Two criminals imprisoned over Transport for London cyberattack
Paul Ducklin
07/16/2026
Share this article:
Pleaded guilty, now sentenced
Two more members of the notorious cybercrime gang going by Scattered Spider are now facing the consequences of their actions.
If UK news site The Guardian has it right, however, they’ll almost certainly be out of prison before they’re in their mid-20s, each with more money stashed away in the form of cryptocoins than the vast majority of us will see in our lifetimes.
Earlier this month, we wrote up the case of Peter Stokes, allegedly another Scattered Spider criminal, who was extradited to the US in April 2026 to face serious charges related to cyberextortion – supposedly breaking into a company, stealing nearly 100GB of data, and then demanding payment of $8,000,000 to “make the stolen data go away.”
Stokes, now just 19, is said to have been making money from cybercrime hand-over-fist since he was about 17, allegedly funding his own luxury travel to Paris, Italy, Spain, Germany, New York, Florida, New Mexico, Thailand, and Dubai – almost unimaginable wealth for someone his age.
The criminals in this case are also astonishingly young.
As they start the five-and-a-half year prison sentences handed down to them today, Thalha Jubair is 20 and Owen Flowers just 19.
In fact, the main cyberattack in their case – both waited until their trial was about to start, presumably to see how strong the prosecution’s case looked, and then pleaded guilty – took place nearly two years ago, and seriously affected the operations of Transport for London (TfL), which runs London’s vital and widely-used public transport network.
Not just UK offenses
Flowers, it seems, managed to avoid Stokes’s fate of extradition to the US, despite being wanted for cybercrimes against two American healthcare organizations, by having his US charges processed in the UK as part of this case.
Convicted cybercriminals don’t always get to settle their charges on those terms – hyperactive Canadian ransomware criminal Sebastien Vachon-Desjardins, for example, went to prison for seven years in Canada, was released almost at once so he could be extradited to the US, where he is now serving a 20-year sentence, after which he will be deported back to Canada to finish the leftover part of his 7-stretch.
As for that retirement-level wealth that Jubair and Flowers may already have stashed away for their lives after incarceration, the Guardian notes that:
A previous hearing was told that $10,000,000 was moved from Jubair’s crypto wallets after he was released from custody in March [2025] and $200,000,000-worth of crypto had also moved through accounts belonging to him.
An earlier hearing was also told that Flowers held $7.1m, including crypto, in accounts he controlled, despite having no source of income.
Jubair apparently had 22 previous criminal convictions as a teenager, including “13 counts of fraud, two of unauthorized access to a computer, one of obtaining access to a computer, and one of blackmail. He had also been convicted in a youth court of stalking two young women and hacking into a City of London police server.”
Flowers was also “known to police,” as British English splendidly puts it, and when he turned 16 was apparently offered rehabilitation aimed at steering him away from online crime.
He declined the rehabilitation, which doesn’t seem terribly surprising given that it seems he had accumulated more than $7,000,000 in assets by the time he was charged with the TfL hack just two years later.
What to do?
The TfL hack started with social engineering, not with the latest and greatest technical cyberexploit. Jubair and Flowers managed to persuade helpdesk staff to reset “their” passwords, which in fact belonged to existing TfL users. After this, of course, they could login apparently genuinely as those legitimate users. Remember the golden rule when confronted with requests for “help” or to hand over data: If in doubt, don’t give it out.
Listen to our Exploits versus Entropy podcast for entertainingly good-humored but actionable advice on how to improve your operational resilience without drowning in technology or buying and trying to manage more and more security tools. As co-host David Emerson puts it in the podcast, “The shiny threat always comes in the dull door that you left open.”
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
More About Duck
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Paul Ducklin
07/16/2026
Share this article:
Table of contents:
The world doesn’t need another traditional MSSP or MDR or XDR.
We start with identity and end with transparency — protecting where attacks begin and keeping you informed, with as much visibility as you want. No black boxes, just clear, expert-driven security.
I am interested in SolCyber Foundational Coverage™
I am interested in a Free Demo
14554
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Privacy policy