Two British teenagers accused of orchestrating a damaging cyberattack on Transport for London (TfL) last year have been formally charged, shining a harsh spotlight on the growing threat posed by young hackers and the international reach of cybercrime groups like Scattered Spider. The National Crime Agency (NCA) confirmed that Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, were arrested at their homes on 16 September 2025. Both appeared at Westminster Magistrates’ Court just days later, facing an array of charges under the Computer Misuse Act and related legislation.
The hack, which began on 31 August 2024, didn’t bring London’s iconic Underground to a standstill, but it did wreak havoc on TfL’s digital infrastructure. For three months, customers struggled to access Oyster and contactless payment accounts, while third-party transit apps—like Citymapper—relying on TfL’s APIs were knocked offline. Even the information boards that millions of commuters depend on went dark. According to TfL, the attack has cost the agency £39 million so far, with at least £5 million spent on response, investigation, and remediation efforts, as reported by BBC News and Computer Weekly.
But the financial toll is just part of the story. Around 5,000 Oyster users were notified that their personal information—including bank account numbers, sort codes, names, emails, and home addresses—may have been accessed by the attackers. TfL’s 25,000 staff members were forced to verify their identities in person at offices across the city as part of a sweeping recovery operation, highlighting the scale of the disruption. As TfL put it in a statement: “We welcome this announcement by the National Crime Agency that two people have now been charged in relation to the cyber incident which impacted our operations last year.”
The NCA, working with City of London Police and international partners including the FBI, described the investigation as both “lengthy and complex.” Paul Foster, deputy director and head of the NCA’s National Cyber Crime Unit, stated, “This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.” He added, “Today’s charges are a key step in what has been a lengthy and complex investigation.”
The charges against the two young men are significant. Both face accusations of conspiring to commit unauthorized acts against TfL that created a risk of serious damage to human welfare or national security—offenses that carry a maximum sentence of life imprisonment in the UK. Prosecutors are seeking to have both remanded in custody until trial, and the pair have been ordered to appear at Southwark Crown Court on 16 October 2025 for further proceedings, according to Computer Weekly and BBC News.
The legal net around the suspects extends far beyond London. Flowers, initially arrested over the TfL attack in September 2024 and released on bail, now faces two additional counts related to cyberattacks on U.S. healthcare companies SSM Health Care Corporation and Sutter Health. After his latest arrest, NCA officers discovered evidence linking him to these high-profile breaches. Meanwhile, Jubair faces an extra charge for refusing to provide investigators with PINs or passwords for devices seized during the investigation, a violation of the Regulation of Investigatory Powers Act. The U.S. Department of Justice has also unsealed a complaint against Jubair, accusing him of computer crimes linked to more than 120 network breaches and extortion schemes targeting 47 U.S. organizations, with victims reportedly paying at least $115 million in ransom.
The Crown Prosecution Service (CPS) has emphasized the strength of the case. Hannah von Dadelszen, the CPS’s chief prosecutor, said, “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.” She added, “We have worked closely with the National Crime Agency as they carried out their investigation.”
Scattered Spider, the group at the heart of this case, has become infamous for its sophisticated social engineering attacks. Security analysts believe the group is largely composed of young hackers who collaborate loosely online, sometimes overlapping with other cybercriminal collectives like ShinyHunters and Lapsus$. Their tactics often involve phishing and voice calls targeting corporate IT staff—a strategy that has proven alarmingly effective against both public and private sector organizations across the UK, the U.S., and beyond.
The TfL incident is just one in a string of high-profile cyberattacks attributed to Scattered Spider and its affiliates. In recent months, major UK retailers such as Marks & Spencer, the Co-op, and Harrods have suffered crippling digital assaults, forcing them to take entire systems offline and, in some cases, shut down online sales. The National Cyber Security Centre has been called in to assist, and the NCA has made several arrests, though details remain limited due to ongoing legal proceedings.
As Computer Weekly details, the broader context is troubling: the NCA’s February 2024 findings revealed that one in five children aged 10 to 16 in the UK have engaged in online activities that violate the Computer Misuse Act. This statistic underscores the challenge facing law enforcement and policymakers as cybercrime becomes ever more accessible—and attractive—to tech-savvy youth. Paul Foster has warned of a rising threat from English-speaking cybercriminal groups, and the NCA is busier than ever, investigating not just the TfL hack but also attacks on the Legal Aid Agency, the National Health Service, and a slew of major retailers.
Despite the sophistication of these attacks, the response from authorities has been robust. Foster praised TfL for its transparency and cooperation with investigators, noting that the arrests demonstrate what can be achieved when victims come forward and report incidents. The NCA, UK policing, and international partners like the FBI are “collectively committed to identifying offenders within these networks and ensuring they face justice,” Foster said.
For now, the legal process continues. Both Jubair and Flowers remain in custody as they await their next court appearance, and the full extent of their alleged involvement in Scattered Spider’s campaigns will be determined at trial. The case has already sent ripples through the cybersecurity community and the wider public, serving as a stark reminder of the vulnerabilities in even the most critical infrastructure—and the determination of law enforcement to hold perpetrators accountable, regardless of age or international borders.
As the dust settles from the TfL attack and similar incidents, one thing is clear: the battle against cybercrime is far from over, and its frontlines are closer to home than many might think.
