Summary
- Investigators said the pair spent long hours carrying out the attack, with Jubair working from his parents’ home in east London while Flowers operated from his grandmother’s house in central England.
- Prosecutors said those attacks took place only days after the London transport breach and were interrupted because Flowers was arrested while they were still underway.
- Although Jubair and Flowers were only 18 and 17 years old when the attack took place, prosecutors said they already possessed advanced hacking skills and had demonstrated the ability to cause serious disruption through cybercrime.
Two British hackers have been sentenced to five and a half years in prison each for carrying out a major cyberattack on Transport for London that caused widespread disruption and resulted in recovery costs of around £29 million. The attack targeted the capital’s public transport network in 2024 and authorities said it could have caused even greater damage if it had not been stopped in time.
Thalha Jubair, 20, and Owen Flowers, 18, admitted last month that they illegally accessed Transport for London computer systems between August 31 and September 3, 2024. Investigators said the pair spent long hours carrying out the attack, with Jubair working from his parents’ home in east London while Flowers operated from his grandmother’s house in central England.
Prosecutors told the court that Jubair even livestreamed the hacking operation while Flowers watched the broadcast. The recording, later recovered from Flowers’ laptop, became an important piece of evidence during the investigation. Authorities said the pair remained active for as many as 16 hours a day while attempting to gain control of Transport for London’s systems.
According to the prosecution, the hackers had the capability to completely disable the transport network. Officials managed to prevent further damage only after Transport for London shut down affected computer systems to block their access. Although the attack was contained, it took approximately six months for engineers and cybersecurity teams to fully restore the network.
The investigation also uncovered Flowers’ involvement in separate cyberattacks targeting two nonprofit healthcare organisations in the United States. Prosecutors said those attacks took place only days after the London transport breach and were interrupted because Flowers was arrested while they were still underway.
Authorities further revealed that Flowers continued attempting to carry out cyber activities even after being taken into custody. Investigators found evidence that he searched for information related to the Crown Prosecution Service and the prison where he was being held. They also discovered attempts to access internet domains connected to those organisations, raising concerns that he was trying to continue hacking from prison.
Judge Mark Turner sentenced both men to five and a half years in prison, describing their actions as being driven mainly by reckless behaviour and a desire to show off their technical abilities rather than any political or ideological motive.
The cyberattack was previously linked by British authorities to individuals associated with the hacking community known as Scattered Spider. Cybersecurity experts have connected the same network to several other high profile attacks, including a major breach involving retailer Marks and Spencer. During the trial, prosecutors explained that Scattered Spider is not considered a formal organisation but rather a label used by cybersecurity researchers to describe hackers who use similar methods and tactics. Both defendants admitted having connections with people linked to that community.
Although Jubair and Flowers were only 18 and 17 years old when the attack took place, prosecutors said they already possessed advanced hacking skills and had demonstrated the ability to cause serious disruption through cybercrime.
Jubair had previously been convicted in 2023 for his role in hacking technology company Nvidia as part of the Lapsus$ hacking group. He was also sentenced in an unrelated case involving the stalking of two young women, including an incident in which he falsely reported an emergency in an attempt to send armed police officers to one victim’s home.
The case highlights the growing threat posed by highly skilled young cybercriminals and the increasing challenge facing governments and businesses as they work to protect critical infrastructure from sophisticated digital attacks. Authorities say the investigation also serves as a warning that cybercrime can have serious financial and public safety consequences, leading to lengthy prison sentences for those involved.
We welcome your contributions! Submit your blogs, opinion pieces, press releases, news story pitches, and news features to opinion@minutemirror.com.pk and minutemirrormail@gmail.com

