Teens who hacked TfL were known to police years before cyber-attack
Teens Behind TfL Cyber-Attack Had Long History of Offenses
The cyber-attack that paralyzed Transport for London (TfL) in early 2024 was carried out by two young men who had already been flagged by law enforcement for repeated digital crimes. Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, were found guilty during their trial’s opening day, according to the BBC. The breach, which disrupted public transport services for months, compromised the personal data of millions and forced all 28,000 TfL employees to manually reset their passwords. This incident underscores how the actions of a small group of skilled hackers can have far-reaching consequences, prompting calls for stronger legal measures to address cybercrime.
Authorities’ Efforts to Intervene
The BBC has uncovered that both Flowers and Jubair had longstanding ties to cyber-offending, with police monitoring their activities years before the TfL attack. Despite multiple attempts to curb their behavior, these interventions seemed to fall short. Flowers, for instance, was first noticed by authorities shortly after his 16th birthday, when he was apprehended for minor cybercrimes in October 2023. During the encounter, officers from the West Midlands Regional Cyber Crime Unit issued him a cease-and-desist order, aiming to prevent further offenses. They also considered enrolling him in the national Cyber Choices programme, designed to guide young people away from digital crimes, but he was deemed unsuitable due to his reluctance to cooperate.
Meanwhile, Jubair had a documented history of cyber-related charges, including a Youth Rehabilitation Order in 2023 for offenses tied to the Lapsus$ hacking group. At the time, he was still a minor, so his identity couldn’t be publicly disclosed. This group targeted major corporations such as Nvidia and BT/EE, highlighting the scale of the threat posed by young cybercriminals. Jubair’s case is notable for his 22 previous convictions, which began as early as age 14. His involvement in Scattered Spider, a loosely connected gang of English-speaking hackers, further links him to a series of significant cyberattacks, including those on Marks and Spencer and the Co-op.
Scattered Spider: A Network of Young Hackers
Scattered Spider, a collective of young English-speaking cybercriminals, has been implicated in numerous attacks beyond the TfL breach. These include breaches of major retailers, demonstrating the gang’s growing influence and technical prowess. However, the attack on TfL in 2024 marked a pivotal moment in their operations. The incident began on 31 August and continued until 16 September, when Flowers was arrested. During the raid, investigators seized multiple devices from his home, including laptops, desktops, hard drives, and USB sticks. These items were later found to contain cryptocurrency worth millions of pounds, suggesting the extent of their financial gains from the breach.
Further evidence uncovered by the National Crime Agency (NCA) revealed that the hackers had also infiltrated systems of two U.S. healthcare organizations, SSM Health and Sutter Health. The damage to these systems, coupled with the TfL breach, illustrates the global reach of Scattered Spider’s activities. Flowers, who later pleaded guilty to these U.S.-related offenses, remains wanted in the country. The NCA emphasizes that such attacks often involve individuals who underestimate the real-world impact of their actions, a theme that resonates through this case.
Call for Legal Reforms
Paul Foster, deputy director of the NCA’s National Cyber Crime Unit, highlighted the challenges of addressing high-risk cybercriminals with current measures. He argued that the case demonstrates the need for additional legal tools to tackle offenders who are “highly capable” but evade early intervention. The proposed Cyber Crime Risk Orders (CCROs), part of the UK government’s reforms to the Computer Misuse Act, aim to grant police and courts the authority to impose restrictions on individuals deemed a threat before they commit serious breaches. Foster stated that these orders would “enable earlier law enforcement interventions against high-risk cyber-crime offenders,” a crucial step in preventing future attacks.
Flowers, after being charged, was released on bail with strict conditions. However, he breached these twice—in March and May 2025—before facing the full consequences of his actions. Jubair, too, had a history of violating terms, with his case linked to alleged cybercrimes that stole and extorted $87 million from victims. This underscores the persistent challenges in managing young offenders who repeatedly disregard legal safeguards. The case has sparked debate among experts about whether existing programs are sufficient to deter such individuals.
Broader Implications for Cybercrime Prevention
A former expert witness who testified in the Lapsus$ case involving Jubair echoed Foster’s concerns. They noted that the incident highlights the necessity of stronger deterrents for prolific young hackers. “You have people who have already shown a pattern of behavior but still manage to escalate their actions,” the expert explained. This sentiment aligns with the broader issue of how law enforcement agencies can effectively address cybercriminals who operate in the shadows, often unnoticed until their attacks cause significant damage.
The TfL attack serves as a stark reminder of the vulnerabilities in digital infrastructure and the potential for young hackers to exploit them. While the NCA and other agencies have taken steps to monitor and intervene, the case raises questions about the adequacy of current strategies. Flowers and Jubair’s conviction, combined with their prior offenses, suggests a need for more proactive measures, such as increased surveillance or mandatory enrollment in rehabilitation programmes, to address the root causes of cybercrime among youth.
The pair is set to be sentenced on 16 July for their role in the TfL breach. Their sentences will likely reflect the severity of the attack, which disrupted daily commutes for thousands and exposed sensitive data to potential misuse. As the NCA pushes for reforms, the case may serve as a catalyst for stricter regulations and enhanced powers to combat cybercrime at its earliest stages. For now, Flowers and Jubair’s story stands as a cautionary tale about the consequences of unchecked digital offenses and the importance of timely intervention in preventing large-scale cyberattacks.
The incident also underscores the global nature of cybercrime, with hackers operating across borders and targeting both domestic and international organizations. The NCA’s ongoing investigation into Scattered Spider has uncovered evidence of their involvement in multiple breaches, suggesting a coordinated effort to exploit digital weaknesses. As the UK government continues to refine its legal frameworks, the case may influence future policies aimed at preventing similar incidents. However, for now, the focus remains on the consequences of the TfL hack and the individuals responsible for it.
In summary, the conviction of Flowers and Jubair marks a significant moment in the UK’s fight against cybercrime. Their histories of offenses, coupled with the scale of the TfL attack, reveal a pattern of behavior that challenges current intervention methods. Experts and law enforcement officials alike agree that the case highlights the urgent need for stronger legal mechanisms to address high-risk offenders before they cause widespread damage. As the pair prepares for sentencing, their story serves as a powerful reminder of the impact of cybercrime and the importance of proactive measures in safeguarding digital systems.