Two British youngsters who hacked Transport for London (TfL) in 2024 have pleaded guilty to their crimes, according to the National Crime Agency (NCA).

Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were teenagers when they hacked London’s transport authority between August 31 and September 3 2024. Both are said to be members of the infamous Scattered Spider collective.

The incident cost TfL £29m ($38m) in loss and recovery costs, according to the NCA. It apparently impacted TfL’s customer refund system for some time, downed the application system for Oyster photocards for children and young people, and forced all 28,000 employees to attend a TfL office for a password reset.

Read more on the TfL hack: TfL Claims Cyber-Incident is Not Impacting Services

Flowers was arrested on September 6 2024, with officers finding evidence of his involvement in breaches of US healthcare companies SSM Health Care Corporation and Sutter Health.

They seized an Acer laptop apparently containing a screenshot showing network connectivity to TfL infrastructure, and found evidence he had accessed a site selling breached credentials.

Also on the laptop, officers found a video recorded by Flowers which showed Jubair accessing TfL systems, and evidence of the pair messaging over Telegram and another tool at the same time.

Jubair may be in even more trouble, according to charges unsealed in September 2025.

They allege he participated in at least 120 computer network intrusions and extortion involving 47 US entities, with victims paying $115m or more in ransom payments to Jubair and his associates.

Both Jubair and Flowers pleaded guilty at Woolwich Crown Court on June 22 and will be sentenced on July 16.

A Complex Case

The investigation was “lengthy, highly complex and painstaking,” according to deputy director Paul Foster, head of the NCA’s National Cyber Crime Unit.

“The perseverance and meticulousness of our officers, and the work of our partner organisations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending,” he added.

“Cybercrime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public.”

Foster warned of the “increasing threat” from homegrown cybercriminals like those in the Scattered Spider group.

The loose collective of English-speaking hackers has been linked to major extortion incidents at MGM Resorts International, Snowflake and most recently Marks & Spencer and Co-op Group.