News · News

Scattered Spider Duo Sentenced to 5.5 Years Each in UK Court Over TfL Hack and $115M Ransom Scheme

Thalha Jubair and Owen Flowers sentenced to 5.5 years at Woolwich Crown Court for hacking TfL and roles in Scattered Spider's $115M crypto ransom scheme.

Scattered Spider Duo Sentenced to 5.5 Years Each in UK Court Over TfL Hack and $115M Ransom Scheme

Two British members of the Scattered Spider cybercrime group were sentenced to five and a half years in prison each at Woolwich Crown Court on July 16, 2026, tying a pair of teenagers from East London to a sprawling extortion operation that extracted more than $115 million in ransom payments from dozens of companies across multiple countries.

B
Bitcoin
BTC
View coin →
$64,025.00 0.04%
Market cap · $1.28T

Thalha Jubair, 20, and Owen Flowers, 18, both pleaded guilty to charges connected to the hacking of Transport for London (TfL) and to their roles in Scattered Spider, a loosely organized hacking collective that US prosecutors say extorted dozens of companies through credential theft, social engineering, and data theft-for-ransom. The sentencing closes a chapter on one of the most disruptive cybercrime sagas to cross the Atlantic in recent years, though the full scope of the group’s activity remains under investigation.

The TfL breach is the most visible UK casualty. The attack left 148 systems inoperable and caused approximately £29 million in damages, according to London Centric. TfL — which runs London’s buses, Underground, and overground rail services — was forced to implement emergency measures and restrict access to internal systems while it rebuilt from scratch. The incident exposed sensitive staff data and knocked out operations across one of Europe’s largest public transit networks.

Jubair, described in US court filings as a core member of Scattered Spider, was charged separately by US prosecutors in September 2025. The Justice Department alleges he participated in at least 120 attacks targeting organisations including critical infrastructure providers. US prosecutors linked Jubair and his associates to more than $115 million — roughly £86 million — in ransom payments, with victims paying to recover stolen data and prevent its public release. One example cited in US legal filings involved Jubair while he was still a teenager, a detail that has drawn sharp attention to the unusually young profile of several Scattered Spider members.

Jubair is from Tower Hamlets in East London. He was 19 at the time of his US charging. The dual UK-US prosecution reflects the transatlantic shape of the investigation, which involved joint action by the UK’s National Crime Agency and the FBI. The case also connected to a US court intrusion, tying the London TfL hack to American federal proceedings in ways that have not been fully detailed publicly.

The financial damage is what sets this apart. According to the DOJ press release, the $115 million figure represents collective payments across multiple victims — not a single event. Scattered Spider’s playbook relied heavily on social engineering: impersonating IT staff, manipulating help desks into resetting credentials, then pivoting through cloud environments and internal networks. Once inside, the group exfiltrated data and threatened to publish it unless ransom was paid, almost always demanding cryptocurrency.

The crypto angle matters. Ransom payments in cases like these typically land in BBTC$64,025.000.04% or privacy coins — hard to trace, but not impossible. The DOJ’s willingness to attach a specific dollar figure to the ransoms suggests blockchain analytics firms assisted investigators in following payment flows across wallets and exchanges. Prosecutors could quantify the haul at $115 million, which means a meaningful portion of the laundering trail was reconstructed, even if some funds remain unrecovered.

Flowers, 18, received the same 5.5-year term as Jubair. Identical sentences suggest the judge viewed their roles as comparably serious. The specifics of Flowers’ individual contributions were not fully enumerated in publicly available sentencing details. Both defendants pleaded guilty — which typically earns a reduction under UK sentencing guidelines — meaning the court still considered the underlying conduct severe enough to justify the term handed down.

Scattered Spider has been the subject of one of the most significant cybercrime enforcement pushes of the past two years. The group built its notoriety on high-profile corporate breaches that exploited human trust rather than technical vulnerabilities — no zero-days, just phone calls to the right help desk at the right time. Several members have now been identified and charged in US and UK courts, though prosecutors have acknowledged the network is decentralised and that additional members likely remain at large.

For anyone watching crypto’s relationship with ransomware, this sentencing reinforces a blunt reality. Groups like Scattered Spider depend entirely on the ability to move funds through exchanges and mixing services. The $115 million tied to Jubair and his associates is a fraction of total annual ransom payments, which blockchain analytics firms estimate run into the billions globally. Every conviction that comes with a reconstructed payment trail is a data point for investigators — and a warning to the next group that assumes crypto flows are invisible.

The NCA and FBI have confirmed that investigations into remaining Scattered Spider members are ongoing. US prosecutors have not yet stated whether they will seek Jubair’s extradition after he completes his UK sentence — a process that, if pursued, could extend the legal proceedings well into the 2030s.

Nadia Rahman

Nadia Rahman

Markets Editor · 9 years covering crypto · Author page

Nadia Rahman is CoinScoop's Markets Editor. She covers Bitcoin, macro liquidity and the spot-ETF complex, and previously reported on rates and FX for a global newswire.

Disclosure: This article is independent journalism and is for information only — it is not financial advice. CoinScoop is reader-supported and may earn a commission from some links. Read our disclosure policy →