Owen Flowers18, and Thalha ZubairThe 20 were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London.
The attack disabled 148 TfL systems and forced all of the transport authority’s 27,000 staff into an office to reset their passwords in person. Both the NCA and CPS have estimated TfL’s losses and recovery costs at £29 million.
Both pleaded guilty on June 22, 2026, the day their trial was scheduled to begin. The charge was section 3ZA of the Computer Misuse Act 1990, the most serious of the Act, and he pleaded guilty to it on the basis that he was reckless as to whether he posed a significant risk of causing serious harm to human welfare.
The CPS says Flowers and Zubair are believed to be the first hackers to be successfully prosecuted under section 3ZA. The NCA considers this case to be only the second prosecution of its kind. The two readings may sit side by side, one counting prosecutions brought under the section and the other counting those that ended in conviction, but neither agency explains the difference.
The NCA described it as the largest cyber crime prosecution seen in UK courts.
The infiltration lasted from 31 August to 3 September 2024. TfL oversees an average of 9 million journeys a day. Dial-a-Ride, the booking service that shuttled vulnerable Londoners around the city, closed down, along with digital payment channels and the issuance of concessional travel cards.
Applications for the Oyster Photocard, London’s concessional fare card for children and young people, have closed. Expansion of contactless ticketing slipped and refunds delayed.
TfL told customers that the names and email addresses, as well as the home address where he kept them, had been obtained. Oyster refund data may also have been gone, including bank account numbers and sort codes of about 5,000 people.
CPS says only the two of them knew what they meant with the access, though their chats suggest they would erase the access as soon as they left. This is where the biggest numbers come from: the NCA says a successful shutdown of the network could cost the UK economy up to £56 billion, and the CPS puts the same hypothetical estimate in the billions. The CPS says this remained imaginary, as TfL had closed its network to stop them.
Flowers was arrested at home on September 6, 2024, three days after the TfL intrusion ended, and the NCA says officers found him in the midst of attacks on two US healthcare organizations, SSM Health Care Corporation and Sutter Health.
Investigators seized laptops, tower computers, hard drives and USB sticks. A laptop contained a screenshot of network connectivity to TfL infrastructure, as well as video that Flowers had recorded of Zubair walking through the TfL system during the attack. The pair were messaging on Telegram and sharing an online workspace when the incident occurred.
Prosecutors proved that Flowers was connected to the remote servers used to launch all three intrusions, and that his own devices linked him to all three. Information linking Zubair to TFL was exposed abroad, which was obtained with the help of prosecutors there.
Flowers pleaded guilty to two more charges over the health care attacks, a conspiracy against SSM Health and an attempt against Sutter Health. CPS says he threatened to shut off those systems, admitting in the chat that it “could have resulted in the death of a nearly 90-year-old man who was on life support.” Only arrest stopped him.
The NCA has described both men as key members of the Scattered Spiders, an extortion crew that has also been tracked down as Octo Tempest, UNC3944 and 0ktapus. The CPS is more cautious, saying the defendants have at various points claimed to be members of a group that prosecutors believe has carried out hundreds of attacks between 2022 and 2025.
The FBI, cited in the NCA announcement, links the group to data extortion, SIM swapping and social engineering.
Zubair’s second case is still open
A complaint filed in New Jersey in September 2025 accuses Zubair of computer fraud, wire fraud and money laundering conspiracies. The complaint implicates approximately 120 network intrusions and at least 47 US victims under the scheme between May 2022 and September 2025, with more than $115 million in ransom payments.
Prosecutors also accused him of infiltrating a U.S. critical infrastructure company and U.S. courts, and alleged that he withdrew approximately $8.4 million in cryptocurrency from a server wallet while agents were seizing it. Those are allegations that have not been tested in court. The maximum in all cases is 95 years. Neither the DOJ’s announcement nor Thursday’s UK release of the extradition address.
Is the Scattered Spider gone?
The NCA says its action against the two men effectively stopped the group, and cites Microsoft’s assessment that the arrests have substantially reduced the group’s operational capacity. Additionally, it allows that other criminals can continue to use the brand.
Scattered Spiders isn’t the only brand that’s surviving. In January, Mandiant tracked the expansion of a ShinyHunters-branded extortion running the same kind of social engineering: phishing calls to employees, victim-branded credential harvesting pages to capture SSO logins and MFA codes, then enrolling the attacker’s own device for MFA.
Neither the NCA nor the CPS written release explained how Flowers and Zubair came to TfL in the first place. Google’s strict guidance from the same research puts the fix in one place: Verify identity upon password reset, device enrollment, and MFA changes, all in manual workflows these employees call up and talk their way out of.
Paul Foster, who heads the NCA’s national cyber crime unit, wants one thing for everyone else: call law enforcement quickly. He says that if TfL had not existed these punishments probably would not have happened.
The City of London Police used the sentence to assert power it did not have. Cyber crime risk orders will allow the court to restrict a person’s devices, online services and technologies in proportion to their risk.
Commander Ollie Shaw introduces them as a “digital prison” for criminals. So the toolkit is what it was: a prison sentence, this time handed down to two people who were 17 and 18 when they did this.