Scattered Spider teens jailed 5.5 years for £29M TfL attack – extradition looms
Key Takeaways
- Two UK teenagers, core members of the Scattered Spider hacking group, have been sentenced to 5.5 years for a £29 million cyber attack on Transport for London.
- The case demonstrates the group’s social engineering prowess and the role of cryptocurrency tracing in identifying attackers, while one hacker now faces extradition to the US for $87 million in extortion.
Mentioned
Key Intelligence
Key Facts
- 1Thalha Jubair, 20, and Owen Flowers, 18, were each sentenced to 5 years and 6 months for the Transport for London cyber attack.
- 2The four-day attack on TfL cost an estimated £29 million and threatened up to £56 billion in catastrophic damage before the network was disconnected.
- 3Jubair is separately charged in the US with extorting at least £87 million from 47 American companies between 2022 and 2025.
- 4$200 million in cryptocurrency moved through accounts linked to Jubair; Flowers controlled wallets containing $7.1 million.
- 5The pair were core members of the Scattered Spider hacking group, linked to attacks on Jaguar Land Rover (£1.9 billion), M&S (£300 million), and the Co-op (£206 million losses).
- 6Jubair was traced by the FBI after using a crypto wallet holding £27 million in ransom proceeds to purchase food delivery vouchers.
Direct cost of the four-day cyber attack on Transport for London
I'm satisfied your actions were motivated by selfish bravado, heedless of the severe consequences to others.
Sentencing hearing
Analysis
For cybersecurity professionals, the sentencing of Thalha Jubair and Owen Flowers provides a stark case study in the new breed of threat actors: socially isolated teenagers leveraging advanced social engineering to breach critical infrastructure. The Scattered Spider group’s ability to extract £29M in a single attack on TfL, while simultaneously extorting over £87M from US companies, underscores the evolving ransomware and extortion ecosystem that blends technical prowess with crypto obfuscation.
In a landmark sentencing at Woolwich Crown Court, two British teenagers were each jailed for five years and six months for masterminding a devastating cyber attack on Transport for London that cost an estimated £29 million and threatened up to £56 billion in "catastrophic damage." Thalha Jubair, 20, and Owen Flowers, 18, operated as core members of the notorious Scattered Spider hacking group, a collective responsible for a spate of high-profile breaches against global corporations. Their conviction and the detailed revelations about their crypto-fuelled criminal lifestyle provide a chilling case study in the evolving threat landscape, blending sophisticated social engineering, massive ransomware extortion, and the tracing of digital currency to bring perpetrators to justice.
Cryptocurrency was the lifeblood of their operations: court records revealed that $200 million in digital assets had passed through accounts linked to Jubair, while Flowers controlled wallets holding $7.1 million.
The attack on TfL was a four-day onslaught that could have "shut down TfL completely," according to court testimony. The transport authority’s security teams narrowly averted total paralysis by disconnecting the network before the hackers could inflict irreversible harm. The potential £56 billion loss underscores the fragility of critical national infrastructure when pitted against determined, albeit young, threat actors. The pair’s motivation, as Judge Mark Turner noted, was "selfish bravado, heedless of the severe consequences to others," a mindset alarmingly common among a generation of cybercriminals who see hacking as a route to notoriety and easy wealth.
Jubair’s involvement extended far beyond the TfL incident. US prosecutors have charged him in New Jersey with extorting at least £87 million from 47 American companies between 2022 and 2025, marking him as a serial cyber extortionist. The Scattered Spider network, to which both belonged, is linked to attacks on Jaguar Land Rover (costing £1.9 billion), Marks & Spencer (£300 million), Harrods, and the Co-op (with £206 million in losses). These staggering figures illustrate the group’s ability to target sectors ranging from luxury retail to automotive and food supply, often using a blend of phishing, social engineering, and ransomware deployment. Cryptocurrency was the lifeblood of their operations: court records revealed that $200 million in digital assets had passed through accounts linked to Jubair, while Flowers controlled wallets holding $7.1 million.
Ironically, it was the mundane spending of those crypto gains that led to Jubair’s downfall. The FBI traced a £27 million haul from a ransom payment to a cryptocurrency wallet that Jubair then used to purchase food delivery vouchers. By following the digital breadcrumbs from the takeaway orders to his home address—a flat in a 22-storey tower where he lived with his parents—agents unmasked the then-17-year-old autistic loner. This breakthrough highlights the increasing effectiveness of blockchain analysis in piercing the anonymity once thought impenetrable. Despite misdirection attempts, such as moving $10 million from wallets after Jubair’s release from custody in March 2025, law enforcement’s ability to track the flow of illicit funds proved decisive.
What to Watch
The human dimension of the case is equally striking. Both hackers were socially isolated, with Jubair described as autistic and living with his parents, while Flowers was barely an adult at the time of the offences. Their profiles align with a worrying trend in cybercrime: teenagers with technical aptitude, psychological vulnerabilities, and a disconnect from societal norms who are lured into online criminal ecosystems. Scattered Spider itself is known for aggressively recruiting young, English-speaking talent through online forums, leveraging their ability to convincingly impersonate IT support and manipulate employees into granting access.
For the cybersecurity industry, the TfL attack and the Scattered Spider saga underscore several critical priorities. First, social engineering—not zero-day exploits—remains the primary entry vector for even highly damaging breaches, demanding continuous investment in human-layer defenses and staff training. Second, the case proves that international cooperation, particularly between the UK’s National Crime Agency and the FBI, is essential to dismantle cross-border cyber gangs. Third, the vast sums involved highlight the need for more robust crypto-asset tracing and tighter know-your-customer enforcement at exchanges. Jubair now faces extradition to the US, where the charges are graver and the potential sentences far longer, signaling that no bedroom hacker is beyond the long arm of multinational justice. As the digital and physical worlds converge, the sentencing serves as both a warning and a blueprint for future prosecutions.
Timeline
Timeline
Four-day cyber attack on Transport for London
Jubair and Flowers launch an attack threatening £56 billion in damage; TfL pulls the plug to prevent total shutdown.
Jubair released from custody
After being released in March 2025, $10 million (£7.5 million) is moved from cryptocurrency wallets linked to Jubair.
Sentencing at Woolwich Crown Court
Judge Mark Turner sentences both hackers to 5 years and 6 months in prison; Jubair faces potential extradition to the US.
Sources
Sources
Based on 1 source articleCite This Page
"Scattered Spider teens jailed 5.5 years for £29M TfL attack – extradition looms." Cyber Intelligence Brief, July 17, 2026. https://getcyberbrief.com/story/scattered-spider-teens-jailed-tfl-29m-extradition
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |