The teenage hackers had London’s transport network at their mercy. Thalha Jubair and Owen Flowers had burrowed into the heart of Transport for London’s IT systems and held the “keys to the kingdom”.TfL said the attack, which occurred between 31 August and 3 September 2024, could have caused “catastrophic damage” to its technology systems and could have led to “significant and extended transport service degradation and disruption”.In the end, the duo were only stopped when TfL in effect “pulled the plug” on its systems.They pleaded guilty in June, and on Thursday Jubair was sentenced to five and a half years for the attack, and Flowers to five and a half years for the TfL crime as well as for hacking two US healthcare providers.Thalha Jubair, left, and Owen Flowers had accrued millions of dollars in cryptocurrency through their hacking activities. Composite: PA/National Crime AgencyAt one point, according to prosecutors in the case, Jubair and Flowers “could have shut out and shut down TfL completely” having hacked their way to the “highest privileged access” in the system and creating a “domain admin” account described in court as “the keys to the kingdom”. They even searched through TfL’s customer database for celebrities.The data of millions of commuters was stolen, Londoners were left out of pocket and 27,000 TfL staff were forced to reset their passwords. While the main tube and bus networks were not directly affected, the dial-a-ride service for disabled passengers was unable to process bookings for a period. The head of TfL, Andy Lord – a veteran of British Airways – said the attack was the worst incident he had faced in his career.Owen Flowers and Thalha Jubair arrested for hacking into TfL systems in 2024 – videoThe two hackers had led apparently closeted, online lives which nonetheless had a disproportionate impact on the outside world.Jubair, 20, lived with his parents in a council flat in Bow, east London, and Flowers, 19, lived with his grandmother and uncle in a three-bedroom property in Walsall, in the West Midlands. They had communicated with each other throughout the hack using the Telegram messaging service, and Flowers recorded a livestream of the attack that Jubair broadcast while he carried out the multi-day crime.Both were key figures within a loose collective of English-speaking hackers known as Scattered Spider, which is suspected of numerous hacks in recent years. The pair’s activities had made them wealthy, accruing millions of dollars in cryptocurrency.The Scattered Spider name was conferred on these hackers by cybersecurity researchers who create monikers for the groups they monitor. Jubair and Flowers embraced it, exchanging messages citing Scattered Spider during the attack. Flowers warned his counterpart that his “scattered spider lvl 5 pass will be revoked” as he appeared to complain about Jubair’s slow progress. In a later group chat Jubair wrote: “SCATTERED SPIDER IS CREATING WEBS ON THE UNDERGRND.”Flowers was known to have spent most of his time in his bedroom playing video games – a typical pathway for hackers – and using chat forums. Jubair also started out in the gaming world and would disrupt other players by stealing their usernames, before he moved into criminal activity.Jubair, whose father is a care worker and whose mother had given up her job to act as a full-time carer for her son, was a hacker from a young age. He went to school locally, passed a number of GCSEs and had attempted to enrol at colleges. But he had always been interested in computing and gaming.A two-day sentencing hearing at Woolwich crown court this week heard that Jubair was shown how to use a smartphone at the age of four, had a laptop and was gaming from the age of six or seven, was writing his own computer programs by the age of 10, and at 13 was introduced to hacking by older hackers.Before the TfL conviction, Jubair had been convicted of 22 offences as a teenager, including 13 counts of fraud, two of unauthorised access to a computer, one of obtaining access to a computer, and one of blackmail. He had also been convicted in a youth court of stalking two young women and hacking into a City of London police server. Jubair was 18 when he carried out the TfL hack.skip past newsletter promotionafter newsletter promotionBoth defendants have been diagnosed with autism, and Jubair has depression and a severe mood disorder. Woolwich crown court heard that Jubair had tried to kill himself and that from a young age he was “isolated and bullied at school”. On behalf of Flowers, who was 17 when he carried out the hack, Adam Davis KC described his client as an “immature child trying to show off online”, who had been through an “unsettled childhood” that included contact with children’s services a year after he was born. Davis said Flowers had experienced “significant” isolation throughout his childhood and struggled with social relationships.Flowers, too, had been active before the TfL cyber-attack. He was previously known to police and came into contact with them after turning 16. He had been subject to a cease-and-desist notice issued by West Midlands police in October 2023. Flowers was offered training to guide him away from cybercrime, which he turned down, and was given advice over computer misuse offences.The TfL hack was not a “ransomware” attack, whereby IT systems are encrypted and data is stolen, allowing hackers to demand a ransom in cryptocurrency for decryption and return of the data.Nonetheless, Jubair and Flowers have come into contact with vast sums of money. A previous hearing was told that $10m (£7.5m) was moved from Jubair’s crypto wallets after he was released from custody in March last year and $200m vworth of crypto had also moved through accounts belonging to him. An earlier hearing was also told that Flowers held $7.1m, including crypto, in accounts he controlled, despite having no source of income.Neither appeared to have a lavish lifestyle. Flowers’s crypto account had been used to pay for food deliveries, while US authorities were able to trace Jubair because he paid for food deliveries using gift cards bought with crypto from an account that allegedly stored ransomware payments. Experts point to evidence that Scattered Spider attacks are often driven more by a desire for bragging rights and notoriety than financial gain.The court heard that the TfL attack prevented live tube arrival information from appearing on the TfL Go app and the TfL website, while TfL was also unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts. The attack cost TfL £39m, comprised of £29m in damage caused to IT systems and £10m in loss of income. The data of about 7 million people was also stolen.The court heard that Jubair and Flowers got into TfL’s systems via an unnamed co-conspirator who called the TfL help desk and pretended to be an employee struggling to access the network remotely. A call handler was tricked into resetting the authentication process to a device in control of Jubair and Flowers, who then set about escalating their access. Paul Foster, the head of the National Crime Agency’s national cyber crime unit, said the convictions had severely affected the Scattered Spider group. “Their activities and their impact have now been severely degraded as a result of this action.”At one point during the attack, Flowers unwittingly foretold the consequences of their actions. Messaging Jubair, he said: “u won’t be laughing when ur sat in prison.”
‘Keys to the kingdom’: hackers who gained access to heart of London transport network jailed
Thalha Jubair, 20, and Owen Flowers, 19, sentenced to five and a half years each for cyber-attack that cost Transport for London £39m











