London authorities announced Thursday that the imprisonment of two young men has delivered a serious blow to one of the most persistent cybercrime operations targeting British organizations and global corporations alike. Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, each received sentences of five years and six months after they pleaded guilty to a 2024 breach of Transport for London systems. The attack forced the public transit operator to take key services offline for weeks. It stole data on millions of customers. And it cost the agency £29 million.
But the real story runs deeper. These weren’t isolated actors. They formed key parts of Scattered Spider. That loose collective of mostly English-speaking hackers has racked up dozens of high-profile intrusions over recent years. From casino operator MGM to airline WestJet to security firm Okta, the group specialized in social engineering tricks that bypassed technical defenses. They impersonated help desk staff. They tricked employees into handing over credentials. Success came fast. And the notoriety followed.
Detective work by the National Crime Agency and City of London Police connected the dots. TechCrunch reported that officials described the jailing as having “severely” hampered Scattered Spider’s activities. Paul Foster, head of the NCA’s National Cyber Crime Unit, put it bluntly. “Scattered Spider has been the most significant cybercrime threat to the U.K. in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice.”
The TfL breach unfolded on a Saturday evening in late August 2024. Flowers and Jubair, then 17 and 18, spent 16 hours live-streaming their intrusion online. They boasted in group chats. One message from Flowers joked that “Scattered Spider is creating webs on the London Underground.” They accessed the Oyster card database. Searched for celebrity records. Even probed for banking details. The incursion rendered 148 systems inoperable. Employees reset passwords in person. Dial-a-Ride services for vulnerable residents suffered heavy disruption.
Yet the pair’s histories stretched back further. Jubair first received a laptop at age 10. By 13 he coded. At 14 police arrested him. He accumulated 22 prior convictions for hacking, fraud and harassment. In 2023 a court issued him a youth rehabilitation order for activity tied to Lapsus$, the extortion-focused crew that once hit Nvidia, Samsung and Uber. The BBC detailed how that earlier spree led to convictions of other teenagers, including one deemed unfit for trial but still found to have participated.
Flowers showed similar patterns. A cease-and-desist order landed in 2023 after minor offenses. Investigators later caught him hacking U.S. healthcare providers while the TfL case developed. Messages revealed dark humor about potential patient harm. Police seized roughly £1 million in cryptocurrency from the pair. Still, authorities believe fame within online circles drove them more than pure profit.
Both young men lived as loners. Autism diagnoses applied to each. They spent most hours unsupervised before screens. Defense lawyers for Jubair argued older criminals groomed him. The claim didn’t sway the sentence. In prison, contraband phones let them continue plotting. Messages recovered showed ongoing talk of fresh attacks.
Analysts see broader signals here. Scattered Spider operates as a loose network rather than a rigid hierarchy. Members come and go. The group rebrands when pressure mounts. Yet its tactics persist. Social engineering remains tough to block completely. Companies train staff. They add verification steps. Hackers adapt. They target help desks with confidence tricks that exploit human weaknesses.
The NCA has warned repeatedly. The rise of young hackers counts among the United Kingdom’s top cyber threats. Arrests linked to Scattered Spider have occurred in Britain, the United States and Finland. U.S. prosecutors charged Jubair in connection with more than 120 incidents. Some generated $115 million in ransom payments across 47 victims.
And the TfL case stands out for its visibility. The agency learned of the breach from the NCA. IT teams acted fast. They logged out all staff. They disconnected systems from the internet. That move prevented total shutdown. Still, the financial toll mounted. Initial estimates reached £39 million before revision downward. Customer inconvenience stretched on. Real-time train information vanished for days.
Security researcher Allison Nixon offered a stark assessment after the sentencing. Policymakers must treat this phenomenon as a violent youth gang issue. The culture celebrates societal damage and maximum harm to victims. Her words echo concerns raised in earlier Lapsus$ cases. There, teenagers from Oxford and elsewhere gained access to Rockstar Games and leaked footage from the next Grand Theft Auto title. One key figure, Arion Kurtaj, exited a secure hospital this month ahead of a November retrial, according to recent social media reports tracked on X.
But today’s outcome focuses on Scattered Spider. Foster emphasized collective responsibility. “The online world can expose young people to harmful influences and criminal communities far beyond their front door. Parents, carers, educators, technology companies and law enforcement, the whole of society, we all have a role to play in helping to keep young people safe online.”
Investigators continue to pursue other members. The group has ties to additional retail breaches at Marks & Spencer, Co-op and Harrods. Those incidents prompted four more arrests in 2025. Cybersecurity Dive covered how that operation involved suspects as young as 17.
So what comes next? Law enforcement agencies share intelligence across borders. Tech firms tighten identity checks. Yet the pipeline of tech-savvy teenagers drawn to these circles shows no immediate sign of drying up. The sentences handed down at Woolwich Crown Court may deter some. They won’t stop all. Scattered Spider, or whatever name it adopts tomorrow, adapted before. It will test defenses again.
The TfL episode revealed how much damage a determined pair can inflict. Deep system access gave them “the keys to the kingdom,” one report noted. They could have paralyzed London’s transport network entirely. Only rapid response limited the scope. Organizations everywhere should take notice. Technical controls matter. So does vigilance against the human element that young hackers exploit with growing skill.


WebProNews is an iEntry Publication