Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1921+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
NEWS

Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court for their roles in the 2024 cyberattack on Transport for London that downed 148 systems and disrupted 27,000 employees.

Dylan H.

News Desk

July 16, 2026
4 min read

Two members of the infamous Scattered Spider hacking collective have been sentenced to five and a half years in prison each for their roles in the 2024 cyberattack against Transport for London (TfL) — one of the UK's largest public infrastructure operators.

Owen Flowers, 18, and Thalha Jubair, 20, were sentenced at Woolwich Crown Court on Thursday, 16 July 2026. The pair were among the perpetrators of an attack that left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees to work entirely in-person while systems were restored.


The TfL Attack

The 2024 hack of Transport for London caused widespread disruption across the UK capital's public transit network. The attack was sophisticated in execution: Scattered Spider, known for its social engineering expertise, reportedly gained initial access by impersonating IT staff to manipulate a TfL helpdesk employee into providing credentials.

Once inside, attackers moved laterally across the network, compromising internal systems and exfiltrating data before deploying destructive payloads that knocked 148 core systems offline. The resulting outage forced TfL to operate in a degraded state for weeks, with staff unable to access digital tools and passengers facing disruptions to journey planning and payment services.

The attack is estimated to have cost TfL approximately £29 million in response, recovery, and remediation costs.


Who Are Scattered Spider?

Scattered Spider (also tracked as UNC3944, Octo Tempest, and 0ktapus) is a loosely organized, English-speaking cybercriminal group that rose to prominence through a series of high-profile attacks against major corporations including MGM Resorts, Caesars Entertainment, and Twilio.

The group is notable for:

  • Social engineering mastery — members are skilled at vishing (voice phishing) and impersonating IT support staff to bypass security controls.
  • Young membership — many members are teenagers and young adults, often recruited through online gaming communities and hacking forums.
  • Ransomware partnerships — Scattered Spider has collaborated with ransomware-as-a-service (RaaS) operations including ALPHV/BlackCat and others to monetize access.

The sentencing of Flowers and Jubair follows a broader international law enforcement effort to dismantle the group. Several other members face charges in the United States, including a 2025 indictment of multiple co-conspirators.


Sentencing Reactions

The prosecution highlighted the severity of the attack on critical public infrastructure, noting that the disruption extended well beyond financial damage — TfL's digital services underpin daily commutes for millions of Londoners.

The relatively young ages of both defendants were noted by the court, though the judge emphasized that youth did not diminish the seriousness of deliberately targeting essential public services.

UK cybersecurity officials pointed to the sentences as a signal that attacks against critical national infrastructure — even when carried out by individuals who are technically minors — will be treated with the full weight of criminal law.


Key Takeaways for Organizations

The TfL attack is a textbook example of how social engineering remains the most effective initial access vector regardless of technical defenses in place. Key lessons:

  1. Verify identity out-of-band — IT helpdesk staff must verify caller identity through secondary channels before making credential changes or granting access.
  2. Zero-trust architecture — Limit lateral movement opportunities by segmenting systems and enforcing least-privilege access.
  3. Incident response readiness — Organizations should have tested runbooks for operating in a degraded-digital or fully offline mode during an extended outage.
  4. Monitor for social engineering indicators — Unusual helpdesk requests, particularly around password resets or MFA changes, should trigger elevated scrutiny.

The sentencing marks a significant moment for UK cybercrime prosecution, demonstrating that law enforcement can successfully identify and bring to justice members of sophisticated international hacking groups — even those operating under the relative anonymity of online personas.


This article is based on reporting from The Hacker News and court proceedings at Woolwich Crown Court, 16 July 2026.

#Scattered Spider#Transport for London#Cybercrime#Sentencing#UK#Ransomware#Social Engineering

Related Articles

Alleged Scattered Spider Hacker Peter Stokes Extradited to the United States

Peter Stokes, 19, a dual US-Estonian citizen known online as 'Bouquet,' has been extradited from Finland to face federal charges for his alleged role in...

3 min read

Ransomware Thugs Masquerade as Interpol to Entice Small Biz

A ransomware campaign is impersonating Interpol to pressure small and medium-sized businesses into paying extortion demands, using law enforcement...

4 min read

Ransomware Actors Show Up In Person to Steal Law Firm Data

FBI warns the Silent Ransom Group is targeting law firms by physically arriving on-site and social-engineering access to sensitive client databases.

5 min read
Back to all News