The Digital Siege: How Two Teenagers Crippled London’s Transport and Rattled Global Cybersecurity

In a landmark moment for international cyber-law enforcement, two young British men stood before a United Kingdom court this week and pleaded guilty to charges stemming from the paralyzing August 2024 cyberattack on Transport for London (TfL). The attack, which caused widespread disruption to the public transport network serving millions in the Greater London area, was not the work of a rogue lone wolf, but a calculated operation by "Scattered Spider"—a prolific, highly sophisticated cybercrime collective that has become the scourge of both corporate boardrooms and government agencies on both sides of the Atlantic.
Thalha Jubair, 20, of East London, and 18-year-old Owen Flowers of Walsall, entered their pleas on the first day of what was scheduled to be a grueling six-week trial. Their admission of guilt marks a significant victory for the UK’s National Crime Agency (NCA) and provides a rare, transparent glimpse into the inner workings of a group that has extracted over $115 million in ransom payments through a trail of digital wreckage spanning years.
The Charges and the Scope of the Crimes
The defendants face grave legal consequences for their actions. Jubair and Flowers pleaded guilty to conspiring to commit unauthorized acts against TfL computer systems and, crucially, for causing a risk of serious damage to human welfare. The latter charge underscores the severity with which the British judiciary views attacks on critical national infrastructure.
For Owen Flowers, the legal jeopardy extends well beyond British soil. Flowers separately admitted to participating in a conspiracy to compromise U.S.-based healthcare providers, specifically the SSM Health Care Corporation and Sutter Health, in September 2024.
Thalha Jubair, meanwhile, is a primary target for U.S. federal prosecutors. An indictment unsealed in New Jersey in September 2025 alleges that Jubair—alongside other Scattered Spider cohorts—orchestrated a campaign of computer fraud, wire fraud, and money laundering. The scope of their alleged activity between May 2022 and September 2025 is staggering: 120 network intrusions across 47 U.S. entities, resulting in tens of millions of dollars in extorted funds.
Chronology of a Cyber-Insurgency
To understand the rise of Jubair and Flowers, one must look at the timeline of their escalation, which evolved from petty digital mischief to the systematic dismantling of major international corporations.
2022: The SMS Phishing Spree
The seeds of their notoriety were sown during the summer of 2022. Prosecutors allege that Jubair was a key architect in a mass SMS phishing campaign—often dubbed "smishing"—that targeted employees at hundreds of companies. By stealing single sign-on (SSO) credentials, the group successfully breached the internal perimeters of over 130 organizations, including industry giants like LastPass, DoorDash, Mailchimp, Plex, and Signal.
2023: The Las Vegas Siege
By 2023, the group’s ambitions shifted toward high-profile ransomware. Sources familiar with the investigation have identified Owen Flowers as the individual who acted as the media mouthpiece for Scattered Spider following the September 2023 ransomware attacks on MGM Resorts and Caesars Entertainment. These attacks, which brought the Las Vegas Strip to a virtual standstill, demonstrated the group’s ability to leverage stolen credentials to exert massive financial and operational pressure on multinational conglomerates.
2024–2025: The British Front and Global Expansion
The pair’s focus eventually turned toward the UK, with ransom attacks against high-street titans such as Marks & Spencer, Harrods, and the Co-op Group. The arrest of Flowers and Jubair in July 2025 by the NCA was the culmination of an intensive intelligence-gathering effort that traced their digital fingerprints across continents.
The "Star Chat" Ecosystem: Mechanics of the Breach
One of the most revealing aspects of the prosecution’s case is the exposure of "Star Chat," a Telegram channel co-run by Jubair. This platform served as the central nervous system for a sophisticated SIM-swapping operation.

SIM-swapping is a technique where attackers manipulate telecommunications employees—often through social engineering or bribery—to redirect a victim’s phone number to a device controlled by the hackers. By intercepting calls and text messages, the group could bypass multi-factor authentication (MFA) protocols, which many companies incorrectly assumed were a silver bullet against intrusion.
"Star Chat" was more than just a chat room; it was a commercialized service. The group sold access to stolen credentials, allowing other threat actors to hijack accounts, intercept one-time codes, and facilitate corporate theft. Prosecutors provided evidence of receipts generated by the group, including one targeting a T-Mobile customer after hackers gained access to internal T-Mobile employee tools.
The "Everlynn" Connection
The depth of Jubair’s technical sophistication was evident even at age 15, when he operated under the handle "Everlynn." During that time, he was known for peddling fraudulent "Emergency Data Requests" (EDRs). By compromising government and law enforcement email accounts, Everlynn would send fake urgent requests to tech companies, claiming they were for life-and-death situations. This bypassed standard legal processes and allowed him to harvest private user data, including IP addresses and account recovery details, which were then used to fuel further hacks.
Supporting Data: The Scattered Spider Ledger
The financial and operational impact of Scattered Spider is difficult to overstate. The group has operated with a level of agility that has confounded traditional security measures.
- Financial Toll: Victims have paid a verified minimum of $115 million in ransom.
- Target Diversity: From healthcare providers and retail chains to critical transportation infrastructure and tech platforms, no sector has been immune.
- The Cryptocurrency Pipeline: In a related case, Tyler "Tylerb" Buchanan, a 24-year-old British national, pleaded guilty to wire fraud in April 2026. Buchanan, working alongside Jubair, utilized credentials harvested from the 2022 phishing spree to drain at least $8 million in cryptocurrency from U.S. victims.
The U.S. Department of Justice continues to pursue other members of the collective, including Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans. These individuals remain under indictment, representing the ongoing global effort to dismantle the Scattered Spider hierarchy.
Official Responses and Judicial Implications
The sentencing of Flowers and Jubair, scheduled for July 15, 2026, in a London court, will serve as a bellwether for how the UK intends to handle cyber-terrorists who target infrastructure.
"The attacks on TfL were not just a disruption of services; they were an assault on the daily lives of the public," noted one cyber-security analyst familiar with the case. "The guilty pleas of these individuals show that even those who hide behind aliases and encrypted messaging apps are eventually susceptible to the reach of law enforcement."
In the United States, the sentencing of Noah Michael Urban—who received a 10-year federal prison term in August 2025—has set a clear precedent. The $13 million in restitution ordered in his case highlights that justice in the cyber realm is increasingly moving toward full financial recovery and long-term incarceration.
Future Implications: A Shift in Defensive Strategy
The saga of Scattered Spider has fundamentally altered the corporate approach to cybersecurity. Organizations have learned that "secure" passwords and standard MFA are insufficient against a group that targets the human element—the employees at wireless providers and internal help desks.
The transition toward hardware-based security keys, stricter identity verification for internal support staff, and more aggressive monitoring of "smishing" campaigns are direct responses to the techniques employed by Jubair, Flowers, and their associates. As the legal walls close in on the remaining members of the Scattered Spider collective, the message from authorities is clear: the digital frontier is no longer a lawless space. The "Star Chat" era of impunity is coming to an end, and those who weaponized the infrastructure of the internet now face the full weight of the laws they sought to circumvent.
