Two British cybercriminals from the Scattered Spider hacking group have pleaded guilty to a cyber-attack on Transport for London in 2024 that cost £39m and affected 10 million people.
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to offences under the Computer Misuse Act at Woolwich crown court on Monday.
The National Crime Agency (NCA) said the duo were part of an online hacking community known as Scattered Spider, suspected of carrying out several attacks in recent years. TfL, the London mayor’s transport authority, handles up to 5m passenger journeys a day on the underground alone.
TfL said it had emailed more than 7 million customers in September 2024 “to inform them about the incident” and tell them that “some customer data may have been taken”. The BBC reported that 10 million TfL customers had their data stolen.
The attack, which took place between 29 August and 3 September 2024, prevented live tube arrival information from appearing on the TfL Go app and the TfL website, while TfL was also unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts. The incident cost TfL £39m.
Jubair, of Bow in east London, and Flowers, of Walsall in the West Midlands, both admitted conspiring to commit unauthorised acts against computer systems belonging to TfL, causing risk of serious damage to human welfare.
Flowers also admitted hacking two US healthcare companies. He admitted conspiring to commit unauthorised acts against computer systems belonging to SSM Health Care Corporation and attempting to commit unauthorised acts against computer systems belonging to Sutter Health, on or about 6 September 2024.
The pair entered their guilty pleas on the first day of what was due to be a six-week trial. Mr Justice Turner remanded Jubair – wearing glasses in a grey suit, shirt and tie – and Flowers – wearing glasses in a blue sweater and grey tracksuit bottoms – in custody before a two-day sentencing hearing on 15 July.
Jubair has also been accused by the US Department of Justice of involvement in a series of cyber-attacks that targeted 47 US organisations and garnered more than $100m (£75m) in ransom payments.
Flowers denied two further hacking charges and they were ordered to lie on file.
Paul Foster, the head of the NCA’s national cyber crime unit, said the TfL incident underlined the growing threat from homegrown and English-speaking hackers. Typically, hacks on high-profile public and private organisations have been carried out by Russian speaking hackers or assailants based in the former Soviet Union.
“The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cybercriminals based in the UK and other English-speaking countries, epitomised by Scattered Spider,” he said.
The NCA said Flowers and Jubair were both “members of the online criminal collective known as Scattered Spider”, a moniker assigned by cybersecurity analysts.
The NCA said the hackers had accessed TfL’s refunds system, leaving some customers out of pocket for much longer than usual. The attack also shut the application system for Oyster photocards for children and young people.
Foster added that the damage showed cybercrime has “real-world consequences and impacts hugely on the public” despite appearing to be “faceless and distant” compared with other crimes.
Investigators found a number of devices at Flowers’ West Midlands home including laptops, hard drives and USB sticks. One laptop contained a screen shot showing network connectivity to TfL infrastructure.
The laptop also contained videos recorded by Flowers showing Jubair accessing TfL systems during the attack. The pair were using the Telegram messaging platform to communicate with each other and also communicated through an online tool where multiple participants can work together remotely.
A previous hearing was told that $10m was moved from Jubair’s crypto wallets after he was released from custody in March last year and $200m worth of crypto had also moved through accounts belonging to him. An earlier hearing was also told Flowers held $7.1m including crypto in accounts he controlled, despite having no source of income.
Both defendants have been diagnosed with autism and Jubair has depression and a severe mood disorder.
Jubair has been convicted of 22 offences, including 13 counts of fraud, two of unauthorised access to a computer, one count of obtaining access to a computer and one count of blackmail.
He was subject to a youth rehabilitation order at the time of the TfL offences, which came from his hacking of BT and EE as well as the computer chip company Nvidia, which he was convicted for at 17.
Jubair also had a Bangladeshi passport, which he had not declared to the police and which they found hidden down the back of the sofa at his home.
