Two men, named as Owen Flowers and Thalha Jubair, have today appeared before Westminster Magistrate’s Court in connection with a 2024 cyber attack on Transport for London (TfL), after being arrested by the National Crime Agency (NCA) and City of London Police on 16 September 2025.
Flowers, of Walsall in the West Midlands, was arrested and questioned over the cyber attack on TfL in September 2024, but as he was a minor at the time, his identity could not be officially revealed.
The attack on TfL, attributed to the Scattered Spider hacking collective, did not stop core public transit services such as the London Underground from running. However, it did cause significant disruption to some technical services, including third-party application programming interfaces used by the likes of Citymapper, and logins for contactless and Oyster payment accounts.
The incident has cost TfL well over £30m to date, with at least £5m of that total spent on response, investigation and remediation.
Paul Foster, NCA deputy director and head of the National Cyber Crime Unit, described the charges as a key step in a lengthy and complex investigation. “This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure,” he said.
“Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example,” said Foster.
“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice.”
Transparency praised
Foster went on to praise TfL for working transparently with the investigation, and remarked that the arrests demonstrated what law enforcement is able to achieve when victims are empowered to come forward and report incidents.
Hannah von Dadelszen, chief crown prosecutor for the Crown Prosecution Service (CPS), added: “The Crown Prosecution Service has decided to prosecute Thalha Jubair and Owen Flowers with computer misuse and fraud related charges – following a National Crime Agency investigation into a cyber attack on the Transport for London network.
“Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings,” she said. “We have worked closely with the National Crime Agency as they carried out their investigation.”
Flowers, aged 18, is charged with three counts of conspiracy to commit an unauthorised act in relation to a computer causing and/or creating risk of serious damage to human welfare and/or national security under the Computer Misuse Act (CMA) of 1990.
One of these counts relates to the TfL incident, the other two relate to offences against two targets in the US, SSM Health Care Corporation and Sutter Health.
Jubair, aged 19, of Tower Hamlets in London, is also charged with conspiracy to commit an unauthorised act in relation to a computer causing and/or creating risk of serious damage to human welfare and/or national security, but only in relation to the TfL attack.
He faces an additional charge of failure to comply with a Section 49 notice issued under the Regulation of Investigatory Powers Act (RIPA) of 2000, for failing to turn over the PIN or passwords to devices seized from him as part of the investigation.
Scattered Spider connections
The arrests of Flowers and Jubair come two months after four as-yet unnamed people were arrested in connection with the Scattered Spider attacks on UK retailers. As was the case then, the NCA is again somewhat limited in the amount of detail it is able to provide at this stage of the legal process.
However, agency staff did confirm their strong belief that both Flowers and Jubair are involved in the Scattered Spider cyber crime collective, although they urged against speculation on any link to the group’s other activities at this stage.
Computer Weekly understands Flowers and Jubair have been on the radar of law enforcement for some time, and both men have been publicly identified and linked to various other Scattered Spider and Lapsus$ cyber attacks in the past.
