Teen Hackers Charged Over Scattered Spider Attack on TfL
Two men, Owen Flowers and Thalha Jubair, appeared before Westminster Magistrate's Court today in connection with a 2024 cyber attack on Transport for London (TfL). The National Crime Agency (NCA) and City of London Police arrested the duo on September 16, 2025.
Flowers, 18, from Walsall in the West Midlands, was initially questioned about the TfL incident in September 2024. However, due to his minor status at the time, his identity could not be officially revealed.
The cyber attack, attributed to the Scattered Spider hacking collective, caused significant disruption to some technical services, including third-party application programming interfaces used by Citymapper and logins for contactless and Oyster payment accounts. The incident has cost TfL over £30m, with at least £5m spent on response, investigation, and remediation.
"This attack caused significant disruption and millions in losses to TfL, part of the UK's critical national infrastructure," said Paul Foster, NCA deputy director and head of the National Cyber Crime Unit. "Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example."
Foster praised TfL for working transparently with the investigation and highlighted that the arrests demonstrated what law enforcement can achieve when victims are empowered to come forward and report incidents. He also credited international partners, including the FBI, for their collective efforts in identifying offenders within these networks and ensuring they face justice.
Charges Revealed
The Crown Prosecution Service (CPS) has decided to prosecute Thalha Jubair and Owen Flowers with computer misuse and fraud-related charges. Hannah von Dadelszen, chief crown prosecutor for the CPS, stated: "Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings."
Flowers faces three counts of conspiracy to commit an unauthorised act in relation to a computer causing and/or creating risk of serious damage to human welfare and/or national security under the Computer Misuse Act (CMA) of 1990. One count relates to the TfL incident, while the other two relate to offences against two targets in the US, SSM Health Care Corporation and Sutter Health.
Jubair, aged 19, from Tower Hamlets in London, is charged with conspiracy to commit an unauthorised act in relation to a computer causing and/or creating risk of serious damage to human welfare and/or national security, but only in relation to the TfL attack. He also faces an additional charge of failure to comply with a Section 49 notice issued under the Regulation of Investigatory Powers Act (RIPA) of 2000.
Investigation Timeline
The arrests come two months after four unnamed individuals were arrested in connection with Scattered Spider attacks on UK retailers. The NCA has confirmed that both Flowers and Jubair are involved in the Scattered Spider cyber crime collective, although they urged against speculation on any link to the group's other activities at this stage.
Computer Weekly understands that Flowers and Jubair have been on the radar of law enforcement for some time, and both men have been publicly identified and linked to various other Scattered Spider and Lapsus$ cyber attacks in the past.
Background on Scattered Spider
The Scattered Spider hacking collective has been responsible for several high-profile cyber attacks in recent months. The group has been linked to breaches of various organizations, including retailers and healthcare providers.
The NCA has warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, with Scattered Spider being a clear example. Law enforcement agencies are working tirelessly to identify offenders within these networks and ensure they face justice.