Skip to content

Teens who hacked TfL were known to police years before cyber-attack

Joe TidyCyber correspondent, BBC World Service
News imageNational Crime Agency A side-by-side composite of two young men: Owen Flowers on the left has dark curly hair, large aviator-style glasses, and a light moustache, looking slightly upwards in a grey top; the one on the right has straight dark hair swept across his forehead, light facial hair, and looks directly forward in a black hooded jacket.National Crime Agency
Owen Flowers (left) and Thalha Jubair pleaded guilty on the first day of their trial

Two young men convicted over the cyber-attack that crippled Transport for London (TfL) in 2024 had long histories of cyber-offending and were both known to law enforcement bodies, the BBC has learnt.

Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty on Monday to carrying out the attack.

The breach disrupted TfL services for months, affected the personal data of millions of people and left all 28,000 TfL employees needing to reset their passwords in person.

The BBC has discovered the authorities made frequent attempts to curb Flowers and Jubair's offending - raising questions over the effectiveness of such interventions with young cyber-criminals.

Experts have told the BBC the case also indicates that perpetrators of cyber-attacks often do not appear to understand the real world consequences of their actions.

The National Crime Agency (NCA) says it highlights the need for its officers to be given additional powers.

Cease and desist order

Flowers and Jubair's trial heard they were part of the cyber-crime collective, Scattered Spider.

The loosely organised gang of young English-speaking cyber-criminals has been linked to dozens of other cyber-attacks including on retailers Marks and Spencer and the Co-op.

But the BBC has learned Flowers initially came to the attention of police shortly after he turned 16 years old.

In October 2023 he was caught carrying out low-level cyber-crime and visited by West Midland's Regional Cyber Crime Unit prevent officers.

Police say that during the visit Flowers did not engage with officers and was given a cease and desist order to deter him from further offending.

Police had the option to invite him to enrol in the national Cyber Choices programme, which works to steer young people away from cyber-crime.

However Flowers was already being investigated for an offence and was reluctant to engage with officers, so they deemed him not suitable.

Just months later, the teenager - who was living with his grandmother - went on to commit a series of increasingly serious cyber-offences with Scattered Spider which culminated in the TfL attack.

NCA deputy director Paul Foster, head of its National Cyber Crime Unit, said the case highlighted the challenges posed by a small number of highly capable offenders.

He called for stronger legal powers - such as the proposed Cyber Crime Risk Orders (CCROs) - to deal with cases like this.

CCROs, announced by the UK government as part of planned reforms to the Computer Misuse Act, are designed to let police and courts place restrictions on people considered high risk before they carry out further serious breaches.

They would "enable earlier law enforcement interventions against high-risk cyber-crime offenders," Foster said.

Millions in crypto

Flowers was eventually arrested on 16 September 2024 in connection with the TfL attack, which had started on 31 August.

In the arrest raid, investigators seized multiple devices from his bedroom, including laptops, desktop computers, hard drives and USB storage devices.

They reportedly discovered cryptocurrency holdings worth millions of pounds.

During the investigation, NCA officers uncovered evidence that computer systems belonging to two US healthcare organisations, SSM Health and Sutter Health, had also been infiltrated and damaged.

Flowers later pleaded guilty to offences relating to those hacks. He is still wanted in the US.

After being charged, Flowers was released on bail under strict conditions. He breached those conditions twice, in March 2025 and May 2025.

His co-defendant Jubair had also been known to police for years.

In 2023, while still a juvenile, he received a Youth Rehabilitation Order for cyber offences linked to the Lapsus$ hacking group, which targeted major companies including Nvidia and BT/EE.

Because he was under 18, his identity could not be reported at the time.

Jubair has 22 previous convictions in total and began offending at 14 years old.

He is also wanted in the US in connection with cyber-crimes that allegedly stole and extorted $87m (£66.1m) from victims.

News imagePA Court sketch of two men with long hair and glasses. One has a white tshirt on and the other is wearing a dark jacket PA
Flowers (left) and Thalha Jubair pleaded guilty in court on Monday

Flowers and Jubair are due to be sentenced for the TfL hack on 16 July.

An expert witness who previously gave evidence in the Lapsus$ case involving Jubair agrees that the case demonstrates the need for stronger deterrents for the most prolific young cyber criminals.

"You have people who have already been caught and know they are in trouble with the law but carry out more crimes even under surveillance," Prof Peter Sommer said.

"They don't seem to understand the consequences and there are real victims here losing their life savings in some case as well as corporations and their staff that are badly impacted," he added.

Both Jubair and Flowers have been diagnosed with autism and the court heard that Jubair has depression and a severe mood disorder.

News imageA green promotional banner with black squares and rectangles forming pixels, moving in from the right. The text says: “Tech Decoded: The world’s biggest tech news in your inbox every Monday.”

Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.