Duo accused of role in TfL cyber attack plead guilty after ‘lengthy, highly complex, and painstaking investigation’
Around 10 million people are believed to have been affected by the TfL cyber attack
Ross Kelly
Two young men have pleaded guilty to offenses under the Computer Misuse Act following a cyber attack on Transport for London (TfL) that caused months of disruption and millions in damages.
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested following raids by the National Crime Agency (NCA) and City of London Police in September 2025.
The duo are alleged members of the notorious Scattered Spider cyber crime collective, believed to be responsible for a string of attacks in recent years. The group claimed responsibility for attacks on UK retailers Marks & Spencer and the Cooperative Group, as well as MGM Resorts in the United States.
“The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider," said Paul Foster, deputy director of the National Crime Agency and head of the NCA National Cyber Crime Unit.
Flowers was first arrested in September 2024, at which point NCA officers found evidence that the networks of US healthcare companies SSM Health Care Corporation and Sutter Health had also been infiltrated and damaged.
Investigators found a number of devices at Flowers' home, including laptops, tower computers, hard drives, and USB sticks. One Acer laptop contained a screenshot showing network connectivity to TfL infrastructure.
Flowers had also accessed an online platform selling credentials compromised in previous cyber attacks and data breaches.
Notably, the laptop contained a number of videos that Flowers had recorded, which showed Jubair accessing TfL systems during the attack. At the same time, the pair were messaging each other over Telegram, as well as communicating via an online work collaboration tool.
What happened with the TfL cyber attack?
TfL’s network was infiltrated at the beginning of September 2024, forcing all 28,000 employees to attend a TfL office for a password reset. The cyber attack caused widespread disruption for the rail operator.
Data from TfL’s Oyster refunds system was accessed while its customer refund system was also affected. Elsewhere, the attack shut down the Oyster photocard application system for children and young people.
Around 10 million people are believed to have been affected by the attack, making it one of the UK’s most devastating cyber attacks to date.
Jubair and Flowers are due to be sentenced at Woolwich Crown Court on 16 July.
A lengthy investigation
Foster said the trial is the culmination of a “lengthy, highly complex and painstaking investigation” and hailed law enforcement colleagues for their role in apprehending the duo.
“The perseverance and meticulousness of our officers, and the work of our partner organizations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending," he commented.
“Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public. The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers."
The NCA is urging victims of cyber crime to use the government’s Cyber Incident Signposting Site for direction on which agencies they should report incidents to.
“Today’s result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances," said Foster.
The rise of youth hackers
Upon their arrest in September 2025, Jubair and Flowers were both teenagers, prompting concerns about a potential wave of youth-related cyber crime. As ITPro reported at the time, cybersecurity experts described the incident as a “wake up call” for law enforcement, educators, and society at large.
Anna Chung, principal researcher for EMEA at Palo Alto Networks, said these incidents highlight a failure to “properly engage a generation growing up in a digital-first world”.
“Young people don’t usually turn to online mischief out of malice - it’s often down to a mixture of boredom, technical skills, and a lack of boundaries,” she told ITPro at the time.
So what’s the solution? Chung urged schools and parents to make a concerted effort toward teaching digital ethics, making this a “part of core education”. This, she noted, could be crucial to preventing future incidents.
Chung’s warning over teen hackers is by no means the first, or likely last, that we’ll hear about in coming years.
Indeed, the UK’s Information Commissioner’s Office (ICO) published a report last year which highlighted a spate of cybersecurity incidents at schools across the country, with students bypassing network security controls and gaining access to management systems.
Nipping these types of activities in the bud are crucial, the ICO warned, largely as they have the potential to evolve into more nefarious activities.
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
-
Why is Windows 11 so disliked by programmers – and can Microsoft do anything to change things?Windows isn't the most useful OS in the eyes of developers, with programmers preferring macOS or Linux. But is its bad reputation uncalled for?
-
Why MSSPs need to focus on reducing cyber risk, not adding complexityIndustry Insights The channel also has a role to play in helping organizations adopt AI-enabled security capabilities responsibly
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
Hackers are turning up at law firms to gain physical access to machinesNews The FBI is warning companies to look out for fake IT staff
-
Brit pleads guilty amid Scattered Spider hacking spree claimsNews Tyler Robert Buchanan faces 10 years in jail if found guilty
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businessesNews Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
Interpol teams up with tech firms to seize 45,000 malicious IPs, servers in global cyber crime crackdownNews Operation Synergia III saw 94 arrests - and counting - with malicious IP addresses used in phishing and fraud schemes seized
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life
News With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
-
Cloudflare warns state-backed hackers are ‘weaponizing legitimate enterprise ecosystems’ as ‘living off the land’ attacks surge
News Chinese, North Korean, and Russian-backed threat groups now favor longer-term compromises over brute force attacks
