Two Young Suspects Linked to Scattered Spider Indicted for Transport for London Attack.
CONTEXT
-
August 2024: Hacking of Transport for London systems.
-
September 2024: First arrest of Owen Flowers, later released.
-
September 2025: Simultaneous arrests of Flowers and Jubair.
-
September 18, 2025: Hearing before Westminster Magistrates’ Court.
-
October 16, 2025: Hearing scheduled at Southwark Crown Court.
-
Charges: Conspiracy to commit unauthorized acts related to computers, punishable by life imprisonment.
[ZATAZ News English version] – The UK’s National Crime Agency has arrested and indicted two young men, Thalha Jubair, 19, and Owen Flowers, 18, accused of hacking Transport for London in August 2024. Both are allegedly tied to Scattered Spider, an English-speaking cybercrime group. Flowers faces additional charges for attempted intrusions into U.S. hospitals. Jubair is also named in a U.S. Department of Justice complaint for cyber offenses. Both face potential life sentences. The case illustrates the growing sophistication of attacks on strategic infrastructure and judicial cooperation between the UK and the U.S. in combating cyberthreats.
The TfL Hack and Indictments
On September 17, 2025, the NCA confirmed the arrest of two British youths in connection with the August 2024 Transport for London attack. Suspects Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, were apprehended at their homes the previous Tuesday midday.
The Crown Prosecution Service promptly authorized charges under the Computer Misuse Act. Prosecutors allege the pair conspired to commit unauthorized computer acts, creating serious risks to public and national security. The offense, one of the harshest under UK law, carries a maximum sentence of life imprisonment.
According to the NCA, the attack caused significant disruption to TfL operations and financial losses of several million pounds. Paul Foster, head of the National Cyber Crime Unit, called the indictments “a key new step in a long and complex investigation,” stressing the economic and strategic impact of targeting vital infrastructure.
Flowers had already been arrested in September 2024 in connection with the hack, then released on conditional bail. New investigations allegedly tied him to further intrusions, this time against U.S. healthcare organizations.
Transatlantic Legal Links
UK authorities state that Flowers attempted intrusions into the IT systems of SSM Health Care Corporation and Sutter Health in the United States. These charges strengthen the international dimension of the case and may lead to parallel proceedings between both countries.
Jubair is accused of refusing to provide investigators with access codes to seized devices. This obstruction adds a separate offense. Meanwhile, the U.S. Department of Justice has filed a complaint against him for various cybercrimes, increasing his exposure to prosecution.
Both defendants appeared on September 18, 2025, before Westminster Magistrates’ Court. This first-instance court rules on whether the case should move to a criminal court, competent for offenses carrying more than one year of prison. Prosecutors requested their detention, citing the seriousness of the charges. They are scheduled to appear on October 16, 2025, before Southwark Crown Court for further proceedings.
Scattered Spider: Persistent Threat
The case fits a worrying trend: the rise of English-speaking cybercrime groups. Scattered Spider, loosely structured but aggressive—as ZATAZ has tracked again in recent weeks—is notorious for social engineering and attacks on major companies in Europe and the U.S.
The NCA recently warned about escalating threats from such networks. Alongside the TfL intrusion, British investigators are handling several sensitive cases: the Legal Aid Agency hack, two incidents affecting the NHS, and attacks on retailers including Marks & Spencer, Co-op, and luxury store Harrods.
Hannah Von Dadelszen, CPS chief prosecutor, stated that the evidence was sufficient to proceed and that “the public interest fully justifies prosecution.” This underscores a clear stance: to deter other young individuals drawn by the notoriety of cybercrime collectives.
The NCA also emphasizes cooperation with the FBI and other foreign partners, stressing that the fight against transnational groups requires systematic coordination. Cyberspace, now a strategic battlefield, demands a collective law enforcement and judicial response.
