Two Scattered Spider Members Sentenced to Five-and-a-Half Years for £29 Million TfL Attack

The biggest cybercrime conviction in UK history — Scattered Spider's TfL attackers face five-and-a-half years, and the £29M cost lands as a defender-team reminder this week.

Share
Editorial illustration of a judge's gavel resting on a transit farecard, marking two Scattered Spider members jailed for the £29M Transport for London attack.

Key Takeaways

  • Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, were each sentenced to five years and six months in prison for their roles in the 2024 cyberattack on Transport for London (TfL), following guilty pleas entered in June 2026.
  • The National Crime Agency (NCA) led the case, which The Register describes as the biggest cybercrime conviction in UK history; the TfL attack reportedly cost the transport authority £29 million.
  • The sentencing is a law-enforcement accountability milestone rather than a fresh technical disclosure — a defender-team data point in the widening effort to convert named Scattered Spider members into named, sentenced defendants.

A UK courtroom just converted two named Scattered Spider members into sentenced defendants — the enforcement half of the ransomware-era threat, landing as accountability rather than tradecraft.

LONDON — Two members of the Scattered Spider cybercrime collective have been sentenced to five years and six months each in prison for their roles in the 2024 cyberattack on Transport for London (TfL), an incident that reportedly cost the transport authority £29 million. Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, were sentenced on or about 16 July 2026 after pleading guilty in June, in a case led by the United Kingdom's National Crime Agency (NCA) and described by The Register as the biggest cybercrime conviction in UK history.

The sentencing reads as a law-enforcement accountability story rather than a new technical disclosure: no fresh vulnerability or intrusion to study, only two named individuals receiving custodial terms for an attack on a major piece of critical national infrastructure. It closes the loop on a case The CyberSignal has tracked since the guilty pleas the pair entered on the opening day of trial, and lands as a defender-team reminder that the enforcement side of the Scattered Spider problem is now producing sentences, not just charges.

At a Glance
FieldDetails
DefendantsThalha Jubair, 20 (East London); Owen Flowers, 18 (Walsall)
GroupScattered Spider cybercrime collective
VictimTransport for London (TfL)
SentenceFive years and six months (66 months) each
Guilty pleaJune 2026
SentencedOn or about 16 July 2026
Investigating agencyNational Crime Agency (NCA)
Reported cost£29 million (reportedly)
Framing"Biggest cybercrime conviction in UK history" (The Register)
Not confirmedUS extradition, cooperation terms, additional co-defendants, specific TfL systems affected

What the Sentences Covered

According to reporting from TechCrunch, Help Net Security, and The Register, Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, were each sentenced to five years and six months in prison — a term also rendered in some coverage as 5.5 years or 66 months — for their roles in the 2024 attack on Transport for London. The two men had pleaded guilty in June 2026, and the sentencing hearing on or about 16 July 2026 fixed the consequences of those pleas.

The custodial terms are the consequential figures here. Five years and six months, handed down to each defendant, is the part of the outcome that frames how the case should be read: as an individual-accountability result for an attack on critical national infrastructure, not as a disruption of servers or a seizure of criminal proceeds. The two men are members of Scattered Spider, the loosely organised, largely English-speaking collective linked to a string of high-profile intrusions across retail, gaming, insurance, and transport.

The National Crime Agency led the investigation, working with partners to build the case that ended in these sentences. For the NCA, the outcome is a headline result against a group whose diffuse structure has historically made attribution and prosecution difficult — two named members, now sentenced, for an attack on a service used by millions of Londoners every day.

Continuation Context: The TfL Guilty Pleas

This sentencing is the second act of a case The CyberSignal covered when it first reached court. In June 2026, Jubair and Flowers pleaded guilty on the opening day of what had been scheduled as a multi-week trial at Woolwich Crown Court, admitting conspiracy to commit unauthorised acts under the Computer Misuse Act in connection with the TfL intrusion. The pleas resolved the question of guilt; the 16 July hearing resolved the question of punishment.

The TfL cyberattack began in late August 2024 and disrupted services and customer-facing systems for an extended period, prompting the authority to take systems offline as it worked to contain the incident. Transport for London is one of the United Kingdom's most visible pieces of critical national infrastructure, operating the Underground, buses, and a wide range of payment and refund systems — which is part of why the case drew sustained attention from investigators and the press from the outset.

Reading the two milestones together — the June pleas and the July sentences — gives the clearest picture of the case's trajectory: a lengthy NCA-led inquiry, an early admission of guilt once trial began, and a custodial outcome that puts a firm number on the personal cost of participating in the intrusion.

The £29 Million Cost Figure in Context

The attack reportedly cost Transport for London £29 million, a figure that has anchored much of the coverage and that officials and reporting have attached to the authority's response and recovery. The CyberSignal reports the £29 million as a reported figure rather than an audited final total; cost estimates for large public-sector incidents often shift depending on what is counted — direct response, remediation, staff time, and downstream service impact — and the precise composition of the number is not something to infer beyond what the sources state.

Even as a reported estimate, the figure does useful work for defenders trying to make the business case for resilience. A single socially engineered intrusion against a transport operator producing a cost in the tens of millions of pounds is a concrete data point about downside exposure — the kind of number that translates an abstract threat into a budget-line argument for identity-verification rigor and incident-response readiness.

It also situates the TfL case within a broader enforcement record in which authorities increasingly attach real numbers to cybercrime harm, from restitution terms in ransomware pleas to the sums cited in large coordinated actions such as the FBI and Google takedown of an outsider China-linked cybercrime network. The £29 million is TfL's cost, not the defendants' proceeds — a distinction worth keeping in view when reading the figure.

The Judge's “Selfish Bravado” Characterization

As Infosecurity Magazine reported, the sentencing was accompanied by a judicial characterization of the defendants' conduct as driven by “selfish bravado.” The phrase is notable because it reframes the attack away from any narrative of sophistication and toward one of self-regarding recklessness — a court's assessment of motive rather than a technical description of method.

For defenders, the language matters less as legal detail than as signal. Scattered Spider's public image has often traded on the idea of daring, youthful operators running rings around large organisations; a judge attributing the conduct to “selfish bravado” punctures that framing and relocates it where the court believes it belongs — as harmful behaviour with real victims, sentenced accordingly.

The CyberSignal treats the “selfish bravado” characterization as reported by Infosecurity Magazine and is not extending it beyond the sentencing context in which it was delivered. What it captures is a tone increasingly common in cybercrime sentencing: courts declining to romanticise the defendants and instead emphasising the concrete harm done to the public services they targeted.

The Ongoing Scattered Spider Law-Enforcement Pipeline (US and UK)

The TfL sentences join a widening pipeline of named-defendant outcomes across the cybercrime enforcement space. They sit alongside other recent individual-accountability results The CyberSignal has tracked, including the guilty plea by a Ukrainian national in a Conti ransomware case, the 102-month sentence handed to Karakurt negotiator Deniss Zolotarjovs, and US charges against a Russian national linked to the Void Blizzard activity. Each involved a specific, named person rather than an anonymous handle.

That people-focused track increasingly runs in parallel with large infrastructure disruptions — coordinated operations such as Europol's Operation Endgame 2.0 takedown of 300 servers and 20 operators and Interpol's Operation Ramz arrests across 13 countries. Read together, these cases describe a strategy that pairs technical disruption with the prosecution of the people behind it.

For a collective like Scattered Spider, whose strength lies in adaptable, English-speaking operators rather than fixed infrastructure, that human-layer accountability is arguably the more meaningful lever. A takedown degrades capability temporarily; a sentence removes a specific actor and establishes, on the public record, that participation in a named intrusion carries personal risk. The TfL sentences are the UK's latest contribution to that record.

Open Questions

Several aspects of the wider Scattered Spider picture are not resolved by these sentences. It is not confirmed whether Jubair or Flowers cooperated with investigators against other defendants, whether either faces outstanding US extradition, or how these UK convictions relate to the separate cases reportedly pending against other alleged members of the group on both sides of the Atlantic. None of those points should be assumed from the confirmed facts of the sentencing itself.

The specific TfL systems affected during the 2024 intrusion, and the precise technical basis of the attack, likewise remain matters for the court record and the authority's own disclosures rather than something to reconstruct here. The CyberSignal is reporting the sentences, the reported £29 million cost, and the judge's characterization as attributed by the NCA and contemporaneous coverage, and is not characterising any element beyond what those sources state.

What is confirmed is significant on its own terms: two named members of Scattered Spider have been sentenced to five years and six months each for an attack on a major piece of UK critical national infrastructure, in what The Register calls the biggest cybercrime conviction in the country's history. The open questions belong to future proceedings; this outcome belongs to the enforcement record now.


The CyberSignal Analysis

The reported facts above come from the NCA and contemporaneous court reporting; what follows is The CyberSignal's editorial reading for defenders. None of the judgments below are new reported facts.

Signal 01 — Sentences, Not Just Charges, Now Reach Scattered Spider

The most consequential aspect of this case is that it moves the Scattered Spider enforcement story from arrests and pleas to custodial sentences. Charges signal intent; sentences signal follow-through. Our reading is that a five-and-a-half-year term against each of two named members changes the risk calculus for a collective that has traded on the perception of consequence-free daring, because it converts an abstract legal exposure into a concrete number of years.

That distinction reframes what success looks like against a diffuse collective. You cannot decapitate a group with no hierarchy, but you can establish — case by case — that participation in a named intrusion ends in prison. We assess the accumulation of sentenced defendants, not the count of takedowns, as the more durable pressure on a threat whose capability lives in people.

Signal 02 — The £29 Million Is a Business-Case Number for Defenders

The reported £29 million cost is easy to file under courtroom colour, but its more useful role is as a defender's business-case figure. A single socially engineered intrusion producing a cost in the tens of millions is precisely the kind of concrete downside that security leaders can carry into budget conversations. Our view is that numbers like this one do more to justify investment in identity verification and help-desk hardening than any threat-report abstraction.

We would caution against over-reading the figure as a precise final total — it is a reported cost, not an audited one — but its order of magnitude is the point. For organisations weighing the price of resilience against the price of an incident, the TfL number is a data point that lands on the right side of the ledger.

Signal 03 — UK and US Tracks Are Converging on the Same People-First Strategy

The TfL sentences, delivered by a UK court in an NCA-led case, sit inside the same strategic pattern visible in US ransomware prosecutions and multinational Europol and Interpol actions: authorities are increasingly targeting individuals alongside infrastructure. Our reading is that this convergence — different jurisdictions, same people-first logic — is the structural story defenders should track, because it suggests the deterrence signal is being sent from more directions at once.

Neither the UK nor the US track substitutes for security controls, and both move slowly relative to the pace of intrusions. But the combination is a more complete deterrent than either alone, and the steady cadence of named-defendant outcomes across both suggests the people-focused approach is gaining momentum rather than tapering off.


Sources

TypeSource
ReportingTechCrunch — UK cops say arrest of two young hackers disrupted an infamous hacking group
ReportingHelp Net Security — Transport for London cyberattack: prison time
ReportingThe Register — Scattered Spider duo handed prison over Transport for London attack
ReportingInfosecurity Magazine — “Selfish bravado” behind TfL cyberattack
RelatedThe CyberSignal — Scattered Spider Members Jubair and Flowers Plead Guilty on Day One of TfL Trial
RelatedThe CyberSignal — Karakurt Negotiator Deniss Zolotarjovs Sentenced to 102 Months