Teenagers behind massive TfL hack ‘posed £56,000,000,000 threat to UK economy’

Teenagers behind massive TfL hack 'posed £56,000,000,000 threat to UK economy'
Thalha Jubair, now 20, and Owen Flowers, 18, carried out the ‘extremely serious hack’ on TfL’s online network between August 31 and September 3, 2024 (Picture: PA)

Two teenage hackers could have ‘shut down Transport for London (TfL) completely’ in a cyber attack that cost the network £29 million.

Thalha Jubair, now 20, and Owen Flowers, 18, carried out the ‘extremely serious hack’ on TfL’s online network between August 31 and September 3, 2024.

The pair – tied to a group known as Scattered Spider – worked through the night for 16 hours to access the network after tricking the helpdesk into resetting a password for them.

They then began ‘using TfL’s own systems to hack itself’ as they continued to infiltrate deeper and deeper – eventually obtaining the ‘highest privileged access’, known as ‘the keys to the kingdom’.

Mark Fenhalls KC, prosecuting, told Woolwich Crown Court this gave them ‘total control over the network’ and would have enabled them to place ransomware throughout the entire system.

Sign up for all of the latest stories

Start your day informed with Metro’s News Updates newsletter or get Breaking News alerts the moment it happens.

Had they encrypted or destroyed the central TfL system there could have been a ‘potential consequential loss of £56 billion to the UK economy’, he added.

A TfL victim impact statement read out in court said: ‘It is possible that access could have been sufficient to enable the actor to cause catastrophic damage to many technology systems, which would have led to significant and extended transport service degradation and disruption.

‘Such widespread disruption would have had a serious impact on the travelling public, including for those accessing education, healthcare and other essential services, and London’s economy.’

TfL feared the hack could be catastrophic and ‘pulled the plug’ on their whole system.

It resulted in every single one of its more than 27,000 employees having to come into the office to reset their passwords.

Jubair and Flowers both admitted conspiracy to commit unauthorised acts in relation to a computer causing or creating risk of serious damage.

Flowers also admitted two counts of conspiracy to commit unauthorised acts in relation to a computer with intent to impair, in relation to the healthcare systems.
They will be sentenced on Thursday.

Undated handout file photo originally issued on 22/06/26 by National Crime Agency of Thalha Jubair , one of two young members of a criminal hacking group who carried out a cyber attack on Transport for London (TfL) that cost the organisation millions of pounds that are facing jail. Jubair, 20, and Owen Flowers, 18, hacked TfL's online network, resulting in a ?39 million loss, prosecutors previously said. Issue date: Wednesday July 15, 2026. PA Photo. Photo credit should read: NCA/PA Wire NOTE TO EDITORS: This handout photo may only be used for editorial reporting purposes for the contemporaneous illustration of events, things or the people in the image or facts mentioned in the caption. Reuse of the picture may require further permission from the copyright holder.
Thalha Jubair , one of two young members of a criminal hacking group who carried out a cyber attack on Transport for London (TfL) (Picture: NCA/PA)
Undated handout file photo originally issued on 22/06/26 by National Crime Agency of Owen Flowers, one of two young members of a criminal hacking group who carried out a cyber attack on Transport for London (TfL) that cost the organisation millions of pounds that are facing jail. Thalha Jubair, 20, and Flowers, 18, hacked TfL's online network, resulting in a ?39 million loss, prosecutors previously said. Issue date: Wednesday July 15, 2026. PA Photo. Photo credit should read: NCA/PA Wire NOTE TO EDITORS: This handout photo may only be used for editorial reporting purposes for the contemporaneous illustration of events, things or the people in the image or facts mentioned in the caption. Reuse of the picture may require further permission from the copyright holder.
Owen Flowers was also linked to a group known as Scattered Spider (Picture: NCA/PA)

Mr Fenhalls said: ‘These two young men are highly skilled with computers and capable of wreaking havoc and you may think wholly indifferent to the consequences for the public and the potential suffering and costs to others.’

Flowers livestreamed Jubair as he conducted the hack, and some of the videos were recovered when he was arrested three days later on September 6.

The pair were in constant contact during the attack and spoke about ‘nuking access’ to the servers on their way out.

Mr Fenhalls said: ‘They were utterly reckless about the consequences of hacking TfL, the transport network and the communications for the country.
‘It only came to an end because TfL threw them out rather than they chose to stop.’

Together they used remote servers to conceal the origin of the attack, created virtual machines within the TfL system to destroy evidence of the attack, downloaded millions of lines of data from their systems, and created multiple back doors within TfL’s system, the court heard.

The prosecution underlined a potential loss of billions to the UK if the hackers had locked or destroyed the central TfL system.

‘This is hacking of the most serious sort with the ability to do remarkable levels of damage,’ said Mr Fenhalls.

Defending Jubair, Paul Keleher KC compared his client to a ‘modern day Oliver Twist’ who had been groomed from a young age to use his skills for hacking.

He said: ‘They recruited young children to use their nimble fingers and nimble feet to steal from people.’

Mr Justice Turner said: ‘There’s no Fagin in this case, it’s a Faginless crime.’

The judge added: ‘He has an audience but he doesn’t have a puppet master, he’s promoted himself to an instigator and perpetrator.’

Jubair was sentenced last year for 22 offences including hacks on individuals, telecoms businesses and the City of London Police system.

On behalf of Flowers, who was 17 when he conducted the hack, Adam Davis KC described his client as an ‘immature child trying to show off online’.

When Flowers was arrested in September 2024, his laptop was found in the process of hacking two US healthcare systems.

Those hacks were only stopped because of the ‘fortuitous timing’ of his arrest, the court heard.

The defendants were both placed on remand just over a year after the hack took place in September 2025.

Flowers managed to purchase ‘unlawful phones’ in prison and search for logins to the Ministry of Justice, HMP Wandsworth staff, and the CPS, the court heard.

Mr Fenhalls said: ‘Whilst in prison Flowers has used online tools used for purchase of breached credentials. It also indicates attempts to access multiple government domains.’

Both men admitted conspiracy to commit unauthorised acts in relation to a computer causing or creating risk of serious damage.

Flowers also admitted two counts of conspiracy to commit unauthorised acts in relation to a computer with intent to impair, in relation to the healthcare systems.

Get in touch with our news team by emailing us at webnews@metro.co.uk.

For more stories like this, check our news page.

(Visited 2 times, 2 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *