Intel471-Logo-white.png

Scattered Spider duo sentenced to prison over TfL hack

Jul 17, 2026

Thalha Jubair, 20, and Owen Flowers, 18, two lead members of the Scattered Spider intrusion cluster, have been sentenced to five and a half years in prison each after admitting to the 2024 cyberattack on Transport for London (TfL) that they carried out as teenagers. The National Crime Agency (NCA) called it the “UK’s biggest ever cyber crime case”.

The pair pleaded guilty on June 22, 2026 — the first day of what would have been a six‑week trial — to conspiring to commit unauthorized acts against TfL under the Computer Misuse Act (CMA). At sentencing at Woolwich Crown Court on July 16, 2026, the judge reduced the length of their sentences by 15% for the guilty pleas.

The attack on TfL ran between Aug. 31–Sept. 3, 2024, when Flowers was 17 and Jubair was 18. It cost TfL a reported 29 million pounds (about US $38 million) in losses and recovery, forced all of TfL's roughly 27,000 staff to reset passwords in person, and rendered 148 systems inoperable. Public-facing services were also disrupted.

The NCA said the prosecution is only the second of its kind in the UK under Section 3ZA of the CMA — the act's most serious provision, which applies where an unauthorized act causes, or creates a significant risk of, serious damage and the offender intends or is reckless as to that damage. Both defendants argued they were merely reckless. The NCA is nonetheless calling it the largest cyber crime prosecution ever brought before the UK courts, the culmination of nearly two years of work by the NCA, the Crown Prosecution Service and City of London Police, with support from the FBI.

Flowers, who was arrested in September 2024, admitted attempting to hack U.S. health care providers SSM Health Care Corp. and Sutter Health. Investigators say forensic evidence pulled from devices seized at his home — including a screenshot showing connectivity to TfL infrastructure and videos of the intrusion in progress — also exposed Jubair's involvement, with the pair coordinating over Telegram and a shared online workspace. Flowers breached bail twice in 2025 and was re‑arrested for breaching conditions related to his device usage. Jubair was separately charged with failing to disclose the PINs or passwords for devices seized from him.

Jubair faces much greater punishment across the Atlantic. In September 2025, the U.S. District Court for the District of New Jersey charged him with computer fraud, wire fraud and money laundering conspiracies tied to roughly 120 intrusions against 47 U.S. entities between May 2022 and September 2025, with victims paying at least US $115 million in ransoms. Prosecutors allege the targets included a U.S. critical infrastructure operator and the federal court system — where intruders accessed a magistrate judge's inbox and searched for "subpoena" and "scattered spider." Investigators seized about US $36 million in cryptocurrency from a server linked to Jubair, who allegedly moved roughly US $8.4 million out mid‑seizure. He faces decades in prison if convicted, and the prospect of extradition looms over any UK sentence.

The U.S. is pressing the wider group as well. On July 1, 2026, prosecutors announced that alleged Scattered Spider member Peter Stokes — a 19‑year‑old U.S.-Estonian dual national — had been arrested in Finland and extradited to Chicago to face conspiracy, computer intrusion and fraud charges.

Linking multiple underground personas

The New Jersey complaint attributes the handles EarthtoStar, Brad, Austin and @autistic to Jubair, linking him to a series of intrusions dating back to 2022. That timeline aligns with Intel 471's prior reporting on Jubair, whom we have connected to multiple personas and communities across the predominantly English-speaking underground. Our research connected Jubair to multiple groups and communities, some of which included:

  • A former Infinity Recursion member using the Everlynn handle.
  • A former LAPSUS$ member operating under the ASyntax and Amtrak handles.
  • Allegedly was the Doxbin administrator using the Operator persona.
  • One of the administrators of the Star Sanctuary Telegram community using the Earth2Star persona, a close variant of the EarthtoStar handle named in the U.S. complaint, which we assess corresponds to the same individual.

The cross-linking of these monikers across forums and Telegram channels, along with continuous OPSEC mistakes is part of what allowed investigators to stitch the activity back to one person.

Flowers previously was connected to the bo764, Holy and Nazi handles, and, according to cybersecurity reporter Brian Krebs, allegedly was involved in the intrusion and ransomware attacks that impacted MGM Resorts International in September 2023. Multiple leads derived from underground chats revealed entities possibly linked to Flowers, some of which included:

  • Telegram usernames @cupid, @jail, @wish, @holy, @vsphere, @bomb, @halo, @epic, @nazi, @vile, @cute and @vcenter.

Who or what is Scattered Spider?

Answering this first requires clarifying the different attribution methodologies, particularly understanding the nuances and definitions for individual threat actors, a threat group, a campaign and an intrusion cluster.

Over the past four years, Scattered Spider has emerged as one of the most prominent “threat groups” in operation, though its high-profile nature has generated a wave of loose attributions where almost any incident with similar characteristics was automatically credited to the “group”. Originally attributed as an intrusion cluster by CrowdStrike, this methodology prioritizes tracking shared behavioral patterns and overlapping victimology rather than identifying a group’s hierarchy or specific individuals. Depending on each company’s methodology it can also take into account underground insights, information from incident response engagements or other data sources. In general, the main element of attribution for an intrusion cluster is behavior, the so called tactics, techniques and procedures (TTPs).

Different security vendors track overlapping activity under distinct nomenclature:

  • CrowdStrike designates the cluster as Scattered Spider.
  • Microsoft tracks it as Octo Tempest.
  • Google Threat Intelligence Group (GTIG) tracks it as UNC3944.
  • Palo Alto Networks tracks it as Muddled Libra.

Each company has the intellectual property, methodology and telemetry to define what a threat cluster is but most of the time there’s limited information available in open source to clearly identify it. Intel 471 generally focuses on actor-centric tracking, however mapping the overlaps between individual actors and vendor-defined clusters remains a core part of our research. We’ve previously conducted extensive work to clarify the aforementioned “wave of loose attributions” we observed in open source and the structural differences between threat groups such as LAPSUS$, intrusion clusters such as Scattered Spider, campaigns such as Roasting 0ktapus, and more recently nuances between the ShinyHunters actor and the ShinyHunters group/brand. Tracking specific actors within a large online ecosystem such as Com presents significant challenges due to the highly fluid, decentralized nature of communities within it. Individuals frequently drift between various groups, aliases and roles.

Is this the end?

The trajectory of Jubair perfectly illustrates this volatile scenario. Jubair migrated fluidly across the Com online ecosystem, beginning as an Infinity Recursion member before transitioning into a core operator for the LAPSUS$ group, eventually securing an administrator role within the Star Sanctuary community and more recently serving as an administrator for the notorious Doxbin community. This without considering the numerous other groups and private channels the actor navigated.

We consider Jubair and Flowers to have been deeply integrated into these intrusion clusters and to be some of the most impactful actors linked to these clusters. However, given the focus on behaviors in tracking intrusion clusters, two individuals do not represent the totality of Scattered Spider, whose signature TTPs have been adopted by other threat groups and dozens of other individual actors within these communities. In numerous attacks, Scattered Spider established initial access via voice phishing and compromised credentials acquired from underground forums to gain access. Once inside, the cluster reportedly utilized multiple intrusion paths but in various operations adversaries escalated privileges and moved laterally using legitimate tools such as remote monitoring and management (RMM) software. While not limited to this specific set of behavior, hunting for these specific TTPs remains a high-value strategy, regardless of the specific adversary.

Nonetheless, the sentencing exposed a severe and escalating societal challenge in regards to unsupervised youth and unchecked internet. Both Jubair and Flowers were described in court as isolated teenagers who lacked offline social circles, spending their formative years unsupervised in the darkest corners of the web. For vulnerable adolescents, the pursuit of online notoriety and peer validation frequently eclipses financial greed, making them highly susceptible to recruitment. While Jubair’s defense claimed he was a lonely teenager groomed by older, more sophisticated cybercriminals, our own insights into his operations reveal a self-perpetuating cycle: Jubair went on to groom and incentivize other minors to conduct social engineering-based intrusions themselves. This cyclical, predatory dynamic is typical of the behavior frequently observed across the Com online ecosystem.

Without systemic intervention to address this societal and psychological youth crisis, malicious online communities will continue to weaponize isolated children, turning them into offenders before they reach adulthood. Addressing these issues ultimately requires a unified front. As Paul Foster, Deputy Director of the NCA and Head of the National Cyber Crime Unit, highlighted, "parents, carers, educators, technology companies, and law enforcement — the whole of society — we all have a role to play in helping to keep young people safe online."

New restrictions for risky individuals

This case is a rebuttal to the idea that online anonymity is protection. Offenders who assume they are faceless left behind screenshots, videos, chat logs and reused crypto wallets that ultimately tied the activity to their real identities and home addresses.

Their cases also highlighted a legislative gap in the UK in regards to how law enforcement can manage repeat offenders between arrest and prosecution. The country has proposed new Cyber Crime Risk Orders (CCROs) as part of a package of Computer Misuse Act 1990 reforms. Speaking after the sentencing, Commander Ollie Shaw of the City of London Police said CCROs would give police and law enforcement an important additional tool to help prevent harm, disrupt criminal activity and protect the public.

CCROs would allow courts to set restrictions based on the level of risk an individual poses. Those restrictions could include limits on the devices, online services and technologies frequently used to commit cyber crime — in effect, a "digital prison" for offenders. The measures would be overseen by the courts. As Shaw put it, “The aim is not just to punish offenders, but also to help them rebuild their lives and use technology safely and legally.”

This approach recognizes difficulties using existing tools to constrain juvenile and young-adult cyber offenders from reoffending — even while on bail.