Scattered Spider Duo Pleads Guilty in UK Over $115M Ransomware Spree and Transport for London Hack
Thalha Jubair and Owen Flowers pleaded guilty in a UK court to the 2024 Transport for London hack and a $115M ransomware campaign tied to Scattered Spider.
Thalha Jubair and Owen Flowers pleaded guilty on the first day of their UK trial in June 2026 to charges stemming from the August 2024 cyberattack on Transport for London and a ransomware campaign that extracted more than $115 million from victims worldwide. The pleas, entered in a UK court, cap a multi-agency investigation that spanned the Atlantic and zeroed in on one of the most disruptive hacking collectives to target corporate infrastructure in recent years, according to Krebs on Security.
The Attack on Transport for London
The August 2024 TfL breach was ugly. It crippled the capital’s public transit network, disrupting systems that millions of commuters depend on daily, and quickly became one of the most high-profile infrastructure cyberattacks in recent UK memory — not because of the ransom demand alone, but because of the operational chaos it caused across a system that moves roughly a quarter of London’s daily traffic. Internal systems were exposed. TfL’s recovery effort dragged on for weeks and cost the authority heavily. UK prosecutors later laid out charges directly tying Jubair and Flowers to that breach, according to Krebs on Security’s September 2025 report.
The $115M Ransom Operation
The TfL hack was one piece of a much larger operation. The U.S. Department of Justice said victims collectively paid more than $115 million to Jubair and his associates to recover data and prevent its public disclosure, according to a DOJ announcement on September 18, 2025. One report linked Jubair to approximately 120 separate breaches before his UK arrest, according to The Hacker News. Put those numbers side by side — 120 intrusions, nine figures in ransom — and this campaign ranks among the most financially damaging cybercriminal operations ever prosecuted.
Who Are Jubair and Flowers
Both defendants were 18 years old at the time charges were filed. That youth sat in sharp contrast to the sophistication of the attacks attributed to them. UK prosecutors presented the case in court hearings beginning in September 2025, and the pair ultimately pleaded guilty on day one of trial in June 2026 rather than contest the evidence. The speed of the plea speaks for itself — the prosecution’s case was apparently not worth fighting. Neither defendant’s exact role within Scattered Spider has been fully detailed in public court records.
US Parallel Charges
Jubair faces a parallel legal fight in the United States. The DOJ indicted him in September 2025 on fraud and cybercrime charges connected to multiple attacks, including intrusions targeting critical infrastructure, according to the DOJ. That U.S. indictment carries a potential 95-year sentence, The Hacker News reported. The investigation was a joint effort between the UK National Crime Agency and the FBI, with additional agencies contributing — a direct reflection of how cross-border these operations have become and how poorly they fit within any single jurisdiction’s prosecutorial reach.
Scattered Spider: How the Group Operates
Scattered Spider is not a traditional ransomware gang. It runs as a loosely organized collective, and its signature move is social engineering — manipulating employees and IT staff into surrendering credentials rather than exploiting software flaws. The group has been linked to SIM-swapping, phishing campaigns, and ransomware deployment against major corporations across multiple sectors. That flexibility is precisely what has made Scattered Spider hard to dismantle: arresting individual members disrupts specific cells but rarely shuts down the broader network. Its reliance on human manipulation rather than automated exploits also means the playbook travels easily — the same techniques that worked against a London transit authority work just as well against a hospital network in Phoenix.
What Comes Next
With the guilty pleas entered, the case moves toward sentencing. A specific date has not been publicly confirmed. The thornier question is what happens with the U.S. charges against Jubair — the DOJ indictment remains active, and whether UK authorities will extradite him after any domestic sentence is served, or whether the two governments negotiate a parallel resolution, has not been addressed in public filings. The case also feeds a live policy debate over whether businesses should be banned outright from paying ransomware demands, an argument that gained serious traction after the Colonial Pipeline attack and has only grown louder as cumulative ransom totals have climbed past nine figures. The next concrete milestone is the UK sentencing hearing, where the court will set the actual prison terms for Jubair and Flowers.