Fintech & Crypto Alerts · Dakota Flynn · 18 July 2026

Teen hackers jailed after live-streaming TfL cyber-attack

Teen hackers jailed after live-streaming TfL cyber-attack

Two teenage hackers who live-streamed a 2024 cyber-attack that crippled Transport for London have each been jailed for five years and six months. Owen Flowers and Thalha Jubair, each a Scattered Spider hacker, stole millions of customers' data and caused tens of millions in losses.

Key Takeaways

What did the teenage hackers do to TfL?

According to the BBC, Flowers was 17 and Jubair was 18 when they breached TfL at 17:00 on 31 August 2024. They tricked a phone help-desk worker into resetting an impersonated employee's password, then searched an Oyster-card database for celebrity details and tried to reach banking information.

Woolwich Crown Court heard the pair streamed the roughly 16-hour intrusion. The attack left 148 technology systems inoperable, disrupted services including Dial-a-Ride, forced all 27,000 TfL staff to reset passwords in person, and kept online services disrupted for months.

TfL said the financial impact was £29m, with another £10m in lost income. Customer data—potentially covering as many as 10 million people—has continued to circulate in criminal groups, the BBC reported.

Who are the hackers and how were they caught?

Both men were described as computer-obsessed loners tied to Scattered Spider, a loosely coordinated English-speaking cyber-crime collective also linked to attacks on retailers including Marks & Spencer and the Co-op. Flowers, from Walsall, rarely left his bedroom; Jubair, from east London, had 22 previous convictions related to hacking, fraud and harassment.

Flowers had received a cease-and-desist order for minor cyber crime in October 2023. He was arrested in September 2024 over the TfL attack; video showed him laughing as officers took him into custody. Investigators also found him hacking two US healthcare providers and seized cryptocurrency holdings worth around £1m.

Jubair previously received a Youth Rehabilitation Order for work with the Lapsus$ group and is wanted in the US over alleged cyber crimes involving about $115 million in ransoms paid to him and associates. While awaiting trial, both were found with contraband phones and messages about future attacks.

Judge Mr Justice Turner cited their young age and autism diagnoses as mitigating factors. For more on crypto-linked crime cases, see BlasterPost Fintech & Crypto Alerts.

Why does this hacker case matter beyond TfL?

The NCA said the growth of young UK hackers is among the biggest threats to the country's cyber security. Deputy director Paul Foster warned that the online world can expose young people to criminal communities far beyond their front door, and urged parents, educators, tech firms and law enforcement to help keep youths safe online.

Although police said Scattered Spider was heavily degraded by the arrests, cyber security analyst Allison Nixon argued the sentences alone would do little to deter young boys drawn to a gang culture that idolises maximising victim harm—an unresolved risk for operators handling payments, identity data and digital transport systems.

← Open in blast feed