Teen Hackers Thalha Jubair and Owen Flowers Jailed for Major TfL Cyber Attack
Two teenagers belonging to the Scattered Spider hacker collective have been jailed after live-streaming a massive cyber attack on Transport for London.
TEEN HACKERS JAILED OVER CRIPPLING TFL CYBER-ATTACK
Two young cybercriminals who launched a devastating cyber-attack that crippled Transport for London (TfL) have both been sentenced to five years and six months in prison.
Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from East London, pleaded guilty at Woolwich Crown Court to charges under Section 3ZA of the Computer Misuse Act—marking the culmination of the largest and most serious cybercrime prosecution ever brought before a United Kingdom court.
The defendants, who were both teenagers when they carried out the attack in late 2024, were identified by the National Crime Agency (NCA) as leading members of the notorious international hacking collective known as Scattered Spider.
Read more: Michael Thompson Jailed for Life for the Rape and Murder of Kimberley Thompson
The court heard that the catastrophic security breach began at 5:00 PM on Saturday, August 31, 2024, a time deliberately chosen by the hackers to maximize disruption over the weekend when TfL staffing levels were at their lowest.
Jubair and Flowers bypassed security protocols by contacting a telephone helpdesk worker, tricking them into resetting the credentials of an employee they were actively impersonating.
Once inside the system, the pair boastfully messaged each other over Telegram about accessing the database of Oyster card users, even searching the records for the personal details of London celebrities. In an act of online bravado, the teenagers filmed and live-streamed their 16-hour intrusion to other cybercriminals in their online network.
The immediate operational and financial fallout for the capital was immense. Although swift action by TfL and the NCA prevented a total shutdown of the transport network, a staggering 148 technological systems were rendered entirely inoperable.
Read more: Enfield Drill Rappers Emmanuel Popoola & Tayvon Etefia Jailed for 28 Years for Snapchat Gang Murder
To sever the hackers' access, TfL was forced to disconnect its entire infrastructure from the internet, meaning all 27,000 employees had to travel to physical offices to perform mandatory password resets in person.
Crucial public services were severely disrupted, including the Dial-a-Ride booking system utilized by vulnerable and disabled Londoners, while the processing of child photocard concessions and contactless ticketing extensions faced lengthy delays.
The prosecution established that the attack cost TfL £29 million in direct losses and system recovery, alongside an additional £10 million in lost revenue, bringing the total financial deficit to £39 million.
The court was told that had the attack succeeded in completely halting the capital's transport infrastructure, the broader estimated damage to the UK economy could have soared to £56 billion
Read more: Birmingham Mechanic Jailed for 22 Years After Gang Gunman Killed with Skorpion Submachine Gun
Furthermore, the personal data of up to 10 million customers was compromised during the breach and continues to be actively circulated within criminal forums.
Jurors and the court were presented with the troubled and highly active criminal histories of the two young men, who were described as computer-obsessed "loners" who spent their lives unsupervised online.
Flowers, who lived with his grandmother and uncle in Walsall, West Midlands, rarely left his bedroom and had previously ignored a police cease-and-desist order served to him shortly after his 16th birthday.
When investigators raided his home in September 2024, they caught him in the act of hacking two major United States healthcare providers, SSM Health Care Corporation and Sutter Health.
Bodycam footage of his arrest captured Flowers laughing as he was taken into custody. Messages recovered from his computer revealed he had jokingly suggested his attacks on the American hospital systems could "kill a 90-year-old on life support."
Though authorities seized cryptocurrency holdings worth approximately £1 million from him, prosecutors noted the defendants were driven primarily by online notoriety rather than financial gain.
His co-defendant, Jubair, had been known to police since the age of 14. An only child whose parents migrated to London from Bangladesh, he was given his first laptop at age 10 and was communicating with active cybercriminals by age 13.
He had compiled 22 previous convictions for hacking, fraud, and harassment, and had previously received a Youth Rehabilitation Order for targeting multinational firms like Nvidia and BT with the Lapsus$ cyber group.
The court heard that Jubair is also wanted by United States authorities for his alleged role in separate cyber conspiracies targeting 47 US victims, which reportedly resulted in $115 million in extorted ransom payments.
In a damning revelation of their lack of rehabilitation, the prosecution disclosed that while remanded in custody awaiting trial, both Jubair and Flowers managed to acquire contraband mobile phones in prison.
Analysis of the seized devices showed they were actively using the illicit phones to discuss and coordinate future cyber-attacks.
The defendants eventually changed their pleas to guilty on June 22, the day their trial was scheduled to begin.
In handing down the custodial sentences of five years and six months to both men, Judge Mr Justice Turner cited their youth and their respective autism spectrum diagnoses as mitigating factors.
Following the sentencing, Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, welcomed the landmark outcome, stating that the prosecution had "severely disrupted" the Scattered Spider threat.
He added, "The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK’s critical infrastructure. These convictions would likely not have been possible had Transport for London not engaged with law enforcement early."
Security Minister Dame Angela Eagle also praised the joint efforts of the NCA and the City of London Police, warning that the government is bolstering the UK's defenses against such threats.
London's Transport Commissioner, Andy Lord, expressed his gratitude to the investigative teams, reiterating that the security of TfL systems and customer data remains of paramount importance.
More Stories

Michael Thompson Jailed for Life for the Rape and Murder of Kimberley Thompson
14 July 2026 at 11:302 min read
Read More
Enfield Drill Rappers Emmanuel Popoola & Tayvon Etefia Jailed for 28 Years for Snapchat Gang Murder
10 July 2026 at 14:002 min read
Read More
Birmingham Mechanic Jailed for 22 Years After Gang Gunman Killed with Skorpion Submachine Gun
8 July 2026 at 16:003 min read
Read MoreComments (0)
No comments yet. Be the first to share your thoughts!
Leave a Comment
Your email address will not be published. Comments are moderated before appearing.

