Teen hackers jailed 11 years for £29m TfL cyberattack livestream
Teen hackers jailed 11 years for £29m TfL hack

Two teenagers who paralysed Transport for London (TfL) in a £29 million hack and livestreamed the attack have been jailed for 11 years. Thalha Jubair, 19, and Owen Flowers, 18, spent six days inside TfL’s servers using log-ins of its chief information security officer after requesting a password reset.

Attack on critical infrastructure

The pair infiltrated so deeply they obtained the highest privileged access, known as ‘the keys to the kingdom’. They stopped all contactless and Oyster payments, prevented live Tube info on TfL’s apps and website, and even viewed celebrities’ accounts. TfL ‘pulled the plug’ on the entire system, resetting the passwords of all 27,000 staff.

Judge Mr Justice Spencer jailed each of them for five and a half years, saying despite their relative youth and neurodiversity, the offending is ‘so serious that I have no alternative but to pass a sentence of immediate custody’. He told them: ‘I am satisfied that your actions were primarily motivated by selfless bravado, heedless of the severe consequences for others.’

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

Scattered Spider gang

Flowers, who lived with his grandma in Walsall, and Jubair, of Bow, east London, were in cyberhacking gang Scattered Spider, which made millions from blackmail, Woolwich crown court heard. The loosely organised gang of young mainly English-speaking cyber-criminals has been linked to dozens of other attacks, including high-profile hacks on Jaguar Land Rover, costing an estimated £1.9 billion, Marks and Spencer and the Co-op.

M&S was targeted by the hackers in April last year, with the retailer shutting a raft of systems down in response on Easter Sunday. The company said the cyber-attack cost the firm around £300 million after it shut down its website for six weeks. Meanwhile, Co-op saw payments disrupted and shelves left empty the following month because of the fallout of its cyber-attack. Hackers also stole Co-op members’ personal data, such as names and contact details. Around the same time, Harrods restricted internet access across its websites following attempts to gain unauthorised access to its systems. Those attacks caused losses of £206 million.

Prosecution details

Prosecutor Mark Fenhalls KC called the TfL hack an ‘unprecedented attack on critical national infrastructure… remarkably sophisticated, on a grand scale’. He added: ‘The consequences were extremely serious, both in disruption to the public, and remedial work that occupied thousands of hours of work by many, many people, and ultimately cost the public purse £29 million.’ He told of a ‘potential consequential loss of £56 billion to the UK economy had they encrypted or destroyed OneLondon – a central TfL system they gained administrative rights’ to.

The pair carried out the hack between August 31 and September 3, 2024. At one stage during the attack – in August and September 2024 – Jubair bragged on a hackers’ forum: ‘Scattered Spider is creating webs on the undergrund (sic).’ Flowers responded: ‘LOL… this was me.’ Mr Fenhalls said: ‘They searched for and browsed various celebrities and viewed their details stored in the system but were unable to fully access credit card details.’

Other crimes and backgrounds

Flowers also admitted hacking two US healthcare companies. During one attack he messaged an associate that ‘we might be able to extort… but locking is risky might kill some 90yr old on life support’. Mr Fenhalls said the pair filmed themselves hacking TfL, allowing investigators to see how they worked. At one stage they worked together continuously for 16 hours.

Flowers and Jubair admitted conspiracy to commit unauthorised acts in relation to a computer and causing or creating a significant risk of serious damage to human welfare. Jubair and Flowers both have histories of cyber-related activity. At 16, Flowers was visited by a Cyber Choices preventive policing team in October 2023, where he was served with a cease and desist notice over ‘swatting’ – false 911 calls in the US to draw an armed police response. He declined to take part in a rehab programme. When arrested in 2024, he had no income but $7.1 million, including crypto, was in accounts he controlled.

Pickt after-article banner — collaborative shopping lists app with family illustration

Jubair previously hacked BT, EE and computer chip giant Nvidia, and has convictions for 22 offences including 13 frauds. He was subject to a youth rehabilitation order at the time of the TfL offences. He is also wanted in the US, where he faces up to 95 years in jail. At least $200 million in crypto was moved through his accounts in 2025. He was also convicted of stalking two young women at a youth court and hacking into a City of London Police server. Both defendants have been diagnosed with autism, while Jubair also suffers from depression and a severe mood disorder.