and Flowers on September 18, 2025, reported seizing multiple devices from Flowers’ home. Among the items the NCA cites were a laptop containing a screenshot that showed connectivity to TfL infrastructure, records of access to an online marketplace selling stolen credentials, and videos that allegedly show Jubair breaching TfL systems. The NCA also stated the intruders communicated during the operation via Telegram and a shared online collaboration platform.

Legal proceedings at Woolwich Crown Court

Jubair and Flowers initially declined to be linked to the incident but changed their pleas to guilty on the first day of proceedings at Woolwich Crown Court. The duo had been scheduled to stand trial on June 22, 2026; however, the sentencing was rescheduled for July 16 after the defendants entered guilty pleas. The NCA announced the arrest of Flowers as a suspect on September 12, 2024; both individuals were arrested a year later on September 18, 2025, after investigators said they recovered incriminating evidence. The NCA also reported that Flowers breached his bail conditions twice, in March and May 2025.

How TfL employees, customers, and security teams are affected

  • TfL employees: The NCA described an immediate operational response that required all 28,000 employees to visit local offices to reset passwords — a measure the agency cited as necessary to contain and remediate the intrusion.
  • Customers and refund claimants: People using TfL services experienced delayed refunds after attackers accessed the Oyster refunds system, and TfL confirmed that customer data was stolen in the incident.
  • Security teams and investigators: The evidence seized — a screenshot of infrastructure connectivity, links to credential marketplaces, video evidence of system breaches, and use of Telegram and collaboration platforms — underscores the range of forensic leads followed by investigators and the kinds of artefacts security teams will need to examine in similar incidents.

The NCA framed the case as an example of how early engagement between victims and law enforcement can be decisive; Deputy Director Paul Foster explicitly urged other organisations to "please do the same" in such circumstances. Flowers has also been linked by authorities to intrusions at two U.S. healthcare organisations, SSM Health Care Corporation and Sutter Health, and investigators said the incriminating evidence recovered extended beyond the TfL attack. With sentencing now set for July 16, the case will resolve questions about punishment and may clarify the scope of activities attributed to the two admitted participants.

Source: BleepingComputer — Scattered Spider members plead guilty to hacking Transport for London

Critical InfrastructureCybercrimeEmerging ThreatsNation-StateNational SecurityRansomwareScattered SpiderUkTransport For London
Related Intelligence

Continue Reading

A cluttered workstation with a laptop, programming books, and notes in a well-lit office setting.

Malicious npm Package Exploits Supply Chain with Multi-Stage Windows RAT

Beware of sneaky impostors in your build dependencies - a recent discovery by JFrog revealed a malicious npm package masquerading as a popular JavaScript tool, hiding a multi-stage Windows remote access trojan. Treat similar-sounding package names with caution, as they could be potential delivery mechanisms for threats.

Analyst 207
Worker's desk with desktop computer, papers, and blurred screen in bright office setting.

LastPass Breach Exposes Customer Data in Supply Chain Hack

LastPass recently discovered a security incident at Klue, a third-party platform they use, which led to an unauthorized actor accessing some customer data through its Salesforce environment. Fortunately, customer vaults and core products remain secure, and swift action has been taken to mitigate the breach.

Analyst 207
Fake pre-order website on a computer screen in a dimly lit room with cityscape view.

Scammers Exploit GTA 6 Hype with Fake Pre-Order Sites

Don't fall for fake GTA 6 pre-order sites promising early access - any unofficial offer is likely a scam, and Rockstar Games will only announce legitimate pre-orders through official channels. Scammers are using professional-looking sites to trick victims into paying hundreds of dollars in cryptocurrency for a fake VIP experience.

Analyst 207
People work in a modern lab with a futuristic robotic arm in the foreground.

Agentic AI Reshapes Offensive Operations

Meet the "script kiddie as a service" era, where AI has erased the old skill barrier, allowing attackers with just intent and access to capable tools to launch sophisticated, autonomous attacks. Agentic AI has made it possible for previously unskilled actors to plan and execute campaigns without needing to pull the trigger themselves.

Analyst 207