In a significant legal development, two British teenagers, Thalha Jubair and Owen Flowers, have pleaded guilty to hacking Transport for London (TfL) in 2024. The investigation into their actions has been conducted by the National Crime Agency (NCA), which has detailed the extensive impact of the cyber intrusion.
Thalha Jubair, a 20-year-old from East London, and 18-year-old Owen Flowers from Walsall in the West Midlands were underage at the time of the offense, which occurred between August 31 and September 3, 2024. Both individuals are allegedly associated with the notorious hacking collective known as Scattered Spider. This group has drawn attention for its involvement in various cybercrimes, marking a troubling trend in youth involvement in sophisticated cyber attacks.
The ramifications of their actions were wide-reaching, costing TfL an estimated £29 million (approximately $38 million) in loss and recovery efforts. According to the NCA, the hack severely disrupted TfL’s services, affecting everything from the customer refund system to the application processes for Oyster photocards designated for children and young people. Additionally, the breach necessitated that all 28,000 employees of TfL physically attend an office for mandatory password resets, illustrating the scale of the disruption caused.
Flowers was arrested shortly after the hacking incident, on September 6, 2024. During the investigation, officers uncovered considerable evidence linking him to not only the TfL breach but also violations involving U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health. Notably, investigators seized an Acer laptop from Flowers that contained crucial evidence, such as a screenshot showing direct network connectivity to TfL systems. This device also revealed that he had accessed a marketplace for selling breached credentials, heightening the severity of his crimes.
Compelling evidence against Jubair emerged through messages exchanged via Telegram and another communication platform, indicating active collaboration between the two men. On Flowers’ laptop, investigators also found a video explicitly showcasing Jubair accessing TfL’s systems. This video serves as critical proof of their combined efforts in orchestrating the cyber attack.
Further complicating Jubair’s legal situation are unsealed charges from September 2025, which allege his involvement in at least 120 different cyber intrusions and extortion incidents that targetted 47 separate entities in the United States. The accusation suggests that these victims collectively paid out more than $115 million in ransom, indicating the scale and professionalism of their operations.
On June 22, at Woolwich Crown Court, both Jubair and Flowers entered their guilty pleas. They are set to receive their sentencing on July 16, a development that many observers will watch closely, considering the implications for both defendants and the larger conversation around cybercrime involving younger individuals.
Paul Foster, the deputy director and head of the NCA’s National Cyber Crime Unit, described the investigation as “lengthy, highly complex, and painstaking.” He noted that the thoroughness of the NCA’s team and their partner organizations forced Jubair and Flowers to confront the reality of their actions and ultimately take responsibility for their criminal behavior.
Foster emphasized the tangible consequences of cybercrime, stating that while such offenses may seem abstract, they have real-world impacts on public systems and infrastructure. He noted the increasing threat posed by homegrown cybercriminals, particularly those associated with groups like Scattered Spider. This loose coalition of English-speaking hackers has been implicated in several high-profile extortion cases, including incidents involving major corporations such as MGM Resorts International, Snowflake, and most recently, Marks & Spencer and Co-op Group.
As the judicial process unfolds, this case underlines the urgency for enhanced cybersecurity measures and the need to address the motivations behind youth engagement in cybercrime. With both Jubair and Flowers set to face their sentences, their case not only highlights the individual actions of these teens but also serves as a critical reminder of the broader issues facing digital security in an increasingly interconnected world.