Two UK Teenagers Charged Over TfL Hack Linked to Scattered Spider

The cyberattack that disrupted Transport for London (TFL) websites and services in September 2024 has led to charges against two teenagers accused of working with the Scattered Spider hacking group.

Nineteen-year-old Thalha Jubair of East London and eighteen-year-old Owen Flowers of Walsall were arrested by the National Crime Agency on 16 September 2025 and brought before Westminster Magistrates’ Court. Prosecutors allege the pair conspired to breach TfL systems under the Computer Misuse Act, causing millions in damage and impacting parts of London’s critical infrastructure.

The incident did not stop the Underground from running, but it disrupted important services around it. Customers struggled to log into Oyster and contactless payment accounts, and third-party transit apps that rely on TfL’s APIs were knocked offline. Investigators estimate more than £30 million in costs so far, covering remediation, lost revenue, and security upgrades.

Roughly 5,000 Oyster users also had their personal information exposed, including bank details and contact records. TfL confirmed the data leak in its own disclosures, adding further weight to the charges against the accused.

TFL notification that was sent in September 2024

In its press release published today, the NCA described the probe as a “lengthy and complex investigation” in recent years. Paul Foster, deputy director of the agency’s National Cyber Crime Unit, said the attack “caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”

****Charges Against Jubair Detail Major Cybercrime Allegations****

According to a press release from the US Department of Justice, Jubair faces charges of conspiracy to commit computer fraud, wire fraud, and money laundering, linked to more than 120 network breaches and extortion schemes against 47 U.S. organisations. Prosecutors say the victims handed over at least $115 million in ransom payments.,

He also faces an additional charge for refusing to provide passwords or PINs to devices seized by investigators. That falls under the Regulation of Investigatory Powers Act, which compels suspects to disclose encryption keys or face prosecution.

Flowers is facing more than the London charges. Court documents also link him to cyberattacks on US healthcare providers SSM Health Care Corporation and Sutter Health. Those cases highlight the cross-border nature of Scattered Spider, a group already associated with high-profile ransomware and extortion campaigns in both North America and Europe.

****One More Arrest****

This is not the first arrest linked to the September 2024 TfL cyberattack. On September 12, 2024, the NCA announced the arrest of a teenager in Walsall, England, connected to the incident. However, the suspect’s name was not disclosed.

As for the latest arrests, the Crown Prosecution Service has said the evidence was strong enough to bring both men to court, stressing that it is in the public interest to pursue the case, given the damage to TfL and the risk to wider critical services.

Scattered Spider has gained a reputation over the past two years for sophisticated social engineering attacks, often targeting corporate IT staff through phishing and voice calls. Security analysts believe the group is made up largely of young hackers who collaborate loosely online, sometimes overlapping with other cybercriminal groups.

Nevertheless, these arrests and the age of alleged hackers align with the NCA’s February 2024 findings, which revealed that 1 in 5 youths in the United Kingdom engage in cybercrime. The agency disclosed that one in five children aged 10-16 in the UK have participated in online activities that violate the Computer Misuse Act.