Skip to main content
Emerging Threats

UK Sentences Two Scattered Spider Hackers to 5.5 Years Over £29 Million TfL Hack

Woolwich Crown Court exterior with formal entrance and institutional architecture.
"Might kill some 90‑year‑old on life support," the Crown Prosecution Service says Owen Flowers wrote in chats that accompanied attacks he helped launch — a line prosecutors used to frame the scale and recklessness of the intrusions that brought two young men to Woolwich Crown Court.

Woolwich Crown Court: sentences and charges

On 16 July 2026 the court sentenced Owen Flowers, 18, and Thalha Jubair, 20, to five and a half years each after both pleaded guilty on 22 June 2026 to the most serious offence in the Computer Misuse Act 1990: Section 3ZA. The pair admitted recklessness as to whether they caused or created a significant risk of serious damage to human welfare, the CPS said. The CPS also says these are believed to be the first convictions under Section 3ZA; the National Crime Agency (NCA) counts the case as the second prosecution under the section, noting a distinction between prosecutions brought and convictions obtained.

Transport for London: the intrusion and immediate impact

The intrusion into Transport for London (TfL) ran from 31 August to 3 September 2024 and left 148 TfL systems inoperable, the NCA reported. TfL had to bring all 27,000 staff into an office to reset passwords in person. Essential services and customer-facing functions were disrupted: Dial‑a‑Ride went down, digital payments and concessionary travel card issuing were interrupted, Oyster photocards for young people closed to applications, contactless ticketing extensions slipped, and refunds slowed. TfL told customers names and email addresses were accessed, along with home addresses where held; Oyster refund data including bank account numbers and sort codes may have been accessed for around 5,000 people.

Evidence, linked intrusions, and alleged intent

Investigators found digital evidence linking Flowers to the remote server used to launch the TfL intrusion and two additional attacks on U.S. healthcare organisations, SSM Health Care Corporation and Sutter Health. Flowers was arrested at home on 6 September 2024, three days after the TfL intrusion ended; the NCA said officers found him mid‑attack on the two U.S. healthcare organisations. Seized devices included laptops, tower computers, hard drives and USB sticks. One laptop reportedly contained a screenshot showing network connectivity to TfL infrastructure and videos Flowers recorded of Jubair moving through TfL systems. The CPS said the pair messaged on Telegram during the intrusions and shared an online workspace.

Flowers admitted two further counts tied to the healthcare intrusions — a conspiracy against SSM Health and an attempt against Sutter Health — and prosecutors highlighted the chats in which he acknowledged that locking those systems down "might kill some 90‑year‑old on life support." The CPS says the arrests stopped those attacks.

Scattered Spider, wider activity, and disruption to the group

The NCA describes both men as leading members of Scattered Spider (also tracked as Octo Tempest, UNC3944, and 0ktapus); the CPS notes the defendants claimed membership of a group prosecutors believe carried out hundreds of attacks between 2022 and 2025. The FBI, quoted in the NCA announcement, ties the group to data extortion, SIM swapping and social engineering. The NCA called the action against Flowers and Jubair the biggest cybercrime prosecution the UK courts have seen and said the arrests effectively halted the group; Microsoft assessed that the arrests materially degraded Scattered Spider's ability to operate. The NCA qualified that other criminals may continue to use the brand.

Outside the Scattered Spider thread, the source notes parallel activity: in January Mandiant tracked an expansion of ShinyHunters‑branded extortion that used the same social‑engineering pattern — vishing to employees, victim‑branded credential harvesting to capture SSO logins and MFA codes, then enrolling the attacker's own device for MFA.

Financial scale, law enforcement posture, and stakeholder responses

The NCA and the CPS put TfL's losses and recovery costs at £29 million. The NCA also cited a hypothetical: a successful shutdown of TfL's network could have cost the UK economy up to £56 billion, a figure the CPS described as putting the potential impact "at billions" before TfL pulled its own network down to contain the intruders. In New Jersey a complaint unsealed in September 2025 accuses Jubair of computer fraud, wire fraud and money laundering conspiracies tied to roughly 120 intrusions and at least 47 U.S. victims between May 2022 and September 2025, with more than $115 million reportedly paid in ransoms; prosecutors allege he moved about $8.4 million in cryptocurrency out of a server wallet during a seizure — allegations that remain untested in court. The complaint carries a maximum across counts of 95 years.

Paul Foster, who heads the NCA's National Cyber Crime Unit, urged organisations to call law enforcement early, saying these convictions probably would not have happened if TfL had not involved police. The City of London Police used the sentencing to advocate for Cyber Crime Risk Orders — a power it does not currently have — that would let courts restrict an individual's devices, online services and technologies; Commander Ollie Shaw described the measure as a "digital prison" for offenders.

What this means for TfL customers, law enforcement, and security teams

  • TfL customers and vulnerable service users: the sentencing confirms the scale of disruption and that personal data (names, emails, some home addresses and refund banking details for ≈5,000 people) were accessed, reinforcing ongoing customer‑facing remediation and monitoring obligations.
  • Law enforcement and prosecutors: the case is being used to mark legal precedent under Section 3ZA and to argue for broader technical powers such as Cyber Crime Risk Orders; the NCA points to international cooperation in linking devices and evidence.
  • Security teams and vendors: the record cites social‑engineering techniques and a practical mitigation highlighted in Google's research — verify identity on password resets, device enrolment and MFA changes — underscoring manual verification workflows as a control to interrupt the playbook described here.

The sentences hand a prison term to two people who were 17 and 18 at the time of the 2024 attacks, and the NCA calls the prosecution a major escalation in how British courts handle large, damaging extortion campaigns. Missing from the public record is any immediate answer on extradition for the outstanding U.S. complaints; for now, the case leaves a clear line of consequence and a set of open operational questions about how criminal brands persist even after high‑profile arrests.

Source: The Hacker News