Scattered Spider members plead guilty in Transport for London hack

▼ Summary
– Two members of the ‘Scattered Spider’ group, Thalha Jubair (20) and Owen Flowers (18), pleaded guilty to hacking Transport for London (TfL) systems between August 31 and September 3, 2024.
– The cyberattack caused £29 million in financial damage, forced all 28,000 TfL employees to reset passwords, and disrupted customer refund services by accessing the Oyster refund system.
– Investigators seized devices from Flowers’ home, including a laptop with evidence of TfL system connectivity and access to a stolen credentials marketplace, and found that the hackers communicated via Telegram and a shared platform.
– Flowers was also linked to intrusions at two American healthcare organizations, SSM Health Care Corporation and Sutter Health, and breached his bail conditions twice in 2025.
– The pair changed their pleas to guilty on the first day of trial at Woolwich Crown Court, with sentencing rescheduled for July 16.
Two members of the Scattered Spider cybercrime group have admitted guilt in connection with the 2024 Transport for London (TfL) hack, a breach that disrupted services across the capital and caused tens of millions in losses.
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty on the first day of their trial at Woolwich Crown Court. Both had previously denied involvement in the attack, which targeted TfL’s systems between August 31 and September 3, 2024.
TfL, the public body overseeing London’s vast transportation network, handles millions of daily journeys. The September 2024 cybersecurity incident caused operational chaos that lasted for days. Attackers gained access to the Oyster refunds system, disrupting customer refunds and delaying payments for some users.
On September 12, 2024, TfL confirmed that customer data had been stolen. That same day, the UK’s National Crime Agency (NCA) announced Flowers’ arrest. Jubair and Flowers were later arrested on September 18, 2025, after investigators uncovered evidence linking them to the TfL breach and other crimes. Flowers violated his bail conditions twice, in March and May 2025.
The NCA revealed that the attack forced all 28,000 TfL employees to visit local offices to reset their passwords. The financial damage to the public transport organization reached £29 million ($38.3 million).
“The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers,” said NCA Deputy Director Paul Foster. “Today’s result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances.”
Investigators seized multiple devices from Flowers’ home, including a laptop containing a screenshot showing connectivity to TfL infrastructure, evidence of access to a marketplace selling stolen credentials, and videos of Jubair breaching TfL systems. The hackers communicated via Telegram and a shared online collaboration platform during the intrusion, the NCA stated.
Beyond TfL, authorities have linked Flowers to intrusions at SSM Health Care Corporation and Sutter Health, both American healthcare organizations.
The two Scattered Spider members were scheduled to stand trial on June 22, but the sentencing was moved to July 16 after they changed their plea.
(Source: BleepingComputer)
