Two teenagers have been formally charged for their alleged roles in a cyberattack targeting Transport for London (TfL) in August 2024, marking a significant step forward in a wider investigation into the English-speaking cybercriminal group known as Scattered Spider.
The UK's National Crime Agency (NCA) and City of London Police arrested 19-year-old Thalha Jubair from East London and 18-year-old Owen Flowers from Walsall on September 16, 2025. Both suspects appeared before Westminster Magistrates' Court yesterday, charged with conspiracy to commit unauthorized acts against TfL under the Computer Misuse Act. The investigation also uncovered links to cyber intrusions against healthcare providers in the United States.
The network breach against TfL, which occurred on August 31, 2024, was initially disclosed by the agency days later. Investigators believe the attack compromised the data of around 5,000 Oyster card users and caused significant operational disruptions, including outages on TfL's digital platforms and delays in customer refunds. At the time, officials described the incident as a serious compromise of a critical national infrastructure system, prompting assistance from both the National Cyber Security Centre (NCSC) and international partners.
While both suspects face charges related to the TfL intrusion, the scope of their alleged cybercrime activity appears much broader. Investigators found evidence linking Flowers to attempted intrusions against two US-based healthcare organizations: SSM Health Care Corporation and Sutter Health.
Jubair, meanwhile, is also facing charges under the Regulation of Investigatory Powers Act (RIPA) for refusing to disclose the passwords or PINs to encrypted devices seized during his arrest. Law enforcement officials on both sides of the Atlantic believe Jubair played a central role in Scattered Spider's operations. He is suspected of involvement in at least 120 cyberattacks targeting both public and private institutions, including the US Courts system, and is alleged to have laundered tens of millions in ransom payments.
Forensic analysis of servers allegedly operated by Jubair revealed extensive evidence of past intrusions, including exfiltrated data from a New Jersey-based critical infrastructure firm and compromised credentials from the US federal judiciary. Authorities also discovered that the attackers used these credentials to impersonate legal authorities in order to extract private user data from tech firms.
Following his initial arrest on September 6, Flowers' devices yielded key information that broadened the scope of the investigation, ultimately leading to the additional charges related to US entities. Both suspects have been remanded into custody and are due to appear at Southwark Crown Court on October 16, 2025.
Leave a Reply