Scattered Spider Hackers Plead Guilty to £39m TfL Cyberattack Affecting 10 Million Two members of the notorious hacking group Scattered Spider Thalha Jubair (20) and Owen Flowers (18) pleaded guilty to a 2024 cyberattack on Transport for London (TfL) that disrupted services, compromised customer data, and incurred £39 million in damages. The attack, carried out between 29 August and 3 September 2024, targeted TfL’s digital infrastructure, disabling live tube arrival updates on the TfL Go app and website, halting Oyster and contactless payment processing, and preventing new Oyster photocards from being issued. The breach exposed the personal data of 10 million TfL customers, prompting the agency to notify 7 million users via email. The National Crime Agency (NCA) confirmed the pair accessed TfL’s refunds system, delaying reimbursements and leaving some customers financially impacted. Both defendants admitted conspiring to commit unauthorised acts against computer systems under the Computer Misuse Act at Woolwich Crown Court on 1 July 2024. Flowers also pleaded guilty to hacking two US healthcare providers SSM Health Care Corporation and Sutter Health on 6 September 2024. Jubair faces additional charges in the US, where he is accused of participating in attacks on 47 organisations, allegedly extorting over $100 million in ransom payments. The NCA described the duo as part of a growing trend of homegrown, English-speaking cybercriminals, a shift from the historically dominant Russian-speaking hacking groups. Investigators recovered laptops, hard drives, and USB sticks from Flowers’ home, including screenshots of TfL network access and videos of Jubair breaching systems. The pair communicated via Telegram and a remote collaboration tool during the attack. Financial records revealed $10 million moved from Jubair’s crypto wallets after his release from custody in March 2023, with $200 million in crypto transactions linked to his accounts. Flowers, despite having no legitimate income, held $7.1 million in assets, including cryptocurrency. Both defendants have autism diagnoses, while Jubair also suffers from depression and a severe mood disorder. He was previously convicted of 22 offences, including fraud, blackmail, and hacking BT, EE, and Nvidia at age 17, and was under a youth rehabilitation order at the time of the TfL attack. Authorities also discovered an undeclared Bangladeshi passport hidden in his home. Sentencing for Jubair and Flowers is scheduled for 15 July 2024, with both remanded in custody. The case underscores the real-world consequences of cybercrime, as highlighted by the NCA, which noted the attack’s widespread disruption to London’s transport network.

Two Men Plead Guilty in £39m TfL Cyber Attack Disrupting Millions Two UK men, Thalha Jubair (20) and Owen Flowers (18), pleaded guilty to charges related to a major cyber attack on Transport for London (TfL) that caused three months of disruption and financial losses exceeding £39 million. The attack, carried out in summer 2024, was linked to the cybercriminal group Scattered Spider and targeted TfL’s Oyster refund system, customer refund portal, and the application system for child and youth Oyster photocards. The breach, which began on 31 August 2024, left 10 million customers affected, with some unable to access refunds for extended periods. Digital signage and online services were also disrupted, forcing TfL to notify thousands of customers about unauthorized access to personal data. Investigators from the National Crime Agency (NCA) and City of London Police seized laptops, hard drives, and USB devices from the suspects’ homes, uncovering evidence including screenshots and videos of their unauthorized access to TfL’s systems. Both men were arrested on 16 September 2024 and admitted to conspiring to commit unauthorized acts under the Computer Misuse Act. Flowers also pleaded guilty to attempting to hack U.S.-based healthcare systems, including Sutter Health and SSM Healthcare Corporation. Authorities noted that the pair used Telegram and an online collaborative workspace to coordinate their activities, with Flowers accessing tools selling breached credentials. The NCA described the investigation as "lengthy, highly complex, and painstaking," while TfL’s Transport Commissioner, Andy Lord, acknowledged the real-world impact of the attack. The men will be sentenced on 15 July 2025. The case underscores the growing threat of cybercrime to critical national infrastructure, with law enforcement emphasizing its tangible consequences for public services.