Two British cybercriminals from the Scattered Spider hacking group have pleaded guilty to a cyber-attack on Transport for London (TfL) in September 2024 that cost £39 million and affected 10 million people. Thalha Jubair, 20, and Owen Flowers, 18, entered their guilty pleas at Woolwich Crown Court on Monday, the first day of what was scheduled to be a six-week trial.
Details of the Attack
The attack occurred between 29 August and 3 September 2024, disrupting TfL services including live tube arrival information on the TfL Go app and website. TfL was also unable to process payments on Oyster and contactless apps or register Oyster cards to customer accounts. The National Crime Agency (NCA) stated that the hackers accessed TfL's refunds system, leaving some customers out of pocket for longer than usual, and shut down the application system for Oyster photocards for children and young people.
TfL confirmed that it had emailed over 7 million customers in September 2024 to inform them about the incident and that some customer data may have been taken. The BBC reported that 10 million TfL customers had their data stolen. TfL handles up to 5 million passenger journeys daily on the London Underground alone.
Guilty Pleas and Charges
Jubair, of Bow in east London, and Flowers, of Walsall in the West Midlands, both admitted conspiring to commit unauthorised acts against computer systems belonging to TfL, causing risk of serious damage to human welfare. Flowers also admitted hacking two US healthcare companies: SSM Health Care Corporation and attempting to hack Sutter Health on or about 6 September 2024.
The pair were remanded in custody by Mr Justice Turner, with a two-day sentencing hearing set for 15 July. Flowers denied two further hacking charges, which were ordered to lie on file.
Scattered Spider Connection
The NCA described both defendants as members of Scattered Spider, an online criminal collective known for targeting high-profile organisations. Paul Foster, head of the NCA's national cyber crime unit, said: “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cybercriminals based in the UK and other English-speaking countries, epitomised by Scattered Spider.” He added that cybercrime has “real-world consequences and impacts hugely on the public” despite appearing “faceless and distant”.
Investigators found devices at Flowers' home, including a laptop containing a screenshot showing network connectivity to TfL infrastructure and videos of Jubair accessing TfL systems during the attack. The pair communicated via Telegram and an online collaboration tool.
Financial and Personal Background
Previous hearings revealed that $10 million was moved from Jubair's crypto wallets after his release from custody in March 2024, and $200 million worth of crypto had passed through his accounts. Flowers held $7.1 million including crypto in accounts he controlled, despite having no source of income. Both defendants have been diagnosed with autism; Jubair also has depression and a severe mood disorder.
Jubair has been convicted of 22 offences, including 13 counts of fraud, two of unauthorised computer access, and one count of blackmail. At the time of the TfL offences, he was subject to a youth rehabilitation order from hacking BT, EE, and Nvidia at age 17. Police also found a Bangladeshi passport hidden down the back of his sofa.
