Close Menu

    Subscribe to Updates

    Get the latest creative news from infofortech

    What's Hot

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    July 16, 2026

    ChatGPT’s new search tool saves you from digging through old chats, files, and images

    July 16, 2026

    A better way to turn 2D designs into 3D models for rapid prototyping | MIT News

    July 16, 2026
    Facebook X (Twitter) Instagram
    InfoForTech
    • Home
    • Latest in Tech
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    Facebook X (Twitter) Instagram
    InfoForTech
    Home»Cybersecurity»Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
    Cybersecurity

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    InfoForTechBy InfoForTechJuly 16, 2026No Comments5 Mins Read
    Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
    Share
    Facebook Twitter LinkedIn Pinterest Telegram Email


    Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London.

    The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority’s employees into an office to get their passwords reset in person. Both the NCA and the CPS put TfL’s losses and recovery costs at £29 million.

    Both pleaded guilty on 22 June 2026, the day their trial was due to start. The charge was Section 3ZA of the Computer Misuse Act 1990, the Act’s most serious, and they admitted it on the basis that they were reckless as to whether they caused or created a significant risk of serious damage to human welfare.

    The CPS says Flowers and Jubair are believed to be the first hackers successfully prosecuted under Section 3ZA. The NCA counts the case as only the second prosecution of its kind. The two readings can sit together, one counting prosecutions brought under the section and the other counting those that ended in conviction, but neither agency explains the gap.

    The NCA calls it the biggest cybercrime prosecution the UK courts have seen.

    The intrusion ran from 31 August to 3 September 2024. TfL oversees an average of 9 million journeys a day. Dial-a-Ride, the booking service that gets vulnerable Londoners around the city, went down, along with the digital payments channel and the issuing of concessionary travel cards.

    Applications closed for Oyster photocards, the discounted fare cards for London’s children and young people. The extension of contactless ticketing slipped, and refunds crawled.

    TfL told customers that names and email addresses had been accessed, along with home addresses where it held them. Oyster refund data may have gone too, including bank account numbers and sort codes for around 5,000 people.

    Only the two of them knew what they meant to do with the access, the CPS says, though their chats suggested they would wipe the access on the way out. That is where the case’s biggest number comes from: the NCA says a successful shutdown of the network could have cost the UK economy up to £56 billion, and the CPS puts the same hypothetical at billions. It stayed hypothetical, the CPS says, because TfL pulled its own network down to contain them.

    Flowers was arrested at home on 6 September 2024, three days after the TfL intrusion ended, and the NCA says officers found him mid-attack on two US healthcare organisations, SSM Health Care Corporation and Sutter Health.

    Investigators seized laptops, tower computers, hard drives, and USB sticks. One laptop held a screenshot of network connectivity to TfL infrastructure, plus videos Flowers had recorded of Jubair moving through TfL systems during the attack. The pair were messaging on Telegram while it happened and sharing an online workspace.

    Prosecutors proved Flowers had been connected to the remote server used to launch all three intrusions, and his own devices linked him to all three. The information linking Jubair to TfL was uncovered overseas, obtained with help from prosecutors there.

    Flowers admitted two further counts over the healthcare attacks, a conspiracy against SSM Health, and an attempt against Sutter Health. The CPS says he threatened to lock those systems down while acknowledging in chats that it “might kill some 90-year-old on life support.” The arrest is what stopped him.

    The NCA describes both men as leading members of Scattered Spider, the extortion crew also tracked as Octo Tempest, UNC3944, and 0ktapus. The CPS is more careful, saying the defendants claimed at various points to be members of a group that prosecutors believe carried out hundreds of attacks between 2022 and 2025.

    The FBI, quoted in the NCA’s announcement, ties the group to data extortion, SIM swapping, and social engineering.

    Jubair’s other case is still open

    A complaint unsealed in New Jersey in September 2025 accuses Jubair of computer fraud, wire fraud, and money laundering conspiracies. The complaint puts the scheme at roughly 120 network intrusions and at least 47 US victims between May 2022 and September 2025, with more than $115 million paid in ransoms.

    Prosecutors also place him in intrusions at a US critical infrastructure company and the US Courts, and allege he moved about $8.4 million in cryptocurrency out of a server wallet while agents were seizing it. Those are allegations, untested in court. The maximum across all counts is 95 years. Neither the DOJ’s announcement nor Thursday’s UK releases address extradition.

    Is Scattered Spider finished?

    The NCA says its action against the two men effectively halted the group, and cites Microsoft’s assessment that the arrests materially degraded the group’s ability to operate. In the same breath, it grants that other criminals may keep using the brand.

    Scattered Spider is not the only brand with life left in it. In January, Mandiant tracked an expansion of ShinyHunters-branded extortion running the same kind of social engineering: vishing calls to employees, victim-branded credential harvesting pages to capture SSO logins and MFA codes, then the attacker’s own device enrolled for MFA.

    Neither the NCA’s nor the CPS’s written releases set out how Flowers and Jubair first got into TfL. Google’s hardening guidance from the same research puts the fix in one place: verify identity on password resets, device enrollment, and MFA changes, the manual workflows these crews call in and talk their way through.

    Paul Foster, who heads the NCA’s National Cyber Crime Unit, wants one thing from everyone else: call law enforcement early. He says these convictions probably would not have happened if TfL had not.

    City of London Police used the sentencing to lobby for a power it does not have. Cyber Crime Risk Orders would let a court restrict an individual’s devices, online services and technologies in proportion to the risk they pose.

    Commander Ollie Shaw pitched them as a “digital prison” for offenders. So the toolkit is what it was: a prison term, this time handed to two people who were 17 and 18 when they did it.

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    InfoForTech
    • Website

    Related Posts

    TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

    July 16, 2026

    Firefox, Chrome, Adobe, and VMware Updates Fix Multiple Critical Security Flaws

    July 15, 2026

    Troy Hunt: Weekly Update 512: IoT Lockout Fail

    July 15, 2026

    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

    July 15, 2026

    U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

    July 14, 2026

    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

    July 13, 2026
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views

    This is the tech that makes Volvo’s latest EV a major step forward

    January 24, 202616 Views
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Advertisement
    About Us
    About Us

    Our mission is to deliver clear, reliable, and up-to-date information about the technologies shaping the modern world. We focus on breaking down complex topics into easy-to-understand insights for professionals, enthusiasts, and everyday readers alike.

    We're accepting new partnerships right now.

    Facebook X (Twitter) YouTube
    Most Popular

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views
    Categories
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    • Latest in Tech
    © 2026 All Rights Reserved InfoForTech.
    • Home
    • About Us
    • Contact Us
    • Privacy Policy

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.