Two members of the infamous Scattered Spider hacking collective have been sentenced to five and a half years in prison each for their roles in the 2024 cyberattack against Transport for London (TfL) — one of the UK's largest public infrastructure operators.
Owen Flowers, 18, and Thalha Jubair, 20, were sentenced at Woolwich Crown Court on Thursday, 16 July 2026. The pair were among the perpetrators of an attack that left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees to work entirely in-person while systems were restored.
The TfL Attack
The 2024 hack of Transport for London caused widespread disruption across the UK capital's public transit network. The attack was sophisticated in execution: Scattered Spider, known for its social engineering expertise, reportedly gained initial access by impersonating IT staff to manipulate a TfL helpdesk employee into providing credentials.
Once inside, attackers moved laterally across the network, compromising internal systems and exfiltrating data before deploying destructive payloads that knocked 148 core systems offline. The resulting outage forced TfL to operate in a degraded state for weeks, with staff unable to access digital tools and passengers facing disruptions to journey planning and payment services.
The attack is estimated to have cost TfL approximately £29 million in response, recovery, and remediation costs.
Who Are Scattered Spider?
Scattered Spider (also tracked as UNC3944, Octo Tempest, and 0ktapus) is a loosely organized, English-speaking cybercriminal group that rose to prominence through a series of high-profile attacks against major corporations including MGM Resorts, Caesars Entertainment, and Twilio.
The group is notable for:
- Social engineering mastery — members are skilled at vishing (voice phishing) and impersonating IT support staff to bypass security controls.
- Young membership — many members are teenagers and young adults, often recruited through online gaming communities and hacking forums.
- Ransomware partnerships — Scattered Spider has collaborated with ransomware-as-a-service (RaaS) operations including ALPHV/BlackCat and others to monetize access.
The sentencing of Flowers and Jubair follows a broader international law enforcement effort to dismantle the group. Several other members face charges in the United States, including a 2025 indictment of multiple co-conspirators.
Sentencing Reactions
The prosecution highlighted the severity of the attack on critical public infrastructure, noting that the disruption extended well beyond financial damage — TfL's digital services underpin daily commutes for millions of Londoners.
The relatively young ages of both defendants were noted by the court, though the judge emphasized that youth did not diminish the seriousness of deliberately targeting essential public services.
UK cybersecurity officials pointed to the sentences as a signal that attacks against critical national infrastructure — even when carried out by individuals who are technically minors — will be treated with the full weight of criminal law.
Key Takeaways for Organizations
The TfL attack is a textbook example of how social engineering remains the most effective initial access vector regardless of technical defenses in place. Key lessons:
- Verify identity out-of-band — IT helpdesk staff must verify caller identity through secondary channels before making credential changes or granting access.
- Zero-trust architecture — Limit lateral movement opportunities by segmenting systems and enforcing least-privilege access.
- Incident response readiness — Organizations should have tested runbooks for operating in a degraded-digital or fully offline mode during an extended outage.
- Monitor for social engineering indicators — Unusual helpdesk requests, particularly around password resets or MFA changes, should trigger elevated scrutiny.
The sentencing marks a significant moment for UK cybercrime prosecution, demonstrating that law enforcement can successfully identify and bring to justice members of sophisticated international hacking groups — even those operating under the relative anonymity of online personas.
This article is based on reporting from The Hacker News and court proceedings at Woolwich Crown Court, 16 July 2026.