Two young hackers, reportedly members of the Scattered Spider hacking group, pleaded guilty under the Computer Misuse Act for their involvement in a £39 million cyberattack on Transport for London (TfL). Specifically, they admitted to conspiring to commit unauthorised acts against TfL’s computer systems, a charge carrying a severe warning that the attack created a serious risk of harm to human welfare.
The hackers, Thalha Jubair, 20, and Owen Flowers, 18, were to face trial at Woolwich Crown Court on 22 June, but they changed their pleas to guilty on the very first day of their trial.
“The profile of offenders like Flowers and Jubair demonstrates the growing risk from cyber criminals based in the UK and other English-speaking nations, epitomised by Scattered Spider,” Paul Foster, deputy director at the NCA and its National Cyber Crime Unit, stated in an official press release.
Jubair and Flowers are accused of a cyberattack on TfL between 31 August and 3 September 2024 that completely shook the capital’s transport network, causing a 3-month-long service disruption and even forcing all 28,000 TfL staff members to physically walk into an office just to reset their computer passwords.
The attack hit everyday passengers harder because the hackers also targeted the Oyster card refund system. This forced people to wait much longer to get their money back. The hackers also completely shut down the online application system for children’s discount Oyster cards. The British Transport Police and West Midlands officers collaborated to arrest the hackers after a “prolonged, extremely complicated and painstaking investigation,” the NCA’s official statement read.
As per Hackread.com’s previous coverage of the incident in September 2024, while core train and bus services remained operating, the hackers did access the personal details, names, and bank information of 10 million customers.
Raids and International Targets
The National Crime Agency (NCA) and City of London Police raided the hackers’ homes on 16 September 2024, seizing tower computers, laptops, USB sticks, and hard drives containing crucial evidence linking the duo to the attack.
One laptop had video clips of Jubair actually using TfL systems while the two discussed the attack on Telegram and a shared online workspace. Flowers also looked at information, selling stolen login details online, and broke his bail rules twice in 2025. He even targeted US hospitals, breaking into networks belonging to SSM Health Care and Sutter Health.
Youngsters and Online Crime
This case highlights the consistent, disturbing rise in youth involvement in such crimes, as they do not understand the legal dangers of cyberattacks. The NCA earlier reported that one in five UK children between 10 and 16 have broken the law online and engaged in hacking.
“A recent survey of youngsters aged 10-16 showed that 20% engage in behaviours that violate the Computer Misuse Act, which criminalises unauthorised access to computer systems and data. The figure is higher for those who game, standing at 25%,” NCA reported in 2024.
The case against Jubair and Flowers shows what happens when authorities catch these young hackers, and it should be taken as an example. Now that they have pleaded guilty, both will remain in custody. They will face the legal consequences together during a two-day sentencing hearing scheduled for 15 and 16 July 2026.







