Scattered Spider Hackers Plead Guilty on Day 1 of Trial Cybercrime

According to the NCA, the cyberattack at TfL forced all 28,000 employees to visit their local offices to reset their passwords and caused £29 million ($38.3M) in financial damage to the public transportation organization. “Today’s result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances.” The investigators seized multiple devices from Flower’s home, including a laptop containing a screenshot showing connectivity to TfL infrastructure, evidence of access to a marketplace selling stolen credentials, and videos showing Jubair breaching TfL systems.

The Criminal Operation

The attack forced all 28,000 TfL employees to reset their passwords in person and resulted in about 29 million pounds ($38 million) in losses and recovery costs, according to the NCA.

Further details indicate that the breach also affected TfL’s customer refund services and exposed data held in the refund system for Oyster, the smart-ticketing platform used across London’s public transportation network.

Two Scattered Spider members plead guilty over cyberattack that crippled London transit Two alleged members of the cybercrime gang Scattered Spider pleaded guilty Monday to carrying out a cyberattack against London’s transport authority that disrupted services for months, exposed customer data and cost the organization tens of millions of pounds.

The two individuals, Thalha Jubair (20) and Owen Flowers (18), breached the systems of London’s transportation service between August 31 and September 3, 2024, causing millions of pounds in losses.

“This has been a lengthy, highly complex and painstaking investigation,”, Spokesperson

Victims & Losses

The attackers accessed data from TfL’s Oyster refunds system and disrupted customer refund services, delaying refunds for some users. In addition to TfL, authorities have also linked Flowers to intrusions at SSM Health Care Corporation and Sutter Health, both American healthcare organizations. It apparently impacted TfL’s customer refund system for some time, downed the application system for Oyster photocards for children and young people, and forced all 28,000 employees to attend a TfL office for a password reset.

It apparently impacted TfL’s customer refund system for some time, downed the application system for Oyster photocards for children and young people, and forced all 28,000 employees to attend a TfL office for a password reset.

Timeline

| Date | Event | |, , |, , -| | 2024 | The hack, which was disclosed on 2 September 2024, resulted in limited system access and exposed commuter data, stunt… | | 2024 | The figure is higher for those who game, standing at 25%,” NCA reported in 2024. | | 2025 | In July 2025, KrebsOnSecurity reported that Flowers and Jubair were arrested in the United Kingdom in connection with… | | 2023 | The NCA did not provide further details, but both companies reported large data breaches in 2023. |

Analysis

Organizations should review their exposure and apply available mitigations promptly.

Security teams should monitor vendor advisories and threat intelligence sources closely for additional context or updates. Organizations with mature security programs are advised to incorporate this intelligence into their regular risk assessments and prioritize response activities based on exposure and asset criticality. For environments where immediate remediation is not feasible, compensating controls such as network segmentation, enhanced monitoring, and access restrictions should be evaluated. Security leadership should communicate relevant details to operational teams and ensure that incident response capabilities are prepared if exploitation is observed in the wild.

Sources

1. https://www.recordedfuture.com/research/2026-fifa-world-cup-threats
2. https://www.recordedfuture.com/research/state-digital-surveillance-risk-landscape
3. https://www.recordedfuture.com/research/iran-handala-physical-threats
4. https://www.recordedfuture.com/research/cyber-maritime-sanctions-evasion
5. https://krebsonsecurity.com/2026/06/scattered-spider-hackers-plead-guilty-on-day-1-of-trial/
6. https://therecord.media/guilty-plea-tfl-cyberattack-scattered-spider-members