Scattered Spider-Linked Pair Plead Guilty in Transport for London Cyberattack
Two men, Thalha Jubair and Owen Flowers, pleaded guilty under the UK Computer Misuse Act for their roles in the 2024 cyberattack on Transport for London (TfL), an intrusion investigators linked to the Scattered Spider cybercrime ecosystem. Authorities said the attackers accessed TfL’s network between 31 August and 3 September 2024, disrupting Oyster refund processing, temporarily affecting children’s and young people’s photocard applications, and forcing all 28,000 employees to reset passwords in person after trust in internal identity systems was lost. The breach is reported to have affected about 10 million customers and caused losses and recovery costs estimated between £29 million and £39 million.
The National Crime Agency, City of London Police, British Transport Police, and regional officers said a lengthy investigation produced digital evidence including screenshots showing connectivity to TfL infrastructure, videos of system access during the intrusion, Telegram communications, and activity on an online collaboration platform. Investigators also alleged that Flowers was linked to intrusions involving U.S. healthcare organizations including SSM Health and Sutter Health. Both defendants remain in custody and are due to be sentenced in July 2026, as officials cite the case as a warning about the operational impact of cyberattacks on critical infrastructure and the growing role of young, English-speaking offenders in serious cybercrime.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Sentencing dates set for the two defendants
The defendants were scheduled for sentencing in July 2026, with reporting citing hearings on 15 and 16 July 2026. One source summarized the sentencing as set for July 16.
Investigators arrested suspects and seized digital evidence
In 2025, National Crime Agency and City of London Police investigators arrested the suspects in connection with the TfL intrusion. Authorities said they seized devices and recovered evidence including screenshots of TfL access, videos of system access, and Telegram and collaboration-platform communications.
Jubair and Flowers pleaded guilty over TfL cyberattack
Two young men, Thalha Jubair and Owen Flowers, pleaded guilty in London under the UK Computer Misuse Act for their roles in the 2024 cyberattack on Transport for London. Authorities linked them to the Scattered Spider ecosystem and said the attack affected millions of customers and caused major financial losses.
Two men changed pleas to guilty before trial
Shortly before their trials were due to begin, Thalha Jubair and Owen Flowers reportedly changed their pleas to guilty over offenses tied to the TfL cyberattack. Reporting said the case concerned a major incident that caused months of disruption and tens of millions of pounds in losses.
NCA and City of London Police arrested two TfL cyberattack suspects
The National Crime Agency said two men were arrested at their home addresses on 16 September 2024 in a joint investigation with the City of London Police into the TfL cyberattack. Investigators seized multiple digital devices, including a laptop with a screenshot showing connectivity to TfL infrastructure, videos appearing to show access to TfL systems, and evidence of Telegram and collaborative-workspace communications.
Investigators linked seized evidence to intrusions at two US healthcare firms
The National Crime Agency said evidence recovered during Owen Flowers’ arrest indicated intrusions affecting SSM Health Care Corporation and Sutter Health in the United States. This introduced two additional victim organizations beyond Transport for London.
Attackers breached TfL systems over four days
Transport for London's network was intruded between 31 August and 3 September 2024. The breach disrupted Oyster refund processing and related customer services and ultimately forced all 28,000 employees to reset passwords in person.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
16 references tracked. Mallory keeps watching after this page renders.
Teens who hacked TfL were known to police years before cyber-attack
bbc.co.uk
Open sourceteiss - News - Hackers behind cyber attack on Transport for London plead guilty ahead of trial
teiss.co.uk
Open sourceBritish Scattered Spider Hacker Pleads Guilty to Cyberattacks on TfL; SSM Health Care; Sutter Health
hipaajournal.com
Open sourceTwo men plead guilty in UK for cyberattacks on Transport for London | brief | SC Media
scworld.com
Open sourceTfL Hackers Plead Guilty to Avoid Lengthy Trial -
enterprisetimes.co.uk
Open sourceTwo men, believed to part of Scattered Spiders, plead guilty over £39m TfL cyber attack - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceTwo men plead guilty over £39m Transport for London cyber attack
bbc.com
Open sourceCyber criminals who hacked into Transport for London's computer network are convicted - National Crime Agency
nationalcrimeagency.gov.uk
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Scattered Spider-Linked Teenagers Plead Not Guilty to Transport for London Cyberattack
Two British teenagers, Thalha Jubair and Owen Flowers, have pleaded not guilty to charges stemming from a cyberattack on Transport for London (TfL) in August 2024. The attack, attributed to the Scattered Spider hacking collective, caused significant disruption to TfL's online services and internal systems, impacting the agency's ability to process refunds and initially believed not to have compromised customer data. However, a later update from TfL confirmed that customer information, including names, addresses, and contact details, was exposed during the breach. Both suspects were arrested by the UK National Crime Agency and City of London Police, and the charges they face are among the most severe under English law for cyber offenses, carrying a maximum sentence of life imprisonment. In addition to the TfL incident, Owen Flowers faces further charges for allegedly conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States, while Thalha Jubair is also charged with refusing to provide device passcodes to investigators. The U.S. Department of Justice has unsealed a complaint against Jubair for related computer crimes. The case highlights the international scope of the investigation and the serious legal consequences for those accused of high-impact cyberattacks targeting critical infrastructure and healthcare organizations.
Mar 21, 2026
Scattered Spider Member Pleads Guilty in $8 Million SMS Phishing and Crypto Theft Scheme
Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, pleaded guilty in U.S. federal court in California to **conspiracy to commit wire fraud** and **aggravated identity theft** for his role in Scattered Spider’s large-scale social-engineering operation. Prosecutors said Buchanan and co-conspirators ran SMS phishing campaigns from September 2021 to April 2023 that impersonated corporate IT help desks and labor providers, used fake login pages and stolen credentials, and carried out SIM swapping to breach companies and individuals. The Justice Department said the scheme stole at least **$8 million in virtual currency** from U.S. victims across telecommunications, technology, cloud communications, outsourcing, gaming, and cryptocurrency sectors. Investigators tied Buchanan to the 2022 **0ktapus** campaign, which used fake Okta login pages to compromise more than 130 organizations, including **Twilio** and **Cloudflare**, and enabled downstream attacks affecting other major brands. Authorities said stolen credentials were funneled into a Telegram channel administered by Buchanan and an associate, and searches of his residence in Scotland uncovered victim company files, personal data, and roughly 20 devices. Buchanan was arrested in Palma de Mallorca by Spanish authorities, extradited to the United States, and has been in federal custody since April 2025; he now faces up to 22 years in prison, underscoring continued law-enforcement pressure on the loosely organized Scattered Spider group, an offshoot of **The Com**.
Apr 24, 2026
US Charges Five Alleged Scattered Spider Members Over SMS Phishing and Crypto Theft
U.S. prosecutors unsealed charges against five men allegedly linked to the **Scattered Spider** cybercrime ecosystem, accusing them of running a large-scale scheme that used SMS phishing, spoofed login pages, social engineering, stolen employee credentials, email hijacking, and SIM swapping to compromise companies and individuals. Court filings say the operation targeted technical employees across the United States between September 2021 and April 2023, enabling the theft of non-public corporate data, personal identifiers, and **millions of dollars in cryptocurrency**. Four suspects were charged in the United States with conspiracy to commit wire fraud, while a separate complaint was filed against a fifth defendant in the United Kingdom. The case adds to mounting law-enforcement scrutiny of Scattered Spider, a loose English-speaking threat actor network also tracked under multiple aliases and associated with the broader **"Com"** ecosystem. Authorities and researchers have linked the group to high-profile intrusions and collaborations with ransomware operations including **BlackCat/ALPHV**, **Qilin**, and **RansomHub**, as well as incidents affecting MGM Resorts, Clorox, Snowflake-linked victims, and later investigations into the hacks at **Marks & Spencer** and **Co-op**. The charges mark a significant escalation in efforts to disrupt a group known for blending phishing, identity takeover, and extortion-focused intrusion tactics.
May 25, 2026