Two teenagers have been charged in connection with a major cyber attack on Transport for London (TfL), an incident that sent shockwaves through the UK’s critical infrastructure and highlighted the growing threat posed by young cyber-criminals. The attack, which took place on August 31, 2024, is believed by investigators to have been orchestrated by the notorious cyber-criminal group Scattered Spider, a collective implicated in a string of high-profile hacks across the UK and beyond.
Thalha Jubair, 19, from east London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested at their respective home addresses on Tuesday, September 16, 2025. The operation was a coordinated effort involving the National Crime Agency (NCA), City of London Police, and support from the West Midlands Regional Organised Crime Unit and British Transport Police, according to Sky News and The Independent.
Both young men appeared at Westminster Magistrates Court on Thursday, September 18, 2025, charged with conspiring together to commit unauthorized acts against TfL under the Computer Misuse Act. The charges follow what Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, described as “a lengthy and complex investigation.” The two have been remanded in custody and are set to appear at Southwark Crown Court at a later date.
“Today’s charges are a key step in what has been a lengthy and complex investigation,” Foster said. “This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.” According to BBC and The Independent, the hack forced TfL to shut down several of its operations, including traffic cameras and ‘dial-a-ride’ bookings, and disrupted payment processing. The fallout lasted for three months, causing headaches for both staff and London commuters.
The incident was not just a technical nuisance — it had real financial and personal consequences. TfL wrote to around 5,000 customers warning of potential unauthorized access to sensitive personal information, including bank account numbers, sort codes, names, emails, and home addresses. The breach even exposed Oyster card refund data, as reported by The Independent. While the attack did not cause broader disruption to London’s transport network, the financial toll was severe, costing TfL millions of pounds in losses and recovery efforts.
The court heard that at the time of the TfL hack, Owen Flowers was already on bail for multiple ransomware attacks. After his latest arrest, detectives uncovered evidence linking him to additional cyber offenses targeting U.S. healthcare companies. Flowers now faces charges of conspiring, with others, to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health. These charges underscore the cross-border nature of cyber-crime and the reach of groups like Scattered Spider.
Thalha Jubair, meanwhile, has been hit with an additional charge under the Regulation of Investigatory Powers Act (RIPA) for failing to disclose the PIN or passwords for devices seized from him. This reflects the increasing use of legal powers by UK authorities to compel suspects to unlock digital evidence — a crucial step in prosecuting sophisticated cyber offenses.
The NCA believes that Scattered Spider, the group behind the TfL attack, is also responsible for a series of devastating cyber assaults on major UK retailers in 2025, including Marks & Spencer (M&S), Co-op, and Harrods. According to Sky News and Infosecurity Magazine, the M&S hack alone caused months of disruption and is expected to cost the retailer up to £300 million this year. The same group is suspected of targeting Jaguar Land Rover and other high-profile companies, demonstrating a pattern of aggressive, high-value attacks.
Scattered Spider is notorious for its use of social engineering tactics, often leveraging the native English skills of its young members to dupe unsuspecting victims. The group’s prominence reflects a worrying trend in the UK: the average age of a cyber-criminal is just 17, with many drawn into illegal activity through online forums, video games, and the lure of quick financial gain. The Information Commissioner’s Office (ICO) has warned of rising threats to educational institutions, as more young people are tempted into cyber-crime.
The scale and sophistication of the TfL attack — and others like it — have prompted urgent warnings from law enforcement. Earlier this year, the NCA cautioned of an increase in the threat from cyber criminal gangs based in the UK and other English-speaking countries, with Scattered Spider cited as a clear example. Foster noted, “The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice.”
For its part, TfL welcomed the announcement of the charges, stating, “We welcome this announcement by the National Crime Agency that two people have now been charged in relation to the cyber incident which impacted our operations last year.” The agency’s swift reporting and engagement with the NCA were credited by investigators as key to advancing the case.
The Crown Prosecution Service (CPS) has confirmed it is prosecuting Jubair and Flowers with computer misuse and fraud-related charges. Hannah Von Dadelszen, chief crown prosecutor, explained, “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings. We have worked closely with the National Crime Agency as they carried out their investigation.”
The ongoing investigation and prosecution of the alleged hackers signal a broader shift in how authorities are tackling cyber-crime. The NCA and its partners, including the FBI, are ramping up efforts to dismantle transnational cyber-criminal networks and bring their members to justice, no matter where they operate.
The case also shines a spotlight on the vulnerabilities within critical national infrastructure and the urgent need for robust cybersecurity measures. As more essential services become digitized, the risks posed by cyber-criminals — particularly those with insider knowledge and advanced technical skills — continue to grow.
Whether the arrests of Jubair and Flowers will mark a turning point in the fight against groups like Scattered Spider remains to be seen. Authorities are hopeful that the prosecution will serve as a deterrent to would-be hackers, especially among the UK’s youth. But as the digital landscape evolves, so too do the tactics of cyber-criminals — and the battle to protect vital systems is far from over.
For now, the London transport network is back up and running, but the scars of the attack — and the lessons learned — are likely to shape cybersecurity strategy for years to come.
