UK Arrests 'Scattered Spider' Teens Linked to Transport for London Hack
In a significant development, two teenagers believed to be linked to the August 2024 cyberattack on Transport for London (TfL) have been arrested in the United Kingdom. The suspects, identified as Owen Flowers from Walsall and Thalha Jubair from East London, are scheduled to appear at Westminster Magistrates Court today.
Flowers, an 18-year-old, was previously arrested for his alleged involvement in the TfL attack in September 2024 but was released on bail after being questioned by officers of the UK National Crime Agency (NCA). However, NCA investigators have since found additional evidence potentially linking Flowers to attacks against U.S. healthcare companies.
The two suspects are being prosecuted for computer misuse and fraud-related charges linked to an investigation into the breach of London's public transportation agency. Additionally, Flowers faces charges for conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States.
A Threat from Cyber Criminals
"This attack caused significant disruption and millions in losses to TfL, part of the UK's critical national infrastructure," said Deputy Director Paul Foster, the head of the NCA's National Cyber Crime Unit. "Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example."
The U.S. Department of Justice has also charged Thalha Jubair today with conspiracies to commit computer fraud, money laundering, and wire fraud, in relation to at least 120 network breaches and extortion attacks worldwide between May 2022 and September 2025, which affected at least 47 U.S. organizations.
A Complex Web of Attacks
The complaint filed in the District of New Jersey and unsealed today alleges that victims have paid Jubair and his accomplices at least $115,000,000 in ransom payments. The attack on TfL did not affect London's transportation services but disrupted internal systems and online services, as well as TfL's ability to process refunds.
However, subsequent updates revealed that customer data, including names, contact details, and addresses, had actually been compromised during the incident. This is particularly concerning given that TfL provides transportation services to over 8.4 million Londoners through its surface, underground, and Crossrail transport systems, jointly managed with the UK's Department for Transport.
A Pattern of Cyber Attacks
In May 2023, TfL was the victim of another security breach after the Clop ransomware gang stole data belonging to over 13,000 customers from one of its suppliers' MOVEit Managed File Transfer (MFT) servers. The NCA arrested four other suspected members of the Scattered Spider cybercrime collective in July, believed to be involved in cyberattacks targeting major retailers in the country, including Marks & Spencer, Harrods, and Co-op.
These arrests are a reminder that cyber attacks can have far-reaching consequences for individuals, businesses, and organizations. As the threat landscape continues to evolve, it is essential for individuals and organizations to remain vigilant and take proactive steps to protect themselves against such threats.