You probably remember the chaos when London's transport network suddenly stopped working properly. No live tube arrivals on the TfL Go app. No online Oyster card renewals. Young people blocked from getting their discounted travel passes. For months, Transport for London felt like it was running on duct tape and prayer.
We just learned who was actually behind it.
Thalha Jubair, 20, and Owen Flowers, 18, just pleaded guilty at Woolwich Crown Court. They admitted to orchestrating the devastating late 2024 hack that cost TfL £39 million. They changed their pleas on the very first day of what was supposed to be a six-week trial.
Everyone assumes massive infrastructure hacks come from state-backed military rooms in eastern Europe. This one didn't. It came from a couple of teenagers chatting on Telegram. One lived in Bow, east London. The other lived in Walsall, West Midlands.
Understanding how two British teens brought down a network handling five million journeys a day reveals why modern security is so broken.
The Scattered Spider Reality
Jubair and Flowers aren't lone geniuses. They are part of Scattered Spider, a notorious, English-speaking hacking collective. You might know them from high-profile corporate hits on companies like Jaguar Land Rover and Marks & Spencer.
The National Crime Agency found a goldmine of evidence when they raided Flowers' West Midlands home. They pulled laptops, hard drives, and USB sticks straight from his bedroom. One laptop had a screenshot showing direct network connectivity right into TfL's core systems. Even worse, Flowers filmed videos of Jubair actively working inside TfL's network during the attack.
They used standard collaborative tools and Telegram to coordinate the breach between August 29 and September 6, 2024.
The public numbers are staggering.
- 10 million customers had their personal data stolen.
- 28,000 TfL employees had to physically show up for manual identity checks and password resets.
- £39 million was lost to recovery costs and system damage.
This wasn't just a digital nuisance. Prosecutors explicitly stated the hack caused a direct loss of livelihood for people dependent on TfL licensing systems. The economic ripple effect across London was immediate.
What Kept the Network Dark for Months
If you tried to get an Oyster refund back then, you know it took forever. The hackers didn't just look at data; they climbed straight into the back-end infrastructure. They hit the specific system used to process passenger refunds.
That forced TfL to pull the plug on automated systems to stop bank details from leaking further.
Hackers enter network -> Access refund database -> TfL cuts remote access -> Total system freeze
That single defensive move caused a massive administrative backlog. Thousands of ordinary commuters were left out of pocket. Children couldn't apply for photocard passes.
The real problem with modern critical infrastructure is that we've connected everything to the same digital spine. When the app breaks, the back office breaks. When the back office breaks, the financial systems stall.
The Global Scale of Teen Cybercrime
Don't let the tracksuit bottoms and sweaters fool you. These guys were operating at a massive global scale.
While Owen Flowers was out on bail for the TfL attack, he allegedly kept right on going. He admitted to targeting US healthcare giants, specifically trying to breach Sutter Health and SSM Health Care Corporation.
His partner, Jubair, faces an entirely separate mountain of trouble. The US Department of Justice links him to a string of cyber incidents targeting 47 American organizations. Total ransom demands in those cases? Over $100 million.
The head of the NCA's national cyber crime unit, Paul Foster, made it clear that the profile of these offenders represents a massive shift. We aren't fighting faceless, distant threats across geopolitical borders anymore. The biggest threat to our infrastructure might live down the street, speak perfect English, and understand local corporate psychology better than any foreign actor ever could.
The Security Playbook Has to Change
If you run an organization with digital assets, the TfL disaster offers some brutal lessons. You can't rely on traditional perimeter security.
First, get your internal monitoring sorted. The NCA found videos of the hackers working inside the network before the real damage hit. If you aren't tracking anomalous behavior inside your systems, you're blind.
Second, separate your systems. A breach in a customer-facing app shouldn't paralyze your internal billing or employee credentials. Network segmentation isn't optional anymore; it's basic survival.
Jubair and Flowers are currently remanded in custody. Their two-day sentencing hearing starts on July 15. While they wait for their prison sentences, the rest of the infrastructure world needs to figure out how to stop the next pair of teenagers with a Telegram account.