Cyber-Crime Shock: Teens Linked to Major TfL Hack Known to Police for Years

Alex Turner, Technology Editor

In a startling revelation, two young men have been convicted for their roles in a cyber-attack that severely disrupted Transport for London (TfL) services in 2024. Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, both had extensive histories of cyber offences and were already on the radar of law enforcement before the attack occurred. Their guilty pleas on Monday underscore both the escalating threat of cyber-crime and the challenges authorities face in preventing young offenders from reoffending.

Long Histories of Cyber Offending

The case of Flowers and Jubair has raised significant questions about the effectiveness of interventions aimed at young cyber-criminals. Both were known to police long before the TfL breach, which not only crippled public transport but also compromised the personal data of millions. With all 28,000 TfL employees forced to reset their passwords in person, the ramifications of their actions were extensive.

Flowers first caught the attention of police shortly after turning 16 in October 2023 when he was apprehended for low-level cyber activities. Despite being issued a cease and desist order, he failed to engage with officers, and subsequent opportunities for intervention went unrealised. Just months later, he became involved with the Scattered Spider cyber-crime group, escalating his activities to include the TfL attack.

The Role of Scattered Spider

Both offenders were part of a loosely connected group known as Scattered Spider, implicated in numerous cyber incursions against various institutions, including high-profile retailers like Marks and Spencer and Co-op. This collective has been gaining notoriety for its brazen operations and technical prowess, raising alarms about the future of cyber-security.

NCA deputy director Paul Foster, who heads the National Cyber Crime Unit, emphasised the urgent need for stronger legal measures to tackle such offenders. He advocated for Cyber Crime Risk Orders (CCROs), a proposed reform that would empower authorities to impose restrictions on individuals deemed high-risk, enabling proactive interventions before further crimes are committed.

A Troubling Pattern of Offending

Flowers’ arrest on 16 September 2024 followed a thorough investigation triggered by the TfL attack, which commenced on 31 August. The authorities seized an impressive array of digital devices from his home, revealing cryptocurrency holdings valued in the millions. Investigators also discovered links to compromised systems of two US healthcare organisations, SSM Health and Sutter Health, further complicating the picture. Flowers is still wanted in the US for his alleged involvement in these breaches.

Jubair, too, has a long history of cyber-related offences, having received a Youth Rehabilitation Order in 2023 for crimes associated with the notorious Lapsus$ hacking group. His record includes 22 previous convictions, and he began his illegal activities at just 14 years old. Jubair is currently wanted in the US for crimes that reportedly netted around $87 million (£66.1 million) from unsuspecting victims.

The Human Factor

Both Flowers and Jubair have been diagnosed with autism, and the court was informed that Jubair suffers from depression and severe mood disorders. This raises important discussions about the intersection of mental health and cyber-crime, particularly among young offenders. Experts, including Prof Peter Sommer, have pointed out the need for more robust deterrents, arguing that these individuals often fail to grasp the real-world implications of their actions, resulting in significant harm to victims.

Why it Matters

The convictions of Flowers and Jubair serve as a stark reminder of the growing threat posed by young cyber-criminals and the limitations of current interventions. As cyber-attacks become increasingly sophisticated, it is essential for authorities to reassess their strategies and implement stronger measures to deter future offences. The consequences of cyber-crime ripple far beyond the immediate damage, impacting the lives of countless individuals and organisations. As we navigate this complex landscape, it is imperative that society prioritises education, prevention, and effective legal frameworks to combat this evolving threat.

Alex Turner has covered the technology industry for over a decade, specializing in artificial intelligence, cybersecurity, and Big Tech regulation. A former software engineer turned journalist, he brings technical depth to his reporting and has broken major stories on data privacy and platform accountability. His work has been cited by parliamentary committees and featured in documentaries on digital rights.

© 2026 The Update Desk. All rights reserved.