2 British Men Plead Guilty to Transport for London Hacks
Data Breach Today
Members of Scattered Spider Group Admit Disrupting London Underground Operator
Two young Englishmen pleaded guilty to hacking London Underground operator Transport for London. The 2024 attack by the Scattered Spider cybercrime group members Thalha Jubair, 20, and Owen Flowers, 18, led to $38 million in losses and recovery costs.
Mathew J. Schwartz (euroinfosec) • June 23, 2026
Two Englishmen behind a 2024 hacking incident that disrupted the payment system of London's transport authority pleaded guilty Monday to violating British anti-hacking law.
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from England's West Midlands, changed their not-guilty pleas under Britain's Computer Misuse Act on Monday, the first day they were due to stand trial at Woolwich Crown Court in London. Guilty pleas from the two men, affiliates of the Scattered Spider digital extortion gang, avoid what was set to be a six-week trial.
Jubair and Flowers mounted an attack that ran from Aug. 31, 2024, through Sept. 3, 2024, although Transport for London - which runs the London subway and bus systems - has said the hack's effects lingered for months.
The incident left the transport authority temporarily unable to process payments for the Oyster public transport payment smartcard and degraded Dial-a-Ride public transport service for wheelchair users and others with disabilities. The BBC reported in March that hackers stole data pertaining to 10 million riders (see: London Tube Riders Reporting Payment Difficulties After Hack).
Flowers also admitted to conspiring to commit unauthorized acts against American healthcare firms SSM Health Care and Sutter Health but denied two other charges, which Judge Justice Turner ordered to lie on file, reported Britain's The Guardian newspaper. That means while no verdict was reached on the two charges, they're unlikely to ever be prosecuted.
The two hackers are due to return to the court on July 15 for a two-day sentencing hearing.
Officers from Britain's National Crime Agency and City of London arrested Jubair and Flowers at their respective home addresses on Sept. 16, 2025 (see: Scattered Spider Sting: 2 English Teens Charged With Attacks).
Transport for London is the local government body that runs the day-to-day operations of the city's public transport network, including the London Underground, buses, trams, light rail and river services, and also manages London's main roads.
"The cyberattack on Transport for London had a significant and far-reaching impact, causing major disruption and affecting the day-to-day operations of essential public services," said Nik Adams, deputy commissioner of the City of London Police.
The transport authority said the attack cost it $38 million in losses and recovery costs. All 28,000 employees were required to attend the organization's office to reset their passwords.
As part of their probe into the attack, police first arrested Flowers on Sept. 6, 2024, and seized from him a number of computing and storage devices, which revealed his participation in the intrusions against SSM Health Care and Sutter Health. They also found an Acer laptop that "contained a screenshot of showing network connectivity to TfL infrastructure," evidence that he'd "accessed an online tool selling breached credentials," the NCA said.
"The laptop also contained a number of videos that Flowers had recorded, showing Jubair accessing TfL systems during the attack. The pair were messaging each other over Telegram at the same time and also communicated via an online tool where multiple participants can work remotely on a common workspace," the NCA said.
Police said Flowers "was bailed with strict conditions, which he breached on two occasions," in March and May of 2025.
Jubair was also charged under Britain's Regulation of Investigatory Powers Act with "failing to disclose the PIN or passwords for devices seized from him," the NCA said.
While the conviction of the two homegrown hackers is notable, disruptive attacks and extortion campaigns continue to be launched by homegrown and often teenage attackers. "The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cybercriminals based in the U.K. and other English-speaking countries, epitomized by Scattered Spider," Foster said (see: Scattered Spider Hacker Pleads Guilty in US Federal Court).
Security experts said many members of the loose-knit Scattered Spider collective appear to have emerged in mid-2022 from the Western cybercrime community known as the Com, composed largely of adolescents.
Scattered Spider has been linked to attacks against British high street retailers Marks & Spencer and the Cooperative Group, as well as Jaguar Land Rover (see: Ransomware Defenses Appear to Be Holding; Challenges Loom).
Jubair also faces a U.S. complaint against him, unsealed last September in New Jersey federal court, accusing him of conspiracies to commit computer fraud, wire fraud and money laundering, tied to at least 120 hack attacks, as well as extorting 47 American entities, from mid-2022 through September 2025.
The complaint alleges victims paid at least $115,000,000 in ransom payments to Jubair - aka "EarthtoStar," "Brad," "Austin" and "@autistic" - and his associates.
If convicted of all of the U.S. charges filed against him, Jubair faces a maximum penalty of 95 years in prison.