Teenagers Plead Not Guilty in £39M Transport for London Cyber Attack as Trial Date Set for June 2026

Breaking: Suspected Scattered Spider members deny all charges in devastating TfL breach that paralyzed London's transport infrastructure

In a significant development in one of the UK's most high-profile cybercrime cases, two teenagers accused of orchestrating the devastating Transport for London (TfL) cyber attack have formally pleaded not guilty to all charges. Thalha Jubair, 19, and Owen Flowers, 18, appeared at Southwark Crown Court on Friday, November 21, 2025, entering not guilty pleas to charges stemming from the attack that cost TfL an estimated £39 million and brought London's digital transport infrastructure to its knees for three months.

The court appearance marks the next chapter in a case that has captured international attention, highlighting the growing threat posed by young, English-speaking cybercriminals operating as part of the notorious Scattered Spider hacking collective.

Trial Date Set for Summer 2026

Judge Christopher Hehir announced that a trial date has been scheduled for June 8, 2026, with both defendants required to appear at Southwark Crown Court on February 13, 2026, for a pre-trial review. The lengthy timeline reflects the complexity of the case and the volume of digital evidence that prosecutors must present.

Both defendants stood in the dock together at Southwark Crown Court, speaking only to confirm their names and enter their not guilty pleas to all charges. The charges include conspiracy to commit unauthorized acts against Transport for London under the Computer Misuse Act, with prosecutors alleging the defendants caused "or creating a significant risk of, serious damage to human welfare and intending to cause such damage or being reckless as to whether such damage was caused."

The Scale of the Attack

The cyber attack, which TfL first identified on September 1, 2024, represents one of the most damaging breaches of critical national infrastructure in UK history. The attack resulted in:

• £39 million in damage and recovery costs (updated from initial estimates of £30 million)
• Compromise of 5,000 customers' banking details, including account numbers and sort codes
• Three months of digital infrastructure paralysis
• 25,000 staff forced to report to offices for manual identity verification
• Oyster card systems offline until December 4, 2024
• Significant disruption to "Dial-A-Ride" services for disabled passengers
• Loss of livelihood for people dependent on TfL licenses

According to prosecutors at Westminster Magistrates' Court in September, the alleged attack posed a "significant risk" to the UK economy and London residents. The breach specifically targeted customer data, accessing names, contact information, and Oyster card refund data including bank details.

Additional Charges and International Implications

The case extends far beyond the TfL attack. Flowers, from Walsall in the West Midlands, faces additional charges for allegedly targeting two major US healthcare firms: SSM Health Care Corporation and Sutter Health. These charges highlight the international scope of the defendants' alleged activities.

Jubair, from Tower Hamlets in East London, faces an additional charge under the Regulation of Investigatory Powers Act (RIPA) for refusing to hand over PINs and passwords for his devices when requested by authorities in March 2025.

More significantly, the US Department of Justice has also charged Jubair with conspiracy to commit computer fraud, money laundering, and wire fraud. These charges relate to at least 120 incidents of network breaches between May 2022 and September 2025, affecting at least 47 US organizations. According to court documents, victims have paid Jubair and his accomplices over $115 million in ransom payments—though Jubair has pleaded not guilty to these charges as well.

The Scattered Spider Connection

The National Crime Agency (NCA) has stated that investigators believe the TfL cyber attack was carried out by the criminal hacking collective known as Scattered Spider (also tracked as UNC3944, Octo Tempest, and 0ktapus). This group has been linked to numerous other high-profile breaches, including attacks on:

• Jaguar Land Rover - Production halted for three weeks
• Marks & Spencer - £700 million wiped off market value
• Co-op Group - Severe availability issues
• Harrods - Attempted unauthorized access
• MGM Resorts and Caesars Entertainment - Over $100 million in combined losses

As we previously reported in our comprehensive coverage, Scattered Spider represents a new breed of cybercriminal organization—unlike traditional ransomware groups dominated by Eastern European actors, this collective consists primarily of English-speaking teenagers and young adults from the United States and United Kingdom.

Sophisticated Social Engineering Tactics

What makes Scattered Spider particularly dangerous is their mastery of social engineering rather than purely technical exploits. The group has become notorious for:

• Phone-based vishing attacks that exploit native English fluency
• Impersonating IT staff to convince help desk personnel to reset credentials
• MFA bombing and SIM swapping techniques
• Joining incident response calls to monitor security teams' activities
• Searching victim communications for security discussions

Paul Foster, head of the NCA's National Cyber Crime Unit, emphasized the significance of the case: "This attack caused significant disruption and millions in losses to TfL, part of the UK's critical national infrastructure. Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example."

Wider Law Enforcement Crackdown

The arrests of Jubair and Flowers in September 2025 represent just one piece of an unprecedented global crackdown on Scattered Spider operations. Recent law enforcement actions include:

• Tyler Buchanan - Alleged ringleader arrested in Palma de Mallorca with $27 million in Bitcoin
• Noah Urban - First Scattered Spider member sentenced to 10 years in federal prison
• Four UK arrests - Connected to the £440 million retail attacks on M&S, Co-op, and Harrods
• Las Vegas juvenile surrender - Latest member to face charges related to casino attacks

TfL's Response and Recovery

Transport for London has been praised by law enforcement for its swift action in reporting the breach and cooperating with investigators. The organization implemented multiple security measures following the attack, including:

• All-staff IT identity checks requiring in-person verification
• Enhanced authentication procedures
• System-wide security reviews
• Ongoing collaboration with the National Cyber Security Centre

TfL has stated that it continues to work closely with the NCA and the National Cyber Security Centre to investigate the incident. The transport operator has also reported the data breach to the Information Commissioner's Office as required under data protection regulations.

What This Means for Critical Infrastructure Security

The TfL attack represents a watershed moment for critical infrastructure cybersecurity in the UK. The case highlights several crucial vulnerabilities:

1. Human Factor Remains Primary Attack Vector - Despite sophisticated technical defenses, social engineering continues to be the most effective breach method
2. Young, Native English Speakers Pose Unique Threat - Traditional threat models focused on foreign state actors miss the growing danger from domestic cybercriminals
3. Critical Infrastructure Highly Vulnerable - Essential services remain attractive targets with cascading real-world consequences
4. Recovery Costs Exceed Initial Estimates - The true financial impact of cyber attacks often emerges months after the initial breach

Looking Ahead to Trial

With the trial scheduled for June 8, 2026, the prosecution will need to present comprehensive evidence linking Jubair and Flowers to the TfL attack. Digital forensics will play a crucial role, with investigators analyzing seized electronic devices, network logs, and communications records.

The case will likely set important precedents for how the UK prosecutes cybercrime targeting critical national infrastructure. Given the international dimensions—particularly the US charges against Jubair—extradition proceedings may follow regardless of the UK trial's outcome.

For cybersecurity professionals, the trial will provide valuable insights into Scattered Spider's tactics, techniques, and procedures (TTPs), potentially informing defensive strategies across multiple sectors.

The Broader Scattered Spider Campaign

As we've extensively documented, Scattered Spider's activities have expanded dramatically through 2024 and 2025. The group has demonstrated an evolving targeting strategy, moving from telecommunications companies to casinos, then to UK retail giants, and most recently to the insurance sector and aviation industry.

The Cyber Monitoring Centre has classified many of these attacks as part of a "single combined cyber event" with total losses estimated between £270-440 million ($363-592 million) across the UK retail sector alone.

Security Recommendations

In light of the TfL attack and the broader Scattered Spider campaign, organizations should implement:

• Phishing-resistant MFA using hardware-based authentication like FIDO2 security keys
• Enhanced help desk procedures requiring callback verification and managerial approval for sensitive actions
• Continuous security awareness training emphasizing social engineering recognition
• Privileged access management with strict controls on administrative accounts
• Real-time monitoring of identity and access management systems
• Incident response planning that accounts for adaptive adversaries

Conclusion

As Jubair and Flowers await their June 2026 trial, the cybersecurity community continues to grapple with the implications of teenage hackers capable of bringing critical national infrastructure to its knees. The not guilty pleas ensure that the case will proceed to a full trial, providing an opportunity for prosecutors to present evidence and for the defense to challenge the allegations.

The outcome of this case will resonate far beyond London's transport network. It represents a critical test of the UK's ability to prosecute sophisticated cybercrime and protect essential services from increasingly bold attacks by young, technically proficient criminals operating from within its own borders.

For millions of Londoners who depend on TfL daily, and for organizations worldwide managing critical infrastructure, the stakes couldn't be higher.

For comprehensive coverage of the Scattered Spider threat landscape, read our previous in-depth reports:

• Two Teenagers Charged in £39M Transport for London Cyber Attack
• The Fall of Scattered Spider: Teen Charged in $100M Las Vegas Casino Heist
• Major Breakthrough: Four Arrested in £440M Cyber Attacks on UK Retail Giants
• Scattered Spider Pivots to Insurance Sector
• Aviation Under Siege: The 2025 Airline and Airport Cyberattack Crisis

This developing story will be updated as more information becomes available from court proceedings.