Scattered Spider members behind TfL hack get five years in prison
by Sergiu Gatlan · BleepingComputerTwo leading members of the Scattered Spider cybercrime collective were sentenced to five years and six months in prison each for hacking Transport for London (TfL) in 2024.
On September 2, 2024, TfL (which provides transportation services to more than 8.4 million Londoners) disclosed that its network was breached in August 2024, with the attack disrupting internal systems and online services.
Affected services and platforms included TfL's Dial-a-Ride service, concessionary travel cards, digital payments, and contactless ticketing rollout, as well as the public transportation agency's ability to process refunds. Additionally, 148 systems became inoperable across TfL's network, and all 27,000 TfL employees had to reset their passwords in person after the breach.
While TfL reported £29 million in losses and recovery costs after the attack, officials estimated that the UK economy could have lost up to £56 billion had the threat actors succeeded in shutting down the transport network.
TfL revealed on September 12, 2024, that the attackers had also stolen customer data (including names, addresses, and contact details). Four days later, on September 16, officers from the City of London Police and the UK National Crime Agency (NCA) arrested 20-year-old Thalha Jubair and 18-year-old Owen Flowers at their homes.
Investigators said that Flowers was also in the process of hacking U.S. healthcare companies Sutter Health and SSM Health Care Corporation, and that, at the time of his arrest, devices seized from him included evidence of the TfL intrusion.
Both pleaded guilty last month under the Computer Misuse Act and were sentenced today to five years and six months in prison each.
NCA Deputy Director Paul Foster described Scattered Spider as "the most significant cybercrime threat to the UK in recent years," and he credited TfL's early cooperation with law enforcement for enabling the convictions.
"These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances," Foster said. "We will continue working with partners in the UK and overseas to identify offenders and bring them to justice."
The U.S. Department of Justice also charged Jubair in September 2025 with conspiracy to commit computer fraud, money laundering, and wire fraud in connection with at least 120 network breaches between May 2022 and September 2025.
According to court documents, these attacks affected dozens of U.S. organizations, including critical infrastructure entities and U.S. courts, with Jubair and his accomplices extorting over $115 million from victims worldwide between August 2024 and July 2025.
In July 2025, the NCA arrested four other suspected Scattered Spider members believed to be linked to a wave of cyberattacks against major UK retailers, including Harrods, Marks & Spencer, and Co-op.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.