Two teenagers suspected of being part of the infamous Scattered Spider hacking collective have been arrested in the United Kingdom in connection with the high-profile cyberattack on Transport for London (TfL) in August 2024.
The suspects, identified as 18-year-old Owen Flowers from Walsall and 19-year-old Thalha Jubair from East London, are scheduled to appear before Westminster Magistrates’ Court. Both face charges of computer misuse and fraud stemming from the breach that disrupted parts of London’s critical transport infrastructure.
Investigators Connect Suspects to Wider Cybercrime Campaign
Flowers is not a newcomer to law enforcement scrutiny. He was previously arrested in September 2024 on suspicion of involvement in the TfL breach but released on bail pending further investigation. Since then, the UK’s National Crime Agency (NCA) has reportedly uncovered additional evidence that allegedly links him to cyberattacks targeting U.S. healthcare providers, including SSM Health Care Corporation and Sutter Health.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, stressed the severity of the incident, stating, “This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure. Earlier this year, the NCA warned of an increase in the threat from cybercriminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example.”
DOJ Charges Extend to Global Breaches and Extortion
Across the Atlantic, the U.S. Department of Justice (DOJ) has also unsealed criminal charges against Jubair. The DOJ alleges that Jubair and his co-conspirators carried out at least 120 network breaches and extortion attacks worldwide between May 2022 and September 2025, impacting at least 47 U.S. organizations.
According to the complaint filed in the District of New Jersey, victims collectively paid more than $115 million in ransom demands linked to the group’s operations. Charges against Jubair include conspiracy to commit computer fraud, wire fraud, and money laundering.
TfL Breach Timeline and Impact
TfL initially disclosed the August 2024 attack on September 2, 2024, reassuring the public that no customer data had been compromised. However, a later update revealed that customer data — including names, contact details, and addresses — had indeed been accessed.
While the attack did not disrupt day-to-day transportation services, it caused significant downtime for internal systems, online services, and refund processing. TfL, which manages London’s Underground, surface transport, and Crossrail services in partnership with the UK’s Department for Transport, serves over 8.4 million Londoners daily — magnifying the scale of the breach’s impact.
This was not TfL’s first encounter with cybercrime. In May 2023, the agency fell victim to a separate data breach when the Clop ransomware gang exploited a vulnerability in a supplier’s MOVEit Managed File Transfer (MFT) server, exposing data from more than 13,000 customers.
Scattered Spider Crackdown Continues
The recent arrests mark part of a broader law enforcement push against Scattered Spider, a hacking group notorious for its high-profile extortion campaigns. In July 2025, the NCA apprehended four other suspected members accused of targeting major UK retailers including Marks & Spencer, Harrods, and Co-op.
Authorities on both sides of the Atlantic appear determined to dismantle the collective, which has been linked to some of the most disruptive cyberattacks against critical infrastructure, retail, and healthcare organizations in recent years.
