Two Scattered Spider Hackers Sentenced to 5.5 Years Each for £29 Million TfL Hack

Two members of the Scattered Spider extortion group have been sentenced to 5.5 years each for the 2024 hack of Transport for London, in what UK authorities call the biggest cybercrime prosecution British courts have seen.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region6 min read
A Court building representing the sentencing of hackers behind a major transport cyberattack

A Court building representing the sentencing of hackers behind a major transport cyberattack

Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on 16 July 2026 for the 2024 hack of Transport for London, a case the UK's National Crime Agency describes as the biggest cybercrime prosecution British courts have seen.

What the attack actually did

The intrusion ran from 31 August to 3 September 2024 and left 148 TfL systems inoperable, forcing all 27,000 of the transport authority's employees into the office to have their passwords reset in person. TfL oversees an average of 9 million journeys a day, and the disruption reached well beyond back office systems. Dial-a-Ride, the booking service that gets vulnerable Londoners around the city, went down, along with the digital payments channel and the issuing of concessionary travel cards. Applications closed for Oyster photocards, the discounted fare cards used by London's children and young people, the extension of contactless ticketing slipped, and refunds crawled. TfL later confirmed that customer names, email addresses, and in some cases home addresses had been accessed, along with Oyster refund data including bank account numbers and sort codes for roughly 5,000 people. The National Crime Agency and Crown Prosecution Service put the total cost and recovery bill at £29 million.

A charge rarely used, and rarely proven

Both defendants pleaded guilty on 22 June 2026, the day their trial was due to start, to an offence under Section 3ZA of the Computer Misuse Act 1990, the Act's most serious provision. They admitted the charge on the basis that they were reckless as to whether they caused or created a significant risk of serious damage to human welfare. The Crown Prosecution Service says Flowers and Jubair are believed to be the first hackers successfully prosecuted under that section, while the National Crime Agency counts the case as only the second prosecution of its kind, a discrepancy neither agency has clarified but which likely reflects the difference between charges brought and charges that resulted in conviction.

How large the hypothetical damage actually was

Investigators say the pair's private chats suggested an intention to wipe their access on the way out. That is the source of the case's most striking figure: the National Crime Agency estimates that a successful shutdown of the network could have cost the UK economy up to £56 billion, a hypothetical the Crown Prosecution Service also puts in the billions. It stayed hypothetical because TfL pulled its own network down to contain the intrusion before that outcome could unfold, a decision that materially limited the damage at the direct cost of the operational disruption that followed.

How the case came together

Flowers was arrested at his home on 6 September 2024, just three days after the TfL intrusion ended, and the National Crime Agency says officers found him mid attack against two US healthcare organisations, SSM Health Care Corporation and Sutter Health, at the time of his arrest. Investigators seized laptops, hard drives, and USB sticks, including one device holding a screenshot of network connectivity to TfL infrastructure and videos Flowers had recorded of Jubair moving through TfL systems during the attack itself. The pair coordinated over Telegram while the intrusion was underway and shared an online workspace throughout. Flowers separately pleaded guilty to two further counts tied to the US healthcare attacks, including a threat to lock down systems that prosecutors say he acknowledged in chat logs might kill a patient on life support.

Scattered Spider, and what comes next

The National Crime Agency describes both men as leading members of Scattered Spider, the extortion crew also tracked under the names Octo Tempest, UNC3944, and 0ktapus, which the FBI ties to data extortion, SIM swapping, and social engineering across dozens of victims since 2022. Jubair faces a separate, still open case in the United States, where a complaint unsealed in New Jersey in September 2025 accuses him of computer fraud, wire fraud, and money laundering conspiracies tied to roughly 120 network intrusions and more than 115 million dollars in ransom payments across at least 47 US victims, including a critical infrastructure company and the US Courts system. Neither the Justice Department's announcement nor Thursday's UK releases addressed extradition, and the maximum sentence across all US counts is 95 years.

Why the social engineering playbook still matters

Neither the NCA's nor the CPS's public releases explain exactly how Flowers and Jubair first gained access to TfL's network, but the group's established methods, and those of the closely related ShinyHunters extortion brand, are well documented elsewhere. Both rely heavily on vishing calls to employees and victim branded credential harvesting pages designed to capture single sign on logins and multi factor authentication codes, before enrolling the attacker's own device for MFA, the exact pattern seen in Microsoft's year long mapping of the ShinyHunters campaign against Salesforce. It also illustrates why push based MFA is no longer enough to stop account takeover, whether through relentless prompt bombing or a help desk that is simply talked into resetting credentials. The National Crime Agency's own guidance is direct on this point, recommending that organisations verify identity independently before actioning password resets, device enrolments, or MFA changes, precisely the manual workflows these groups exploit.

What this means beyond one prosecution

The National Crime Agency says the arrests materially degraded Scattered Spider's ability to operate, but acknowledges other criminals may continue to use the brand regardless. For enterprise security teams, the case is a useful reminder that the technical sophistication behind attacks of this scale often sits behind ordinary social engineering rather than novel exploitation. Fast, verified identity checks during a live incident matter as much as technical containment, a principle covered in more depth in what happens in the first 72 hours of a breach in the GCC. Paul Foster, who heads the National Crime Agency's National Cyber Crime Unit, said these convictions likely would not have happened had TfL not reported the incident early, a point worth weighing against any organisation's instinct to handle a breach quietly rather than engaging law enforcement from the outset.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Threat IntelligenceSocial Engineering and Identity SecurityCybercrime Prosecutions