Skip to main content
Threat IntelligenceEmerging Threats

UK Prison Sentences Target Scattered Spider Cyber Duo

Formal facade of a British court building with a government emblem.

"This is the largest cybercrime prosecution ever brought before the UK courts," said Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit.

Sentencing at Woolwich Crown Court

Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five years and six months' imprisonment after pleading guilty in June and receiving a 15 percent reduction in their sentences. Sentencing at Woolwich Crown Court, Mr Justice Turner noted the pair's immaturity while also stressing the sophistication of the offending, the scale of harm to Transport for London (TfL), the significant planning involved, and that both defendants knew the criminality of their actions. The judge recorded the one year and four months' age gap between Jubair and Flowers as a potentially significant distinction in maturity, and acknowledged both defendants' neurodiversity as he imposed what he described as the most lenient sentence that still reflected the seriousness of the offences.

The convictions mark only the second time Section 3ZA of the Computer Misuse Act 1990 has been used. That section covers unauthorised acts involving computers that cause, or create a significant risk of, serious damage where the offender intends the damage or is reckless as to whether it occurs; Flowers and Jubair pleaded guilty on the basis that their actions were reckless. The only previous 3ZA conviction involved a former GCHQ intern who was jailed for six years following a national security investigation, a case the National Crime Agency (NCA) said had no parallels with the TfL attack.

How the TfL intrusion unfolded

Members of Scattered Spider are known for phishing, voice phishing ("vishing") and social engineering, and the court heard that Flowers and Jubair followed those playbooks. The duo purchased partial TfL credentials from "well-known criminal forums" and used those to reset two-factor authentication on employee accounts after multiple attempts. They impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account.

The pair gained access to TfL's network on 31 August 2024 and kept it until 3 September 2024. During that window they elevated privileges and accessed key internal systems, including databases originally thought to contain about 5,000 people but later revealed to include around 7 million users' data. The attack caused minimal disruption to train and bus services, but several customer-facing systems were affected: account logins, customer portals and third-party apps reliant on TfL data suffered outages; photo travel cards could not be issued until 4 December 2024; a limited number of ticket machines malfunctioned; and customers using contactless payments were unable to view journey histories online. Because of uncertainty about whether attackers remained in the network, TfL summoned its entire workforce of roughly 28,000 employees to offices to reset passwords. Remediation costs reached £29 million ($39 million).

Forensics, arrests, and digital evidence

Flowers' arrest on 6 September 2024 at his three-bedroom Walsall home produced a trove of devices that proved decisive. Officers seized laptops, tower computers and USB devices; forensic analysis of an Acer laptop owned by Flowers showed he had accessed the remote infrastructure and virtual machines used in the TfL attack and contained videos and screenshots depicting the attack in progress. The court heard the pair livestreamed the 16-hour intrusion. Investigators linked the payment used for remote infrastructure to a cryptocurrency account found on Flowers' computer, tied that account to food deliveries to his home, and showed the laptop was connected to the infrastructure at the time of the attack.

Flowers' machine also stored spreadsheets of partial TfL credentials, evidence connecting him to cyberattacks on US healthcare organisations SSM Health Care Corporation and Sutter Health, and artefacts linking activity to Jubair. Investigators identified a cloud storage account containing TfL data accessible to both men. Devices seized from Jubair produced comparatively little evidential content beyond showing he had been interested in TfL systems as far back as 2022.

Profiles and prior offending

Flowers was already known to UK law enforcement before the TfL attack. Officials said he spent most of his time at home in his bedroom playing computer games and using chat forums, and was motivated largely by a desire for notoriety within cybercrime circles. He had committed lower-level computer offences, was visited by police in October 2023 and given a cease-and-desist order and offers of training that he did not engage with. He was charged and released on bail, which he breached twice in October 2024 and again in May 2025 after a prior warning.

Jubair had a longer offending pedigree: he was previously convicted in 2023 for involvement with the Lapsus$ crew and has 22 prior convictions in the UK, including 13 for fraud and one for blackmail, plus earlier sentences for stalking and harassing two young women online. Officials said his offending began when he was 14 and he learned to code by age 13. Jubair, who lives in a Bow council flat with his two Bangladeshi parents, faces separate charges in the United States unsealed in September 2025; prosecutors there allege that between May 2022 and September 2025 he compromised 120 networks belonging to 47 US entities, including critical national infrastructure and the federal court system, and that more than $115 million in ransom payments were transmitted.

What this means for Transport for London, the NCA, and policymakers

  • Transport for London: Andy Lord, London's Transport Commissioner, said TfL "welcome[s] the news" of the sentences and reasserted that the security of systems and customer data "is extremely important to us" and that TfL continually monitors systems to protect access.
  • Law enforcement (NCA): Deputy Director Paul Foster described the outcome as the culmination of nearly two years of painstaking work by the NCA, Crown Prosecution Service and policing partners, saying the investigation has "severely disrupted" the Scattered Spider threat and that the agency will continue working with partners in the UK and overseas to identify offenders and bring them to justice.
  • Policymakers: Foster argued that proposed Cyber Crime Risk Orders announced in the most recent King's Speech could have allowed earlier action against Flowers and others, noting existing powers such as serious crime prevention orders cannot be applied to offenders under 18 and that some CMA offences do not meet criteria for serious crime — a gap he said the proposed orders would address by allowing conditions to be imposed and actively monitored even while investigations continue.

The sentences close what the NCA called the biggest cybercrime prosecution in UK history and underscore the practical and legal complexities of policing young, skilled offenders with neurodiverse profiles. The NCA's stated next steps are straightforward: continue joint investigations domestically and overseas to identify and prosecute further offenders.

Original story at The Register