The pair used the dark web to gain access to TfL's internal systems
Two young hackers have been jailed for five-and-a-half years after admitting to breaching Transport for London’s systems in a cyber attack that caused disruption across the network.
Thalha Jubair and Owen Flowers, now aged 20 and 18, gained access to TfL’s internal systems via the dark web in 2024, with the incident costing the transport authority an estimated £29million and affecting services for months.
Prosecutors described the pair as “experienced and talented” hackers, and said they were members of the notorious Scattered Spider cybercrime group, which has been linked to major attacks on M&S, Co-op and Jaguar Land Rover last year.
Jubair and Flowers both pleaded guilty shortly before their trial was due to begin last month, having previously denied the charges.
Judge Mr Justice Turner sentenced both men to five years and six months in prison, with each receiving a 15 per cent reduction for their guilty pleas.
As a result of the hack, TfL was forced to “pull the plug” on its systems at a huge cost.
Data from the Oyster refund system was accessed, contactless systems were delayed and applications for Oyster photo cards for children and young people were shut down.
The hack also meant all of TfL’s employees had to attend an office to reset their passwords.
During the hearing, prosecutor Mark Fenhalls KC said the pair risked losing £56billion from the UK economy through what TfL said was “significant and extend transport service degradation and disruption.”
TfL said: “Such widespread disruption would have had a serious impact on the travelling public, including for those accessing education, healthcare and other essential services, and London’s economy.”
The hack was carried out between August 31 and September 3, 2024.
They worked through the night for 16 hours to gain access to the network, with Flowers live-streaming the hack.
Some of the videos from the hack were recovered when he was arrested on September 6, three days after the incident.
Using remote servers allowed them to conceal the origin of the attack, while they also used virtual machines within the TfL system to destroy evidence.
Jubair’s barrister Paul Keleher KFC described him as a “modern day Oliver Twist” who had been groomed from a young age to be used for hacking.
Flowers’ barrister, Adam Davis KC, told the court his client was an “immature child trying to show off online”.
However, prosecutors said that when his laptop was seized after his arrest, it was being used in attempts to hack two US healthcare providers, SSM Health and Sutter Health.
The court heard those attacks were only prevented because of the “fortuitous timing” of his arrest. Flowers is wanted in the US, although he is not believed to currently be facing extradition proceedings.
After being remanded in custody in September 2025, Flowers was found to have purchased two “unlawful phones” while in prison and searched for login details linked to the Ministry of Justice, Wandsworth Prison staff and the Crown Prosecution Service.






