A London court jailed two members of the Scattered Spider cybercrime collective for five years and six months each on 16 July over a 2024 attack on Transport for London’s network, a case US prosecutors have separately linked to a $115 million crypto ransom scheme.
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, admitted compromising TfL’s systems after the National Crime Agency and City of London Police traced the intrusion to them. The pair pleaded guilty at Woolwich Crown Court on 22 June, the day their trial was due to begin, and returned for sentencing on 16 July.
What the Breach Cost TfL
Jubair and Flowers infiltrated TfL’s network between 31 August and 3 September 2024, forcing all 28,000 employees into an office to reset passwords and leaving TfL with £29 million in loss and recovery costs. The breach reached the Oyster refunds system and shut down the photocard application for children and young people.
Officers first arrested Flowers over the TfL attack on 6 September 2024, then uncovered evidence of intrusions at US healthcare providers SSM Health Care Corporation and Sutter Health. Searching his home, they seized laptops, hard drives and USB sticks, among them an Acer laptop holding a screenshot of network connectivity to TfL infrastructure and videos Flowers had recorded of Jubair moving through the systems during the attack.
Flowers breached strict bail conditions twice, in March and May 2025, before trial. “This has been a lengthy, highly complex and painstaking investigation,” said Paul Foster, head of the NCA’s National Cyber Crime Unit.
The US Case and the Crypto Trail
A complaint unsealed in the District of New Jersey charges Jubair, known online as “EarthtoStar” and “@autistic,” with conspiracies to commit computer fraud, wire fraud and money laundering tied to at least 120 network intrusions and extortion involving 47 US entities. Victims paid at least $115 million in ransom across the scheme, which ran from May 2022 to September 2025. The group gained entry through social engineering, stole and encrypted data, then demanded payment to restore access and prevent leaks.
The complaint places Jubair inside intrusions of a US critical infrastructure company and the US Courts in October 2024 and January 2025. Ransom payments from at least five victims moved to wallets on a server he controlled. Law enforcement seized that server in July 2024 along with roughly $36 million in cryptocurrency, and Jubair moved about $8.4 million from one victim to another wallet during the seizure.
Jubair faces up to 95 years in prison if convicted in the United States, where prosecutors track Scattered Spider under the names Octo Tempest, UNC3944 and 0ktapus. Jubair is not the only alleged member facing US charges, with the Justice Department separately extraditing Peter Stokes from Finland over a related scheme tied to more than 100 intrusions and over $100 million in crypto ransom payments. Crypto hack losses reached $75.9 million in June across 40 incidents, and Chainalysis figures put the median ransom demand at $59,556 in 2025, up from $12,738 a year earlier.







