Two unidentifiable hooded figures at desks in separate bedrooms
Prosecutors say the pair extracted data belonging to millions of Oyster card holders. (AI-generated image) IBTimes UK

Two teenagers who discussed nuking their access to Transport for London's systems during a cyberattack that cost the network £29M were each jailed for five and a half years at Woolwich Crown Court on Thursday. Owen Flowers, 18, and Thalha Jubair, 19, extracted data belonging to millions of Oyster card holders and left more than 140 systems inoperable, in an attack prosecutors said risked billions of pounds of damage to the wider economy.

The pair conspired between 31 August and 3 September 2024, both claiming at various points to belong to Scattered Spider, a group believed responsible for hundreds of attacks between 2022 and 2025. Both admitted a single charge under Section 3ZA of the Computer Misuse Act 1990, accepting they were reckless as to whether they caused, or created a significant risk of, serious damage to human welfare.

The phrase that gives the case its edge came from their own messages. Prosecutors told the court it was suggested in chats between the two that they would 'nuke access', though the Crown Prosecution Service was careful to note that only they knew their ultimate aim. This was talk between them rather than any demand made to the transport authority, but Lionel Idan, the chief crown prosecutor who oversaw the case, described the exchanges as threats to kill access to the network.

How a £29M Attack Was Stopped

The countermove was drastic. Faced with intruders inside its systems, the transport authority pulled the plug on its own network, cutting services to protect the rest, a decision Idan credits with preventing catastrophe on a network carrying an average of nine million journeys a day. Remediation cost £29M, and 27,000 staff were called in to reset passwords face to face.

Footage of the arrests spread quickly once the sentences were passed, including the clip below.

One detail in that post needs correcting: Jubair is 19, not 20, according to the prosecutors who charged him. The wider claim that the pair cost millions is right, and the precise figure is £29M in remediation alone.

Flowers went further than TfL. On 6 September 2024, he launched attacks on two American healthcare providers, SSM Health and Sutter Health, threatening to lock their systems down while acknowledging in chats with others that it 'might kill some 90-year-old on life support.' He was caught before he could execute it and admitted to two further counts of conspiring and attempting to impair computer systems.

Why This Case Is a Legal First

The evidence trail was ordinary detective work applied to extraordinary tools. Investigators tied Flowers to a remote server used to launch all three attacks, while Telegram messages joking about the consequences proved both men's involvement. Jubair proved harder: the material linking him to the TfL breach sat overseas, and prosecutors worked with counterparts abroad to obtain it and attribute the attack to him.

Flowers and Jubair are believed to be the first hackers successfully prosecuted under Section 3ZA, a provision covering attacks that risk serious damage to human welfare or national security. That matters beyond this case, because it establishes that intrusions into critical infrastructure can be charged on the harm they risk rather than the money they make.

For the millions who tap in and out every morning, the residue is data. Oyster records were extracted, the network spent £29M putting itself back together, and two young men will spend years in prison for messages they typed as jokes. Idan's warning was aimed at whoever reads the case as inspiration: prosecutors, he said, stand ready to work with police and international partners against anyone targeting key infrastructure.