Home
Blog
Two criminals imprisoned over Transport for London cyberattack

Two criminals imprisoned over Transport for London cyberattack

Paul Ducklin
07/16/2026
Share this article:

Pleaded guilty, now sentenced

Two more members of the notorious cybercrime gang going by Scattered Spider are now facing the consequences of their actions.

If UK news site The Guardian has it right, however, they’ll almost certainly be out of prison before they’re in their mid-20s, each with more money stashed away in the form of cryptocoins than the vast majority of us will see in our lifetimes.

Earlier this month, we wrote up the case of Peter Stokes, allegedly another Scattered Spider criminal, who was extradited to the US in April 2026 to face serious charges related to cyberextortion – supposedly breaking into a company, stealing nearly 100GB of data, and then demanding payment of $8,000,000 to “make the stolen data go away.”

Stokes, now just 19, is said to have been making money from cybercrime hand-over-fist since he was about 17, allegedly funding his own luxury travel to Paris, Italy, Spain, Germany, New York, Florida, New Mexico, Thailand, and Dubai – almost unimaginable wealth for someone his age.

Two criminals imprisoned over Transport for London cyberattack - SolCyber

The criminals in this case are also astonishingly young.

As they start the five-and-a-half year prison sentences handed down to them today, Thalha Jubair is 20 and Owen Flowers just 19.

In fact, the main cyberattack in their case – both waited until their trial was about to start, presumably to see how strong the prosecution’s case looked, and then pleaded guilty – took place nearly two years ago, and seriously affected the operations of Transport for London (TfL), which runs London’s vital and widely-used public transport network.

Not just UK offenses

Flowers, it seems, managed to avoid Stokes’s fate of extradition to the US, despite being wanted for cybercrimes against two American healthcare organizations, by having his US charges processed in the UK as part of this case.

Convicted cybercriminals don’t always get to settle their charges on those terms – hyperactive Canadian ransomware criminal Sebastien Vachon-Desjardins, for example, went to prison for seven years in Canada, was released almost at once so he could be extradited to the US, where he is now serving a 20-year sentence, after which he will be deported back to Canada to finish the leftover part of his 7-stretch.

As for that retirement-level wealth that Jubair and Flowers may already have stashed away for their lives after incarceration, the Guardian notes that:

A previous hearing was told that $10,000,000 was moved from Jubair’s crypto wallets after he was released from custody in March [2025] and $200,000,000-worth of crypto had also moved through accounts belonging to him.

An earlier hearing was also told that Flowers held $7.1m, including crypto, in accounts he controlled, despite having no source of income.

Jubair apparently had 22 previous criminal convictions as a teenager, including “13 counts of fraud, two of unauthorized access to a computer, one of obtaining access to a computer, and one of blackmail. He had also been convicted in a youth court of stalking two young women and hacking into a City of London police server.”

Flowers was also “known to police,” as British English splendidly puts it, and when he turned 16 was apparently offered rehabilitation aimed at steering him away from online crime.

He declined the rehabilitation, which doesn’t seem terribly surprising given that it seems he had accumulated more than $7,000,000 in assets by the time he was charged with the TfL hack just two years later.

What to do?

  • The TfL hack started with social engineering, not with the latest and greatest technical cyberexploit. Jubair and Flowers managed to persuade helpdesk staff to reset “their” passwords, which in fact belonged to existing TfL users. After this, of course, they could login apparently genuinely as those legitimate users. Remember the golden rule when confronted with requests for “help” or to hand over data: If in doubt, don’t give it out.
  • Listen to our Exploits versus Entropy podcast for entertainingly good-humored but actionable advice on how to improve your operational resilience without drowning in technology or buying and trying to manage more and more security tools. As co-host David Emerson puts it in the podcast, “The shiny threat always comes in the dull door that you left open.”

LISTEN NOW: Exploits versus Entropy

Two criminals imprisoned over Transport for London cyberattack - SolCyber

No audio player showing above? Try clicking here to listen in a new browser tab, or read the full transcript instead.



Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!

Two criminals imprisoned over Transport for London cyberattack - SolCyber


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Paul Ducklin
Paul Ducklin
07/16/2026
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

Choose identity-first managed security.

We start with identity and end with transparency — protecting where attacks begin and keeping you informed, with as much visibility as you want. No black boxes, just clear, expert-driven security.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more juggling multiple technologies and contracts.

Follow us!

Subscribe

Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

©
2026
SolCyber. All rights reserved
|
Made with
by
Jason Pittock

I am interested in
SolCyber DPM++

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo

14554