“This is the largest cybercrime prosecution ever brought before the U.K. courts and the culmination of nearly two years of painstaking work,” Paul Foster, head of the National Crime Center’s National Cybercrime Unit, said in a statement.
Sentences, arrests and pleas
Two young men were sentenced to 66 months in jail for a 2024 cyberattack that brought Transport for London’s network operations to a standstill, the United Kingdom’s National Crime Agency announced. Thalha Jubair and Owen Flowers were arrested at their homes in September 2025 and pleaded guilty "last month just as their trials were set to begin," according to the announcement. Flowers had previously been arrested in connection with the attack in September 2024 but was released after questioning, the agency said.
Roles in Scattered Spider and related collectives
Both men were described by researchers as leading members and highly involved in Scattered Spider, a nebulous hacker subset of The Com. Jubair was also identified as a prolific cybercriminal and a core member of the unbound collective. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told CyberScoop that at the time of Jubair’s arrest “he was one of the four principal people that we associated with Scattered Spider,” and “one of the two most core players.”
Financial trail and U.S. allegations linked to Jubair
U.S. authorities last year accused Jubair of direct, prominent involvement in at least 120 cyberattacks, including extortion of 47 U.S.-based organizations and the January 2025 attack on the federal court system, according to the reporting. Officials said they traced a combined total of at least $89.5 million in cryptocurrency, at the time of payments, to Bitcoin addresses and servers controlled by Jubair. An unsealed criminal complaint alleges two financial services firms paid Jubair $25 million and $36.2 million, respectively, in Bitcoin between June and November 2023.
Techniques used, victims and operational reach
UK authorities and U.S. officials have highlighted a pattern of social-engineering tactics and data extortion associated with Scattered Spider. The FBI assistant director of the Cyber Division, Brett Leatherman, said Thursday the arrests “represent a significant step in holding accountable two members of Scattered Spider, a group that has repeatedly relied on data extortion, SIM-swap attacks, and other social engineering techniques to infiltrate networks and undermine critical services.”
When Owens, now 18, was first arrested for the Transport for London attack in 2024, investigators said he was “in the process of hacking the systems of U.S. health care companies SSM Health Care Corporation and Sutter Health, which had been infiltrated and damaged.” Officials also said Jubair and Owens failed to cooperate after their arrests.
Law enforcement posture and divergent assessments
U.K. officials framed the convictions and sentences as a major disruption. Paul Foster called the prosecution the largest cybercrime case ever in U.K. courts and said the investigation “severely disrupted” the threat. U.K. authorities further asserted the arrests and punishment “effectively halted the group’s criminal activity,” the National Crime Agency said.
At the same time, both the FBI and independent researchers signaled continued concern. The FBI noted in a LinkedIn post that members of Scattered Spider “continue to victimize organizations around the world and cause significant financial and operational harm.” Allison Nixon, chief research officer at Unit 221B, said Jubair and Owens had “significant resources and support,” and that “victim payments were reinvested back into the enterprise.” Nixon described the 66-month sentences as “remarkably lenient considering the period of continuous reoffending lasted longer than the sentence,” and said she hopes the United States will eventually extradite the pair to face additional charges.
What this means for U.K. authorities, the FBI, and victims
- U.K. authorities: The National Crime Agency and the National Cybercrime Unit are treating the convictions as a major legal and operational win, characterizing the case as a severe disruption to Scattered Spider.
- The FBI and U.S. prosecutors: The FBI has publicly warned that Scattered Spider-affiliated actors keep victimizing organizations worldwide and has signaled interest in continued accountability, including through cross-border action and potential extradition.
- Targeted organizations: Transport for London and named U.S. health care companies figure in the public account of impact; the record presented by investigators emphasizes continued risk from social-engineering and extortion tactics even after high-profile arrests.
The 66-month sentences close a major chapter in a case UK authorities called unprecedented in scale, yet the record presented by law enforcement and independent researchers leaves a clear tension: officials say the core group's activity was halted, while others note the Scattered Spider name and its techniques persist in ongoing attacks. Whether these convictions mark a durable break in the group's capabilities or a pause that competitors and copycats will exploit is the central uncertainty left by the case.




