Scattered Spider Members Jubair and Flowers Plead Guilty on Day One of TfL Trial

Another individual-conviction milestone in the Scattered Spider law-enforcement track: two alleged members admitted unauthorised access to Transport for London's network on the opening day of their trial, with sentencing set for July.

Share
Flat white line-art of a gavel on a block beside a transit train car and a document, on a Peacock background — Scattered Spider TfL guilty pleas.

Key Takeaways

  • Thalha Jubair, 20, of East London and Owen Flowers, 18, of Walsall in the West Midlands pleaded guilty at Woolwich Crown Court to conspiring to commit unauthorised acts under the Computer Misuse Act against Transport for London (TfL), with the pleas entered on the first day of what had been scheduled as a roughly six-week trial.
  • The charges stem from the cyberattack that struck TfL's network around 31 August to 3 September 2024, disrupting services for months, exposing customer data tied to the Oyster refunds system, and — according to officials and reporting — costing the authority tens of millions of pounds.
  • Both men are alleged members of the Scattered Spider extortion collective; Flowers additionally admitted attempts against US healthcare organisations Sutter Health and SSM Health Care, Jubair faced a further charge under the Regulation of Investigatory Powers Act for not disclosing device passwords, and the pair are due to be sentenced on 16 July 2026.

Another individual-conviction milestone in the Scattered Spider law-enforcement track.

LONDON — Two alleged members of the Scattered Spider cybercrime collective pleaded guilty at Woolwich Crown Court to their roles in the 2024 cyberattack on Transport for London (TfL), entering the pleas on the first day of a trial that had been expected to run for weeks. Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall in the West Midlands, admitted conspiring to commit unauthorised acts against TfL's computer systems under the Computer Misuse Act, according to the National Crime Agency (NCA) and multiple news reports. The incident, which began in late August 2024, disrupted services for months, exposed customer data, and — according to officials — cost the authority tens of millions of pounds.

The guilty pleas mark another individual-conviction milestone in the slow but accumulating law-enforcement track record against Scattered Spider, a loosely organised group blamed for a string of high-profile intrusions across retail, gaming, insurance, and transport. Investigators including the NCA and City of London Police framed the outcome as the product of a lengthy and complex inquiry, and both defendants are now scheduled for sentencing in July.

At a Glance
FieldDetails
DefendantsThalha Jubair, 20 (East London); Owen Flowers, 18 (Walsall)
GroupAlleged members of Scattered Spider
VictimTransport for London (TfL)
Incident dateLate August – early September 2024
CourtWoolwich Crown Court, London
PleaGuilty — entered on day one of trial
StatusSentencing scheduled 16 July 2026

What the Pleas Cover

According to the National Crime Agency and reporting from Krebs on Security, BleepingComputer, and Infosecurity Magazine, Jubair and Flowers each admitted conspiring to commit unauthorised acts under the Computer Misuse Act in connection with the TfL intrusion. The pleas were entered at Woolwich Crown Court on the opening day of proceedings, after what had been scheduled as a trial expected to last roughly six weeks. Both men were arrested following raids by the NCA and City of London Police in 2025.

The admissions were not limited to the transport authority. Reporting indicates that Flowers also pleaded guilty to charges relating to attempts against the computer systems of two US healthcare organisations, Sutter Health and SSM Health Care Corporation. Jubair, separately, faced a charge under the Regulation of Investigatory Powers Act for failing to disclose the PINs or passwords for devices seized from him — a charge that reflects the practical hurdles investigators face when suspects refuse to surrender access to encrypted hardware.

Officials and reporting describe the pleas as covering the defendants' roles in the intrusion rather than resolving every detail of the case in public; the precise basis on which each plea was entered, and the full schedule of counts, are matters for the court record. The CyberSignal is reporting the charges and pleas as attributed by the NCA and contemporaneous coverage, and is not characterising any element beyond what those sources state.

The TfL Incident in Context

Transport for London is one of the United Kingdom's most visible pieces of critical national infrastructure, operating the Underground, buses, and a range of customer-facing systems used by millions of people. The cyberattack against its network began around 31 August 2024 and continued into early September, prompting TfL to take systems offline and warn customers as it worked to contain the incident. The disruption affected back-office and customer-facing services for an extended period rather than resolving in days.

Among the most consequential effects was the exposure of customer data tied to TfL's Oyster refunds system, which handles repayments to travellers. Reporting indicates that data from the refunds system was accessed during the intrusion, and TfL subsequently moved to reset credentials and contact affected customers. The authority has described significant costs associated with response and recovery, with officials and reporting citing losses in the tens of millions of pounds — figures variously reported around the £29 million to £39 million range depending on what is counted.

For a transport operator, an incident of this kind is not merely an IT problem. It touches public confidence in services that people rely on daily, the integrity of payment and refund systems, and the broader question of how resilient operators of essential services are against socially engineered intrusions. That framing — an attack on critical national infrastructure rather than an isolated corporate breach — is part of why the case drew sustained attention from investigators and the press.

The Scattered Spider Law-Enforcement Track Record

Scattered Spider is less a tightly structured organisation than a fluid, English-speaking collective that has been linked to a series of intrusions across multiple sectors, often relying on social engineering — convincing help desks and employees to hand over access — rather than novel exploits. Its loose structure has made attribution and prosecution difficult, but the past two years have seen a steady, if incremental, accumulation of individual cases on both sides of the Atlantic.

The TfL pleas join a broader pattern of named defendants being charged, arrested, or convicted in connection with the group and its orbit. That track record sits alongside other recent individual-accountability outcomes in the cybercrime enforcement space, from ransomware-affiliated negotiators to operators of criminal services — cases such as the Karakurt negotiator sentenced to 102 months that show prosecutors steadily working through the human layer of organised cybercrime rather than only its infrastructure.

What distinguishes the Scattered Spider line of cases is the relative youth of many of the defendants and the prominence of their alleged targets. As Infosecurity Magazine noted in its coverage of the convictions, the two men in the TfL matter are 18 and 20; other individuals charged in connection with the group in the United States span their early twenties to mid-twenties. The recurring profile — young, English-speaking, and adept at social engineering — has become a defining feature of how investigators and defenders now describe the threat.

Why Individual Convictions Continue to Matter

Cybercrime enforcement is often measured in infrastructure takedowns: seized servers, dismantled botnets, and disrupted marketplaces. Those operations matter, but they tend to degrade capability temporarily rather than hold specific people to account. Individual convictions work on a different axis. They attach legal consequences to named people, create a public record of conduct, and — for collectives that recruit and operate informally — signal that participation carries personal risk.

That signalling effect is part of why authorities increasingly pair technical disruption with prosecutions of the people behind it. Large coordinated actions can knock out the plumbing of a criminal operation — as seen in cases like the FBI and Google takedown of an outsider China-linked cybercrime network — but it is the identification and conviction of individuals that converts a disruption into durable deterrence. For a group like Scattered Spider, whose strength lies in adaptable people rather than fixed infrastructure, that human-layer accountability is arguably the more meaningful lever.

There is also a practical intelligence dimension. Prosecutions surface details about how intrusions actually unfolded — the techniques used, the targets chosen, and the way loosely connected actors coordinated — that can inform defenders. Even where the courtroom basis of a plea is narrow, the existence of a case helps the wider community understand the threat landscape with more precision than threat reporting alone provides.

Open Questions

Several aspects of the case remain to be resolved in court. Sentencing is scheduled for 16 July 2026 at Woolwich Crown Court, and the eventual penalties — along with any judicial findings about the defendants' specific roles — will become clearer then. The CyberSignal is not asserting sentencing exposure, cooperation arrangements, or the complete list of counts beyond what the National Crime Agency and contemporaneous reporting have confirmed; those details belong to the sentencing record.

Equally open is what the pleas mean for the broader Scattered Spider ecosystem. The collective has been linked to far more activity than any single prosecution captures, and the relationship between these UK defendants and the separate US cases against other alleged members is a matter for the respective courts rather than something to infer. What is confirmed is significant on its own terms: two young men have admitted unauthorised access to the network of a major piece of critical national infrastructure, in a case that investigators describe as the product of a lengthy and painstaking inquiry.

For defenders, the durable takeaway is less about any one verdict than about the trajectory it represents. The combination of social-engineering-led intrusions against high-value targets and a maturing law-enforcement response — one that increasingly reaches the individuals involved — is now a fixed feature of the landscape. The TfL pleas are one more data point in that pattern, and the July sentencing will add the next.


The CyberSignal Analysis

The reported facts above are the National Crime Agency's and those of contemporaneous court reporting; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — Convictions Reach the People, Not Just the Diffuse Collective

The most consequential aspect of these pleas is that they attach legal consequences to two named individuals, not to the abstraction of a group. Scattered Spider is not a corporation with a hierarchy that can be decapitated; it is a fluid, loosely coupled collective whose membership is porous and whose capability lives in people rather than infrastructure. Our reading is that this is exactly why individual convictions carry disproportionate weight against a group of this shape — you cannot seize a server and neutralise a mindset, but you can establish that participation in a named intrusion ends in a courtroom.

That distinction reframes what success looks like for enforcement against diffuse collectives. A takedown of tooling or a marketplace degrades capability temporarily; a conviction removes a specific actor and creates a durable public record of conduct. For a collective that recruits informally and reconstitutes quickly, our assessment is that the accumulation of individual cases — even incremental ones — is the more meaningful long-run pressure, because it targets the one resource the group cannot simply respin.

Signal 02 — Prosecutions Are the Deterrence Lever Takedowns Cannot Be

Infrastructure disruption and prosecution operate on different timescales, and conflating them obscures why authorities increasingly pair the two. Knocking out plumbing buys defenders breathing room; converting an intrusion into a personal legal liability changes the calculus for the next would-be participant. Our view is that the deterrent signal from a guilty plea on day one of a high-profile trial — with sentencing to follow — is precisely the kind of individual-risk message that a purely technical takedown can never send.

The forward-looking read for defenders is that the enforcement response to social-engineering-led collectives is maturing toward the human layer, and that trajectory matters more than any single verdict. When the strength of a threat lies in adaptable, English-speaking operators rather than fixed assets, the durable countermeasure is one that raises the personal cost of participation. We would treat the steady cadence of named-defendant outcomes as the leading indicator of whether that deterrence is beginning to bite.

Signal 03 — The Young Western-Actor Profile Is Now a Planning Assumption

The recurring detail across these cases — defendants who are teenagers or in their early twenties, native English speakers, and fluent in help-desk manipulation — is not incidental colour; it is a threat-model input. Our reading is that defenders should stop treating the socially engineered intrusion as an exotic edge case and start treating this actor profile as a baseline planning assumption, because the people best positioned to talk their way past a help desk are, by design, indistinguishable over the phone from legitimate users.

That reframing has an operational consequence. If the adversary's core competence is persuasion rather than exploitation, then the marginal defensive dollar belongs in identity-verification rigor, help-desk callback procedures, and out-of-band confirmation for high-risk requests — not only in perimeter tooling. We would read the TfL case as one more data point arguing that human-process hardening is the control most directly matched to how this class of actor actually operates.


Sources

TypeSource
PrimaryNational Crime Agency — Cyber criminals who hacked TfL convicted
ReportingKrebs on Security — Scattered Spider Hackers Plead Guilty on Day 1 of Trial
ReportingBleepingComputer — Scattered Spider members plead guilty to hacking TfL
ReportingInfosecurity Magazine — Scattered Spider Teens Convicted of TfL Cyber-Attack
RelatedThe CyberSignal — Karakurt Negotiator Sentenced to 102 Months
RelatedThe CyberSignal — FBI and Google Take Down China-Linked Cybercrime Network