UK arrests teens behind ‘Scattered Spider’ Transport for London hack

Summary

– Two UK teenagers, Owen Flowers and Thalha Jubair, have been arrested for their alleged involvement in the August 2024 cyberattack on Transport for London.
– Both suspects are believed to be members of the Scattered Spider hacking collective and face charges for computer misuse and fraud related to the TfL breach.
– The attack caused significant disruption and financial losses to TfL. It did not affect transportation services, but it did compromise customer data, including names and contact details.
– Flowers faces additional charges for conspiring to attack U.S. healthcare companies, while Jubair has been charged by the U.S. Department of Justice for global cybercrimes involving at least 120 network breaches and $115 million in ransom payments.
– The NCA had previously warned of increasing cyber threats from UK-based criminals and arrested four other suspected Scattered Spider members in July for attacks on major retailers.

British authorities have apprehended two teenagers in connection with a major cyberattack on Transport for London that took place in August 2024. The suspects, identified as 18-year-old Owen Flowers from Walsall and 19-year-old Thalha Jubair from East London, are thought to be affiliated with the notorious Scattered Spider hacking group. Both are due to appear at Westminster Magistrates Court today.

Flowers had previously been detained in September 2024 over his alleged role in the TfL incident but was later released on bail. Since that time, the National Crime Agency uncovered further evidence suggesting his involvement in attacks targeting healthcare providers in the United States.

The pair now face charges related to computer misuse and fraud stemming from the breach of London’s public transport systems. Flowers is additionally accused of conspiring to attack the networks of two U.S.-based healthcare organizations, SSM Health Care Corporation and Sutter Health.

Deputy Director Paul Foster, who leads the NCA’s National Cyber Crime Unit, emphasized the severity of the incident. He stated, “This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.” Foster also highlighted the growing threat posed by cybercriminals operating from the UK and other English-speaking nations, naming Scattered Spider as a prominent example.

In a parallel development, the U.S. Department of Justice charged Jubair with conspiracy to commit computer fraud, money laundering, and wire fraud. The charges relate to a sweeping campaign of network intrusions and extortion activities affecting at least 47 American organizations between May 2022 and September 2025. A complaint filed in the District of New Jersey alleges that victims paid over $115 million in ransom to Jubair and his associates.

TfL publicly acknowledged the August 2024 cyberattack on September 2, initially reporting no evidence of customer data exposure. However, the breach did interrupt internal operations, online services, and refund processing. A later update confirmed that personal information—including names, contact details, and addresses—had indeed been compromised.

As one of the largest public transit operators in the UK, TfL serves more than 8.4 million Londoners through its integrated network of buses, underground trains, and Crossrail services, managed in collaboration with the Department for Transport.

This is not the first time TfL has been targeted. In May 2023, the Clop ransomware group exfiltrated data belonging to over 13,000 customers from a supplier’s MOVEit file transfer server.

The NCA’s recent actions are part of a broader crackdown on cybercrime. Just last July, four other individuals believed to be members of Scattered Spider were arrested for their suspected roles in attacks against major British retailers such as Marks & Spencer, Harrods, and Co-op.

(Source: Bleeping Computer)
