The two Scattered Spider members behind the 2024 Transport for London attack are going to prison. Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced today to five years and six months — more than eleven years combined — closing what the National Crime Agency calls the largest cybercrime prosecution ever brought before UK courts.
The sentences land almost two years after the pair spent four days inside TfL’s network — between August 31 and September 3, 2024 — in an intrusion that rendered more than 140 systems inoperable, exposed customer data including bank details of Oyster card refund applicants, and ultimately cost the capital’s transport network £29 million to remediate.
Teenagers Against a Transport Network
The ages deserve a moment: Flowers was 16 at the time of the attack, Jubair 18. That profile is Scattered Spider’s signature — the loose, English-speaking collective (overlapping with the community known as “the Com”) built its reputation on native-fluency social engineering: phoning help desks, impersonating employees, defeating MFA through fatigue and SIM swaps, then moving through networks with a speed that embarrassed mature security programs. It’s the same playbook that gutted MGM Resorts and Caesars in 2023, UK retailers in 2025, and — as we covered in our September piece on the group’s fall — made teenagers the most disruptive threat actors in the Western hemisphere.
Both men pleaded guilty on the first day of trial in June — a collapse Krebs on Security noted came only after prosecutors laid out the evidence assembled by the NCA. TfL, notably, refused to pay and rebuilt instead; the £29 million figure is what recovery-without-ransom actually costs a major public body.
The Healthcare Angle Nobody Should Skip
Buried beneath the transport headline is the detail that says the most about this crew: Flowers also admitted conspiring to attack American healthcare systems SSM Health and Sutter Health — not-for-profit hospital networks. And Jubair’s exposure doesn’t end with the UK sentence: he faces separate US charges tied to Scattered Spider’s wider campaign of intrusions and extortion.
Hospitals and public transit are the definition of civilian critical infrastructure, and this group targeted both before either member could legally rent a car. Whatever mythology attaches to teenage hackers, the target list reads like a ransomware cartel’s — because functionally, that’s what Scattered Spider became, working as an affiliate ecosystem alongside groups like ALPHV and, later, the Scattered Lapsus$ Hunters alliance whose insider-threat reach we covered in the CrowdStrike case.
What the Sentence Does — and Doesn’t — Signal
Five and a half years is a serious sentence for defendants this young in the UK system, and prosecutors clearly intended it as a message: the CPS called out the harm to millions of Londoners, and the NCA framed the case as proof that “anonymity” online is negotiable.
Deterrence against the Com demographic, though, has a mixed record. The community’s history — from Lapsus$‘s arrests in 2022 through the steady drumbeat of Scattered Spider detentions in 2024–2025 — shows takedowns disrupt cells without killing the culture; new teenagers keep discovering that a phone call beats a zero-day. What has demonstrably changed is investigative speed: Flowers was first arrested within days of the TfL attack in September 2024. The window between attack and door-knock keeps shrinking, and guilty pleas on day one of trial suggest the evidence packages have become difficult to fight.
For defenders, the operational lessons of TfL remain current, because the group’s successors still run the same play:
- Help desks are the perimeter. Identity-verification procedures for password and MFA resets defeat this crew; sympathy for a stressed “employee” on the phone feeds it.
- Watch for MFA-fatigue and SIM-swap signals on privileged accounts.
- Plan for the refusal. TfL’s £29 million recovery was painful but ransom-free — an option only organizations with tested restoration plans actually have.
Two members are in prison. The playbook isn’t.
Sources
- National Crime Agency — Two sentenced for hacking Transport for London in UK’s biggest ever cyber crime case
- Crown Prosecution Service — Cyberhackers who targeted TfL jailed for more than five years each
- Krebs on Security — Scattered Spider Hackers Plead Guilty on Day 1 of Trial
- BleepingComputer — Scattered Spider members plead guilty to hacking Transport for London


