Two young men accused of being key operators inside the cybercrime group Scattered Spider pleaded guilty in a London court this week to charges arising from the August 2024 cyberattack that brought large parts of Transport for London (TfL) to its knees. Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall in the West Midlands, both changed their pleas on the first day of what had been scheduled as a multi-week trial, abruptly ending a prosecution that the National Crime Agency had been building for nearly two years.
The collapse of the defense on day one is a significant win for UK law enforcement and a milestone in the global crackdown on one of the most disruptive English-speaking hacking collectives of the decade. Both men are now slated to be sentenced at a London court on July 15, 2026.
A Day-One Reversal
Jubair and Flowers had each previously pleaded not guilty in November 2025, and a trial date was set for June 2026. The expectation was a contested, weeks-long proceeding. Instead, when the case was called, both defendants admitted the charges against them — a reversal that spares prosecutors a drawn-out fight and effectively confirms the central allegation: that two members of Scattered Spider reached into the digital infrastructure of London’s transport authority and caused tens of millions of pounds in damage.
This is a thread breached.company has followed from the start. The two were first charged in September 2025 in connection with the £39m Transport for London cyberattack, and then pleaded not guilty in November 2025 as the June 2026 trial date was set. The guilty pleas this week close the loop on that timeline.
What Happened to Transport for London
The attack itself unfolded across late August and early September 2024. Between roughly August 31 and September 3, 2024, intruders breached TfL’s network and triggered a cascading operational crisis that the agency spent months untangling.
The disruption was severe and highly visible. TfL was forced to take systems offline, and the fallout reached deep into its workforce: all of the authority’s tens of thousands of staff were required to attend in-person identity checks to reset their passwords and credentials, a manual remediation effort of extraordinary scale. Customer-facing services were degraded for weeks. Refund systems, Oyster photocard services, and online account functions were knocked out or curtailed, and TfL confirmed that some customer data — including names, contact details, and in certain cases bank account information tied to refunds — had been exposed.
The financial toll was steep. The incident has been pegged at roughly £39 million in impact, a figure that captures the remediation, the lost services, and the sprawling cleanup that followed. For a public transport body that moves millions of people daily, the attack was a stark demonstration of how a credential-driven intrusion can ripple far beyond the IT department and into the daily lives of an entire city.
The Scattered Spider Connection
Jubair and Flowers are described by investigators as members of Scattered Spider — the loose, financially motivated collective also tracked under names like Scattered Lapsus$ Hunters and, more broadly, “the Com,” the sprawling online subculture from which many of its members are drawn. The group built its reputation not on novel malware but on social engineering: phishing, SIM swapping, help-desk impersonation, and the patient theft of credentials that let attackers walk through the front door of major organizations.
Evidence in the TfL case fit that profile. Investigators recovered material tying the defendants directly to the intrusion, including a laptop bearing a screenshot of connections into TfL infrastructure and signs that one of the men had accessed an online marketplace trafficking in stolen credentials. According to the NCA, the pair coordinated over Telegram and worked through a shared online workspace as the attack played out — the kind of informal, chat-driven collaboration that has become a signature of Com-affiliated operations.
Jubair, in particular, has surfaced beyond the UK case. US reporting has linked him to broader Scattered Spider activity, underscoring how the same individuals tend to recur across multiple campaigns and jurisdictions as investigators piece together the group’s membership.
Part of a Tightening Dragnet
These guilty pleas do not stand alone. They land amid a sustained, cross-border law enforcement push against Scattered Spider that has been steadily converting alleged members into defendants and convicts.
In April 2026, Scattered Spider member Tyler Buchanan pleaded guilty in a US federal court to wire fraud conspiracy and aggravated identity theft, facing up to 22 years. Before him, Noah Urban became the first Scattered Spider member sentenced, receiving 10 years and a $13 million restitution order. The arrests have spanned continents, from the US to the UK to a recent arrest in Finland.
And yet the group’s operational tempo has not stopped. Even as members are picked off, the collective — or those operating under its banner — has continued to evolve, with breached.company documenting how Scattered Spider pivoted to the insurance sector with the Aflac breach, signaling a new wave of attacks against a fresh class of targets. The pattern is consistent: as fast as law enforcement closes cases, the techniques migrate to the next set of victims.
What the Pleas Mean
For TfL, the guilty pleas bring a measure of closure to an incident that disrupted a major piece of national infrastructure and forced an entire workforce through manual identity verification. For prosecutors, securing admissions from two alleged core members — rather than gambling on a jury — is a clean and decisive outcome.
The broader signal is the one that matters most to defenders. Scattered Spider’s success was never about technical sophistication; it was about exploiting people, processes, and the soft edges of identity and access management. The convictions reinforce that the group’s members are young, reachable, and increasingly being held to account — but they do nothing to retire the playbook itself. Every organization that relies on help-desk password resets, third-party support, and trust-based identity verification remains a candidate target.
Sentencing on July 15, 2026 will set the price these two defendants pay. The harder question — how to harden the human layer that Scattered Spider has spent years exploiting — remains open for everyone else.
