Background and Guilty Pleas
Owen Flowers (left) and Thalha Jubair pleaded guilty on the first day of their trial
Two young men convicted of the 2024 cyber-attack that severely disrupted Transport for London (TfL) services had extensive prior histories of cyber-offending and were known to law enforcement agencies for several years, the BBC has learned.
Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, admitted their involvement on Monday.
The breach caused months of disruption to TfL operations, compromised the personal data of millions of individuals, and forced all 28,000 TfL employees to reset their passwords in person.
Authorities had made repeated efforts to prevent Flowers and Jubair from continuing their cyber-criminal activities, raising questions about the effectiveness of such interventions with young offenders in this domain.
Experts have indicated to the BBC that the case exemplifies how cyber-attack perpetrators often lack awareness of the real-world consequences of their actions.
The National Crime Agency (NCA) emphasized that the case underscores the necessity for enhanced powers for its officers.

Cease and Desist Order
During the trial, it was revealed that Flowers and Jubair were members of the cyber-crime group Scattered Spider.
This loosely organized collective of young English-speaking cyber-criminals has been linked to numerous other cyber-attacks, including those targeting retailers Marks and Spencer and the Co-op.
Flowers first came to police attention shortly after turning 16 years old.
In October 2023, he was apprehended for low-level cyber-criminal activity and subsequently visited by officers from the West Midlands Regional Cyber Crime Unit's prevention team.
Police reported that Flowers did not cooperate during the visit and was issued a cease and desist order intended to deter further offending.
Although police had the option to refer him to the national Cyber Choices programme, which aims to divert young people from cyber-crime, Flowers was already under investigation for another offence and was unwilling to engage with officers, leading to a decision that he was unsuitable for the programme.
Within months, while residing with his grandmother, Flowers escalated his cyber-criminal activities as part of Scattered Spider, culminating in the TfL cyber-attack.
NCA deputy director Paul Foster, who leads the National Cyber Crime Unit, stated that the case highlights the challenges posed by a small number of highly skilled offenders.
"They don't seem to understand the consequences and there are real victims here losing their life savings in some cases as well as corporations and their staff that are badly impacted," Foster said.
He advocated for stronger legal measures, such as the proposed Cyber Crime Risk Orders (CCROs), to address such cases.
CCROs, announced by the UK government as part of planned reforms to the Computer Misuse Act, would enable police and courts to impose restrictions on individuals deemed high risk before they commit further serious cyber offences.
"They would enable earlier law enforcement interventions against high-risk cyber-crime offenders," Foster explained.
Arrest and Seizure of Assets
Flowers was arrested on 16 September 2024 in connection with the TfL attack, which began on 31 August.
During the arrest raid, investigators confiscated multiple electronic devices from his bedroom, including laptops, desktop computers, hard drives, and USB storage devices.
Authorities reportedly discovered cryptocurrency assets valued at millions of pounds.
Further investigation by the NCA revealed that computer systems of two US healthcare organizations, SSM Health and Sutter Health, had also been compromised and damaged.
Flowers later pleaded guilty to offences related to these hacks and remains wanted by US authorities.
After being charged, Flowers was released on bail under strict conditions but violated these conditions twice, in March 2025 and May 2025.
Co-Defendant's Background
Jubair, Flowers' co-defendant, had also been known to police for several years.
In 2023, while still a juvenile, Jubair received a Youth Rehabilitation Order for cyber offences connected to the Lapsus$ hacking group, which targeted major companies including Nvidia and BT/EE.
Due to his age at the time, his identity was not publicly disclosed.
Jubair has a total of 22 previous convictions and began offending at age 14.
He is also wanted in the US for cyber-crimes allegedly involving theft and extortion of $87 million (£66.1 million) from victims.
Upcoming Sentencing and Expert Commentary
Flowers and Jubair are scheduled to be sentenced for the TfL hack on 16 July.
An expert witness who previously testified in the Lapsus$ case involving Jubair emphasized the need for stronger deterrents against prolific young cyber criminals.
"You have people who have already been caught and know they are in trouble with the law but carry out more crimes even under surveillance," Prof Peter Sommer said.
"They don't seem to understand the consequences and there are real victims here losing their life savings in some cases as well as corporations and their staff that are badly impacted," he added.
Both Jubair and Flowers have been diagnosed with autism, and the court heard that Jubair suffers from depression and a severe mood disorder.
Additional Information
Two men pleaded guilty over the £39 million TfL cyber-attack.
The 2024 TfL hack affected approximately 10 million people, the BBC has revealed.
Contactless refunds for TfL services have resumed following the cyber-attack.
