{"id":8588,"date":"2026-06-24T17:30:49","date_gmt":"2026-06-24T17:30:49","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8588"},"modified":"2026-06-24T17:30:49","modified_gmt":"2026-06-24T17:30:49","slug":"scattered-spider-duo-convicted-over-38m-transport-for-london-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8588","title":{"rendered":"Scattered Spider duo convicted over $38M Transport for London attack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Two members of the <a href=\"https:\/\/www.csoonline.com\/article\/4020567\/anatomy-of-a-scattered-spider-attack-a-growing-ransomware-threat-evolves.html\">Scattered Spide<\/a>r cybercrime collective have admitted launching a cyberattack against Transport for London (TfL) that caused millions in damages.<\/p>\n<p>Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were due to stand trial for computer hacking offences at Woolwich Crown Court on Monday but changed their pleas to guilty on the first day of what was scheduled to be a six-week trial.<\/p>\n<p>Sentencing for the pair is due to take place in the same outer London court on July 22.<\/p>\n<h2 class=\"wp-block-heading\">Mind the gap<\/h2>\n<p><a href=\"https:\/\/www.bbc.co.uk\/news\/articles\/czx5yp9qy0do\">Jubair and Flowers<\/a> compromised TfL\u2019s network between Aug. 31 and Sept. 3, 2024, in an attack that disrupted in-station services such as information boards, and online services such as TfL\u2019s refunds portal and Oyster photocard application systems for young people.<\/p>\n<p>The same attack also meant all 28,000 employees of the London transport network were obliged to attend a TfL office for a password reset. A BBC investigation in March 2026 revealed that the hack had exposed the names, email addresses, mobile phone numbers and physical addresses of <a href=\"https:\/\/www.bbc.co.uk\/news\/articles\/cz0ggkr2g77o\">an estimated 10 million people<\/a>.<\/p>\n<p>TfL suffered a reported \u00a329 million ($38.2 million) in losses, incident response, and other recovery costs.<\/p>\n<p>The attack was investigated by the UK\u2019s National Crime Agency and City of London Police. Police investigators quickly identified Flowers as a suspect prior to his arrest at his home on Sept. 6, 2024.<\/p>\n<p>Forensic analysis on the laptops, tower computers, hard drives, and USB sticks seized at the time of Flower\u2019s arrest uncovered evidence that he had also broken into the systems of US healthcare companies SSM Health Care and Sutter Health.<\/p>\n<p>One Acer laptop seized during the arrest held videos showing Jubair accessing TfL systems during the attack, according to a <a href=\"https:\/\/www.nationalcrimeagency.gov.uk\/news\/cyber-criminals-who-hacked-into-transport-for-londons-computer-network-are-convicted\">police statement on the case<\/a>. The pair were messaging each other through the Telegram messaging service as well as using a common workspace that they shared with other cybercriminals.<\/p>\n<h2 class=\"wp-block-heading\">Web of destruction<\/h2>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/3994369\/how-cisos-can-defend-against-scattered-spider-ransomware-attacks.html\">Scattered Spider group<\/a> burst onto the scene with <a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a> attacks against Caesars Entertainment and <a href=\"https:\/\/www.csoonline.com\/article\/654846\/mgm-ransomware-attack-costs-100-million-in-busy-month-for-breaches.html\">MGM Resorts<\/a> in 2023. Attacks against a wide variety of targets across multiple industries, including <a href=\"https:\/\/www.csoonline.com\/article\/3977688\/warning-issued-to-retailers-cisos-worldwide-after-three-attacks-in-uk.html\">retail<\/a>, hospitality, telecoms, and aviation, followed.<\/p>\n<p>UK attacks linked to Scattered Spider include high-profile attacks on <a href=\"https:\/\/www.csoonline.com\/article\/4065991\/dont-drink-or-drive-say-cyberattackers.html\">Jaguar Land Rover<\/a> and retailer <a href=\"https:\/\/www.csoonline.com\/article\/3986579\/aggressive-creative-hackers-behind-uk-breaches-now-eyeing-us-retailers.html\">Marks and Spencer<\/a>.<\/p>\n<p>Scattered Spider is best viewed as an overlapping network of largely English-speaking crews and affiliates rather than a tightly knit organisation.<\/p>\n<p>The group\u2019s tradecraft is characterised by social engineering, help-desk impersonation, SIM swapping in the furtherance of ransomware-enabled extortion, and other scams. In particular, Scattered Spider targeted outsourced IT support and help-desk providers to reset credentials and bypass multi-factor authentication controls to expand their access into victim\u2019s networks.<\/p>\n<p>A loose alliance or collective of cybercrime groups including Scattered Spider, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Lapsus%24\">Lapsus$<\/a>, and <a href=\"https:\/\/en.wikipedia.org\/wiki\/ShinyHunters\">ShinyHunters<\/a> was established last year.<\/p>\n<p>Jubair and Flowers are among a growing number of members of the group to be convicted for computer crime offences.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4163328\/scattered-spider-co-conspirator-pleads-guilty.html\">Tyler Buchanan<\/a>, a senior figure in the group, was arrested at a Spanish airport in June 2024.<\/p>\n<p>Buchanan, 24, of Dundee, Scotland, was extradited to the US and <a href=\"https:\/\/www.justice.gov\/usao-cdca\/pr\/british-national-pleads-guilty-hacking-companies-and-stealing-least-8-million-virtual\">pleaded guilty in April 2026 to a scam that aimed to steal $8 million in virtual currency<\/a> from at least a dozen companies as well as numerous individuals.<\/p>\n<p>Co-conspirator <a href=\"https:\/\/www.justice.gov\/usao-mdfl\/pr\/palm-coast-hacker-sentenced-10-years-prison\">Noah Michael Urban of Palm Coast, Florida, was jailed for 10 years<\/a> in April 2025 after pleading guilty to aggravated identity theft and wire fraud offences.<\/p>\n<p>Other prosecutions remain pending.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Two members of the Scattered Spider cybercrime collective have admitted launching a cyberattack against Transport for London (TfL) that caused millions in damages. Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were due to stand trial for computer hacking offences at Woolwich Crown Court on Monday but changed their [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8589,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8588"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8588"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8588\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8589"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}