Two Scattered Spider affiliates get 5.5 years for TfL hack
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty under the UK Computer Misuse Act. The 2024 intrusion knocked out 148 TfL systems and cost £29 million.
Two members of the Scattered Spider cybercrime crew were sentenced to five years and six months each in a UK court on Thursday for the August 2024 intrusion at Transport for London, BleepingComputer reported. Thalha Jubair, 20, and Owen Flowers, 18, had pleaded guilty last month to charges under the UK Computer Misuse Act; both were arrested at their homes on 16 September 2024 in a joint operation by the City of London Police and the National Crime Agency.
The TfL intrusion itself is now a matter of court record rather than reconstruction. It ran from early August 2024 through the disclosure on 2 September, took 148 TfL systems offline, forced roughly 27,000 employees through in-person password resets, and knocked out Dial-a-Ride, concessionary travel cards, digital payments, contactless ticketing, and refund processing at various points. TfL disclosed on 12 September 2024 that customer names, addresses, and contact details were among the data taken. The agency has since put its own recovery cost at £29 million; the NCA has separately estimated the potential economy-wide UK loss, had the disruption run its course, at £56 billion.
What the plea actually was
Both defendants pleaded to Computer Misuse Act offences rather than to a specific fraud or extortion charge, which is worth noting because it constrains what the court was sentencing. The plea is to the unauthorised access and the impairment of the operation of a computer, not to any particular downstream monetisation. That matters when comparing the UK number to what is queued up against Jubair on the other side of the Atlantic: the same BleepingComputer report notes that the U.S. Department of Justice charged him in September 2025 with participation in 120-plus network intrusions between May 2022 and September 2025 and roughly $115 million in extortion — a much longer inventory, and a different sentencing exposure entirely, that has not yet been resolved.
Flowers, per the same reporting, was also targeting Sutter Health and SSM Health Care Corporation in the United States. Neither U.S. case sits in the same procedural posture as the TfL one that finished today, and neither has produced a plea. The five and a half years is what the UK court had jurisdiction to give for what was in front of it, not the total account.
NCA Deputy Director Paul Foster, quoted in the reporting: “These convictions would likely not have been possible had Transport for London not engaged with law enforcement early.”
The arc, one more time
This is the second Scattered Spider-adjacent piece we have written this month. On 8 July we wrote up the unsealed federal complaint against Peter Stokes, which described how a Microsoft-recorded Windows device identifier bridged a jewelry-retailer intrusion account and a set of Stokes’s personal accounts. Different jurisdiction, different defendant, different intrusion — but the same underlying pattern that has run through every published Scattered Spider affidavit and now sentencing: the operational tradecraft on the target side is very good, and the tradecraft on the operator’s own life is not.
The four additional arrests the City of London Police announced in July 2025 — linked to the Marks & Spencer, Co-op, and Harrods intrusions from earlier that year, per the same reporting — fit the same pattern. UK teenagers and young adults, arrested at home addresses, produced by conventional police work rather than any breakthrough attribution technique. Whatever the crew’s phone-work fluency and its comfort inside U.S. help-desk workflows added to the intrusion side of the ledger, none of it has been reflected in a corresponding operational discipline off the clock.
Analysis: what this does and does not settle
Analysis, not incident reporting. This section is a reading of the sentencing in the context of the broader Scattered Spider law-enforcement pipeline. It is not a claim about specific ongoing cases or defendants not yet convicted.
The TfL sentence is a real number, and five and a half years for a Computer Misuse Act plea in a case of this scale is at the upper end of what a UK court tends to hand down for offences in this bracket. What it does not resolve is the underlying operating model. Scattered Spider is not a fixed roster; the reporting to date describes it as a fluid affiliate arrangement inside a broader English-speaking eCrime ecosystem — the Com — where phone work, SIM-swap access, and help-desk pretexting circulate as capabilities rather than as membership cards. Removing individual operators changes who is available on a given day. It does not remove the capability from the ecosystem, and the July 2025 M&S/Co-op/Harrods wave — which happened after the TfL arrests and before today’s sentence — is the working demonstration of that.
For defenders, the operational read is unchanged from the last several times we have written about this crew, and worth restating: the entry vector on every one of these public cases has been social engineering against the identity provider or the internal help desk, not exploitation of a novel vulnerability. Multi-factor arrangements that rely on a human at a phone can be talked around by a person who is fluent, calm, and English-speaking, and Scattered Spider affiliates are all three. Number-matching MFA, hardware token enrolment gates, and out-of-band verification for high-risk account recovery are what has actually reduced the group’s success rate against organisations that have adopted them. None of that changes today.
What today does change is only the arithmetic on the affiliate side. Two of them are going to prison for five and a half years; the U.S. cases against a third are proceeding; the identifier trail that the 8 July piece walked through is still there, still being produced under subpoena, and still catching the next one. The system’s mental model, again, is winning. The system was always going to.
Sources
Found this useful? Share it.


