Teen hackers who live streamed cyber-attack on TfL jailed
- Published
Two men who carried out a cyber-attack which crippled Transport For London (TfL) when they were teenagers have both been sentenced to five years and six months in prison.
Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty in June to carrying out the hack in 2024.
They were described as computer-obsessed loners who carried out the hack as part of the cyber crime collective known as Scattered Spider.
The cyber-attack disrupted TfL's online services for months, stole the personal data of millions of people and left all 27,000 TfL employees needing to reset their passwords in person.
Woolwich Crown Court heard the criminals streamed their 16 hour long cyber-attack online.
The National Crime Agency (NCA) said the rise of young hackers in the UK as one of the biggest threats to the nation's cyber security.
Flowers was 17 and Jubair was 18 when they hacked into the capital's transport authority at 1700 on 31 August.
Telegram messages sent between the pair showed them boasting about gaining access to TfL's database of people with Oyster cards.
The teens then searched the list for the personal details of London celebrities, before attempting to access banking details.
"Scattered Spider is creating webs on the London Underground," Flowers would later joke - referring to the loosely coordinated group of young English-speaking hackers.
The group has been linked to dozens of other cyber-attacks including on retailers Marks and Spencer and the Co-op.
In the last two years young men and boys have been arrested for Scattered Spider hacks in the UK, US, Spain and Finland.
Impersonating an employee
The TfL hack saw the data of millions of customers stolen in a spree which started on a Saturday night to maximise their chances of not being discovered by staff.
As revealed by the BBC, the database is still being shared in criminal groups and contains the details of as many as 10 million TfL customers.
Jubair and Flowers, gained access to the data by tricking a phone help desk worker.
They convinced the person to reset the password of an employee they were impersonating.
TfL was alerted to the breach by the NCA and worked to kick the hackers out - but not before the criminals gained the details of millions of people.
The transport authority said the hack could have caused widespread disruption had its IT team not stopped the hackers by logging out all staff - and eventually disconnecting TfL systems from the internet.
In total, 148 technology systems became inoperable and heavily disrupted services including Dial-a-ride - used by disabled and vulnerable Londoners.
TfL says the financial impact of the hack was £29m - in addition it estimates that the incident cost £10m in lost income.
Woolwich Crown Court heard both men were loners who had few offline friends, and spent most of their time online unsupervised.
Judge Mr Justice Turner cited their young age and autism diagnoses as mitigating factors in his sentencing remarks.
Police say Flowers rarely left his house and spent most of his time in his bedroom using his computer.
As previously revealed by the BBC, he had first been given a cease and desist order for minor cyber crime in October 2023 shortly after he turned 16.
A few months later the teenager, who was living with his grandmother and uncle, committed a series of cyber offences.
Flowers was eventually arrested in September 2024 in connection with the TfL attack.
Video of his arrest shows the teenager laughing as he is taken into custody.
In the arrest raid, investigators caught Flowers in the act of hacking two US healthcare providers.
Messages he sent showed him joking about the hacks potentially "killing a 90-year-old on life support".
He pleaded guilty to offences relating to those hacks, along with the TfL cyber-attack.
Police also seized cryptocurrency holdings worth around £1m.
Although Flowers and Jubair were said to have accumulated millions of pounds in stolen or ransomed cryptocurrency, police say their motives were likely about online notoriety more than financial gain.
Like Flowers, Jubair had been known to police for years.
The court heard the single child was given his first laptop at the age of 10 by his parents - carers who moved to London from Bangladesh.
He learned how to code and by the age of 13 had begun interacting with criminals online.
He was first arrested in February 2021 at the age of 14.
In 2023, while still a juvenile, he received a Youth Rehabilitation Order for hacking with the Lapsus$ cyber crime group, which targeted major companies including Nvidia and BT.
Because he was under 18, his identity could not be reported at the time.
Jubair has 22 previous convictions related to hacking, fraud and harassment.
His defence team claimed in court the lonely and suicidal teenager was effectively groomed by older cyber criminals.
He is also wanted in the US in connection with cyber crimes against 47 US-based victims which allegedly led to $115 million paid in ransoms to Jubair and his associates.
Jubair became a high profile hacker in the community of English-speaking cyber crime known as The Com.
But a falling out led to his personal details and images being leaked online by rival hackers.
Some of the videos show Jubair apparently being held hostage and beaten but there is a suggestion this was staged by the wealthy criminal.
Woolwich Crown Court heard that whilst in prison awaiting trial, both Jubair and Flowers were discovered with contraband phones.
Recovered messages show the men continuing to discuss and coordinate future cyber-attacks.
After the sentencing NCA deputy director Paul Foster, head of its National Cyber Crime Unit, said the case highlighted the challenges posed by home grown hackers.
"The online world can expose young people to harmful influences and criminal communities far beyond their front door," he said.
"Parents, carers, educators, technology companies and law enforcement, the whole of society, we all have a role to play in helping to keep young people safe online.
He claimed Scattered Spider was "heavily degraded and disrupted" as a result of the arrests, but cyber security analyst Allison Nixon said it would do little to put off young boys from cyber crime.
"Policymakers need to address this as a violent youth gang problem, with a gang culture that idolizes the destruction of society and maximising victim harm," she said.
Two men plead guilty over £39m TfL cyber attack
- Published22 June
TfL contactless refunds return after cyber attack
- Published4 December 2024
Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.
Facts Only
* Owen Flowers, age 18 from Walsall, pleaded guilty to carrying out the hack in 2024.
* Thalha Jubair, age 20 from east London, pleaded guilty to carrying out the hack in 2024.
* The cyber-attack occurred on August 31, 2024.
* Flowers and Jubair were identified as members of the group Scattered Spider.
* Access was gained by tricking a phone help desk worker into resetting an employee's password.
* The hack resulted in the theft of data for millions of TfL customers, including details of people with Oyster cards.
* The attack caused 148 technology systems to become inoperable, disrupting services including Dial-a-ride.
* TFL estimated the financial impact was £29 million and lost income was estimated at £10 million.
* Flowers was 17 and Jubair was 18 when the hack occurred.
* The judge cited their young age and autism diagnoses as mitigating factors in sentencing.
Executive Summary
Full Take
The narrative presents a stark contrast between the scale of the criminal activity—disrupting critical public infrastructure and stealing millions of personal records—and the context surrounding the perpetrators' backgrounds. The focus shifts from the technical execution of the attack to the psychological and systemic failures that allowed this to occur. The involvement of young individuals linked to a decentralized group like Scattered Spider suggests a complex intersection of online notoriety, perceived power, and self-directed destructive behavior, rather than purely transactional financial gain, as suggested by police assessment regarding cryptocurrency.
The system’s vulnerability was exploited through social engineering—impersonating an employee—highlighting that institutional security is often contingent on human trust rather than purely technological safeguards. The sentencing notes the mitigating factors of the young hackers' ages and autism diagnoses, which frames the response within a framework that recognizes developmental context alongside criminal accountability. However, the commentary from cyber security analysts suggests that focusing solely on individual culpability overlooks the broader sociological dynamics driving youth involvement in destructive online communities, implying that addressing the root cause requires systemic interventions rather than purely punitive measures against the perpetrators. The pattern observed is one where significant real-world damage occurs through a mechanism (social engineering) facilitated by an underlying culture of unsupervised, high-risk online interaction among vulnerable individuals.
Bridge questions: What specific educational or therapeutic interventions could address the environment that allows some young individuals to gravitate toward and find purpose in destructive cyber collectives? How should accountability frameworks adjust when mitigating factors like developmental conditions are presented in sentencing for large-scale societal disruption? Does the focus on policing these networks shift responsibility away from the social and technological structures that enable such infiltration?
Sentinel — Human
The text exhibits characteristics of well-researched journalistic reporting, weaving together legal outcomes, criminal context, and expert commentary.
