Two Scattered Spider Members Sentenced to Prison Over £29 Million TfL Cyberattack


Two Scattered Spider Members Sentenced to Prison Over £29 Million TfL Cyberattack

Pierluigi Paganini
July 16, 2026

Two members of the Scattered Spider cybercrime group received jail sentences in the UK for the 2024 cyberattack on Transport for London.

A UK court sentenced two Scattered Spider members, Thalha Jubair (20) and Owen Flowers (18), for their role in the 2024 cyberattack on Transport for London (TfL). Transport for London (TfL) is a local government body responsible for most of the transport network in London, United Kingdom.

The attack disrupted transport services, including Dial-a-Ride for vulnerable passengers, concessionary travel cards, digital payments, and the rollout of contactless ticketing. The attack also exposed customer data from the Oyster refunds system and delayed customer refunds and travel card applications.

All 27,000 employees had to reset their passwords, while 148 systems went offline, forcing staff to rely on manual processes.

The incident cost TfL an estimated £29 million ($39 million); however, the NCA reported that a complete shutdown could have caused up to £56 billion in economic damage.

The case marks another law enforcement success against one of the most active cybercrime groups targeting major organizations.

TfL estimates the attack cost £29 million, while a complete shutdown could have caused up to £56 billion in economic damage.

In September 2025, the National Crime Agency (NCA) arrested the two teenagers at their home addresses.

The law enforcement first arrested Flowers for the TfL attack, and investigators found evidence linking him to intrusions against U.S. healthcare providers SSM Health Care Corporation and Sutter Health. Authorities seized laptops, hard drives and USB devices, including one containing a screenshot of TfL network access.

Investigators also found videos showing Jubair accessing TfL systems during the attack while the two exchanged messages on Telegram and collaborated through an online workspace. Flowers was later arrested for breaching bail conditions, while Jubair faced additional charges for refusing to provide device passwords.

Both were charged with conspiring together to commit unauthorised acts against TfL, under the Computer Misuse Act.

“They both pleaded guilty to the attack last month in what was only the second criminal prosecution of its kind in the UK under the Computer Misuse Act (CMA).” reads the press release published by the NCA. “Section 3ZA of the CMA is the most serious section as it applies where the unauthorised act causes or creates a significant risk of serious damage, and the person intends or is reckless as to that damage.”

They were each sentenced to five years and six months in prison in what UK authorities described as the country’s largest cybercrime prosecution to date.

Although hackers continued using the Scattered Spider name into early 2026, UK authorities say the arrests of Jubair and Flowers effectively dismantled the group’s core operations. Microsoft also assessed that the arrests significantly reduced the group’s ability to carry out cyberattacks.

“Although other cybercriminals may continue to use the damaged Scattered Spider brand, the NCA’s action against Jubair and Flowers effectively halted the group’s criminal activity.” states NCA. “Independent assessment supports this, with Microsoft confirming that the arrests materially degraded the group’s ability to continue conducting cybercriminal operations.”

In July, Peter Stokes, 19, an alleged Scattered Spider member known online as “Bouquet,” was extradited from Finland to the U.S. to face hacking, fraud, and extortion charges. Prosecutors say he took part in multiple cyberattacks, including a 2025 breach of a luxury jewelry retailer where attackers allegedly stole data and demanded about $8 million in cryptocurrency.

“Among other offenses, the complaint alleges that Stokes and other co-conspirators breached a luxury jewelry retailer’s computer system, exfiltrated data from the company, and made a ransom demand of approximately $8 million in cryptocurrency in May 2025.” reads the press release published by DoJ. “The retailer’s security personnel successfully evicted the threat actors from the company’s computer network and no ransom was paid. The retailer nonetheless suffered a loss of at least $2 million due to business disruption, investigation, and mitigation of the threat.”

He was arrested in Finland in April on an Interpol Red Notice.

U.S. officials said Scattered Spider (aka Octo TempestUNC3944, and 0ktapus) has caused major disruption by targeting American companies, stealing data, encrypting systems, and demanding cryptocurrency payments. The FBI warned that the group has cost businesses millions of dollars and disrupted critical operations. Authorities pledged to continue working with international partners to identify, disrupt, and prosecute members of the group, regardless of where they operate.

The cybercrime group is suspected of hacking into hundreds of organizations over the past two years, including TwilioLastPassDoorDash, and Mailchimp.

Scattered Spider members are part of a broader cybercriminal community called “The Com,” where hackers brag about high-profile cyber thefts, typically initiated through social engineering tactics like phone, email, or SMS scams to gain access to corporate networks.

In April 2026, Tyler Buchanan, a 24-year-old from Scotland, also linked to the Scattered Spider group, admitted in a US court that he hacked dozens of companies, committed fraud, and stole millions in cryptocurrency. Spanish police arrested the British national in Palma de Mallorca while attempting to fly to Italy. During the arrest, police confiscated a laptop and a mobile phone. The arrest resulted from a joint operation conducted by the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

In April 2025, Noah Urban, 20, linked to Scattered Spider (UNC3944), pleaded guilty in Florida and California to conspiracy, wire fraud, and identity theft. He admitted involvement in phishing and fraud operations, including stealing at least $800,000 in crypto from victims between Aug 2022 and Mar 2023. He also helped export stolen data and run multi-state cybercrime activities tied to the group.

In November 2025, two British teenagers, Thalha Jubair (19) and Owen Flowers (18), accused of links to Scattered Spider, pleaded not guilty in Southwark Crown Court to charges under the Computer Misuse Act. They are alleged to have conspired in a cyberattack against Transport for London (TfL) in 2024. Both were arrested in September by the NCA and formally denied the accusations in court.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


After months of rumors and two keynote events in May 2026, Google has finally released Android 17, the stable version. It’s rolling out to eligible Pixel devices today, including models in the Pixel 6 lineup, all the way to the latest Pixel 10 series.

The stable build contains plenty of features showcased at The Android Show and Google I/O, but if you were hoping to get your hands on Gemini Intelligence, that will ship later this summer to “select advanced devices.” With that out of the way, here’s what Android 17 offers at launch.

So what’s actually new in Android 17?

The most immediately useful addition is Bubbles, a feature that lets you access a select number of apps in the form of a floating window over another app or a circular app icon on the screen when minimized. 

You can access the feature by long-pressing an app icon and selecting the Bubble option. It’s best suited for your two or three-app workflows, letting you access them one after the other with a single tap on the screen. On foldables and tablets, bubbles dock into a dedicated bar at the bottom of the display. 

Android 17 also gets Screen Reactions, a feature that lets you record your phone’s screen along with your face (via the front-facing camera) simultaneously. It’s primarily for content creators, who can now make reaction videos without opening an editing app. 

What about gaming, security, and everything else?

On the gaming side, foldables get a new 50/50 layout with the game view up top and a dynamic gamepad below. Google has also made memory cleanup more efficient, so that gamers don’t experience frame drops and stutters while playing demanding video games. 

Security gets a meaningful upgrade with features like temporary location permissions and contact-level sharing controls (vs. sharing the entire address book). The Mark as Lost feature in the Find Hub now locks your phone via biometrics so nobody can unlock and reset it with the passcode.

Google also caps PIN guessing, with longer wait times between failed attempts. Rounding out the Android 17 update are hidden app names on the home screen, a dedicated volume slider for your AI assistant (Gemini on Pixel phones), Parental Controls expanding to all Android devices, and app memory limits for preserving system resources.  

Today is the day 👀

— Android Developers (@AndroidDev) June 16, 2026

While Pixel phones are the first to get the update, expect other OEMs to announce their Android 17-based updates in the coming weeks. Samsung, for instance, is expected to roll out One UI 9 at the second Galaxy Unpacked event of the year, rumored to take place on July 22, 2026. Other brands like OnePlus should follow soon.



Source link