Two British hackers have been sentenced to five and a half years in prison each for carrying out a major cyberattack on London’s public transport network in 2024. The attack disrupted Transport for London (TfL) services and resulted in recovery costs of approximately ยฃ29 million ($39.16 million).
The case has drawn significant attention because of the scale of the cyberattack and the extensive damage caused to one of the United Kingdom’s largest public transport systems.
Hackers Admitted Targeting Transport for London
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to hacking Transport for London during a cyberattack carried out between August 31 and September 3, 2024.
According to court proceedings, the pair worked for up to 16 hours a day while carrying out the operation. Jubair conducted the attack from his parents’ apartment in east London. Meanwhile, Flowers operated from his grandmother’s home in central England.
Investigators revealed that Jubair livestreamed the hacking operation while Flowers watched the broadcast. The recorded video, later recovered from Flowers’ laptop, became an important piece of evidence during the investigation.
Cyberattack Could Have Caused Greater Damage
Prosecutors told the court that the hackers had the capability to completely shut down Transport for London.
However, authorities managed to stop the attack after disconnecting the organization’s computer systems. Even so, restoring the damaged systems took approximately six months.
The lengthy recovery process highlighted the serious impact cyberattacks can have on critical public infrastructure.
Additional Cybercrime Charges
Court proceedings also revealed that Flowers admitted conspiring with others to target two non-profit healthcare systems in the United States only days after the London transport attack.
According to prosecutors, those attacks ended only because authorities arrested him while the criminal activity was still underway.
Investigators further stated that Flowers continued attempting cyber intrusions even after his arrest. Devices recovered during the investigation reportedly contained search terms and attempted access to domains linked to the Crown Prosecution Service and the prison where he was being held.
Judge Highlights Motive Behind the Attack
While sentencing both defendants to five and a half years in prison, Judge Mark Turner said he accepted they were “primarily motivated by selfish bravado”.
The court noted that despite their young age, both individuals possessed advanced technical abilities that enabled them to launch sophisticated cyberattacks.
Links to ‘Scattered Spider’ Examined
British authorities had previously linked the Transport for London cyberattack to the hacking collective known as “Scattered Spider”.
During the proceedings, prosecutors explained that the term was originally coined by a cybersecurity company. They added that it represents a pattern of hacking behavior rather than a formally structured organization.
Although Jubair and Flowers acknowledged having links with the group, prosecutors focused on their direct involvement in the attack.
Previous Convictions Revealed
The court also heard details of Jubair’s previous criminal record. He was convicted in 2023 for hacking and blackmailing chipmaker Nvidia as part of the Lapsus$ hacking group.
In addition, he received a sentence for stalking two young women. One incident involved “swatting”, where he allegedly attempted to send armed police officers to one victim’s home.
Case Highlights Growing Cybersecurity Threat
The case demonstrates the growing risks posed by highly skilled cybercriminals targeting essential public services. It also highlights the financial and operational consequences such attacks can create for critical infrastructure.
With cyber threats becoming increasingly sophisticated, authorities continue to emphasize the importance of stronger digital security measures and swift law enforcement action against cybercrime.
