**Teenagers Sentenced for Major Transport for London Cyberattack**
Two teenagers, Owen Flowers (18) and Thalha Jubair (20), have been sentenced at Woolwich Crown Court for their roles in a significant cyberattack on Transport for London (TfL) in 2024. On Thursday, 16 July 2026, each was sentenced to five and a half years in prison.
The attack, which took place between 31 August and 3 September 2024, left 148 TfL systems inoperable. This forced all 27,000 transport authority employees to visit an office in person to reset their passwords. The National Crime Agency (NCA) and the Crown Prosecution Service (CPS) estimate that TfL’s losses and recovery costs amounted to £29 million. Both defendants pleaded guilty on 22 June 2026 to Section 3ZA of the Computer Misuse Act 1990, a charge they admitted on the basis of being reckless as to whether they caused or created a significant risk of serious damage to human welfare.
This case is believed to be the first successful prosecution under Section 3ZA, and the NCA notes it is only the second prosecution of its kind. The NCA has called it the biggest cybercrime prosecution seen in UK courts. The intrusion caused widespread disruption, affecting services such as Dial-a-Ride, digital payments, and the issuance of concessionary travel cards. Applications for Oyster photocards for children and young people were closed, and contactless ticketing extensions were delayed. While TfL stated that names, email addresses, and potentially Oyster refund data (including bank details for around 5,000 people) were accessed, the attackers’ specific plans were halted when TfL pulled its network down.
The NCA estimated that a full network shutdown could have caused up to £56 billion in economic damage. Flowers was arrested at home on 6 September 2024, just three days after the attack ended. During the arrest, officers found he was actively attacking two US healthcare organisations: SSM Health Care Corporation and Sutter Health. Evidence seized included laptops, computers, hard drives, and USB sticks, with a laptop containing screenshots and videos of the attack. Messages on Telegram linked the pair during the operation.
Prosecutors confirmed Flowers connected to the remote server used for all three attacks, with his devices linking him to them. Information obtained overseas helped place Jubair at the TfL intrusions. Both men are described as leading members of Scattered Spider (also known as Octo Tempest, UNC3944, and 0ktapus), an extortion-focused hacking group. The FBI has tied the group to data extortion, SIM swapping, and social engineering.
While the NCA claims the arrests effectively halted the group, the CPS has been more cautious, noting the defendants claimed membership in a group prosecutors believe conducted hundreds of attacks between 2022 and 2025.
**FAQ**
**What happened to Thalha Jubair in the US?**
A complaint unsealed in New Jersey in September 2025 accuses Jubair of computer fraud, wire fraud, and money laundering conspiracies. The scheme is alleged to include around 120 network intrusions and at least 47 US victims between May 2022 and September 2025, with over $115 million paid in ransoms. Prosecutors also allege he was involved in intrusions at US critical infrastructure and the US Courts, moving about $8.4 million in cryptocurrency. The maximum sentence across all counts is 95 years.
**Is the Scattered Spider group finished?**
The NCA believes its actions against the two men have effectively halted the group’s operations and degraded its ability to function. However, they acknowledge that other criminals may continue to use the Scattered Spider brand. Similar extortion campaigns under names like ShinyHunters have been tracked expanding by other threat actors.
**How did the attackers initially gain access to TfL?**
The exact initial entry point has not been publicly disclosed. However, the NCA and Microsoft have highlighted that attackers often exploit weaknesses in manual workflows, such as password resets and device enrollment, through social engineering. Strengthening identity verification in these processes is key to preventing such attacks.
**Why was the case prosecuted under Section 3ZA?**
Section 3ZA of the Computer Misuse Act 1990 is the most serious charge under the act, applied when actions are reckless as to whether they cause or create a significant risk of serious damage to human welfare. This charge is rarely used, making this prosecution a landmark case.
**What other crimes was Owen Flowers charged with?**
In addition to the TfL hack, Flowers admitted to charges related to attacks on two US healthcare organisations, a conspiracy against SSM Health, and an attempt against Sutter Health. He acknowledged in chats that attacks could risk lives, saying it “might kill some 90-year-old on life support.”
**Why didn’t the attack cause more damage?**
TfL’s decision to disconnect its network prevented the attackers from achieving a full shutdown, which prosecutors said could have caused billions in economic damage. This action limited the real-world impact, though the potential for widespread disruption was severe.
**Conclusion**
The sentencing of Owen Flowers and Thalha Jubair marks a significant moment in UK cybercrime enforcement, highlighting the growing legal frameworks around digital offences. Their attack on Transport for London caused major disruption but was contained before reaching its most damaging potential. This case underscores the importance of robust identity verification, rapid incident reporting, and law enforcement collaboration. As campaigns like Scattered Spider evolve, the convictions serve as a deterrent and a reminder of the severe consequences faced by those who exploit technological vulnerabilities for extortion and disruption.



