The two young men who have admitted hacking Transport for London (TfL) in 2024 were already known to police before the breach, according to investigators — a detail that has sharpened questions about how authorities deal with teenagers heading toward serious cybercrime.
An attack that hit a capital's transport
The intrusion into TfL's computer systems began on August 31, 2024, and continued for several days. Trains kept running, but behind the scenes the disruption was severe: all of TfL's roughly 28,000 staff had to attend in person to reset passwords, the Oyster card refund system and the young person's photocard service were knocked offline, and some customer data — including bank details for around 5,000 people tied to refunds — was accessed, the National Crime Agency said. The fallout lasted months and cost TfL at least £29 million, with some estimates higher.
Who was responsible
On June 22, 2026, two men pleaded guilty at Woolwich Crown Court: Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall — both teenagers at the time of the attack, Computer Weekly reported. The NCA identified both as members of Scattered Spider, a loosely organized, mostly English-speaking online criminal network linked to a string of major breaches since 2022.
Flowers was first arrested days after the attack and released on bail; investigators said examination of his devices pointed to further offending, including against US healthcare companies. Jubair faces separate, sweeping charges in the United States. Both men, according to Computer Weekly, had been "on the radar of law enforcement for some time" before their arrests. Sentencing is scheduled for mid-July.
The warning signs
That the perpetrators were not unknown to investigators highlights a recurring difficulty: agencies often gather intelligence on young people moving through hacking communities well before a major incident, but struggle to intervene early.
Security researchers say notoriety, rather than money alone, motivates many young recruits. Anna Chung of Palo Alto Networks, quoted by IT Pro, said young people "don't usually turn to online mischief out of malice — it's often down to a mixture of boredom, technical skills, and a lack of boundaries." The NCA has previously estimated that a notable share of British children engage in behavior that technically breaches the Computer Misuse Act, a pool from which groups like Scattered Spider recruit.
A wider pattern
The NCA's deputy director for cyber, Paul Foster, called the case the result of a "lengthy, highly complex, and painstaking investigation," adding that the breach "shows it has real-world consequences and impacts hugely on the public." He pointed to a rising threat from young, English-speaking cybercriminals.
The TfL case is not isolated. Over the past few years, teenagers and young adults in Britain, the US and Canada have been implicated in breaches affecting casinos, major retailers and hospitals; in July 2025 the NCA arrested four more suspected Scattered Spider members over attacks on UK retailers, one of them 17. The sharpest question the TfL case poses is less about punishment than prevention: if police can spot young people drifting toward criminal hacking years in advance, what should be done to redirect them? As of now, no dedicated national diversion program for this group has been announced.



