British Scattered Spider Hacker Pleads Guilty to Cyberattacks on TfL; SSM Health Care; Sutter Health

Owen Flowers (top) and Thalha Jubair (bottom). Image Source: UK National Crime Agency (NCA).
Two British hackers have pleaded guilty to a cyberattack on Transport for London (TfL), one of whom also admitted to hacking two U.S. healthcare companies in September 2024: SSM Health Care Corporation and Sutter Health.
Owen Flowers, 18, from Walsall, West Midlands, and Thalha Jubair, 20, from East London, were both teenagers when they conducted the attacks and were members of the cybercriminal group Scattered Spider. In contrast to many cybercriminal groups, Scattered Spider is an English-speaking collective whose members are primarily based in the United States, the United Kingdom, and Canada.
Scattered Spider is believed to have been formed in May 2022 and primarily targeted telecommunications companies before expanding its attacks to a wider range of targets. The group has been linked with attacks on more than 120 companies, including Snowflake, Twilio, Mailchimp, DoorDash, American Airlines, WestJet, Hawaiian Airlines, and Aflac. The group was behind the ransomware attacks on Caesars Entertainment and MGM Resorts in September 2023, the TfL attack in late August 2024, and a string of ransomware attacks on UK retailers Marks & Spencer, Harrods, and Co-op Group in April 2025.
The two hackers were arrested at their home addresses on September 16, 2025, in connection with the retail attacks, along with two other individuals. An investigation conducted by the National Crime Agency (NCA) and City of London Police linked the pair to the TfL attack. That attack caused disruption to TfL’s online services, prevented live London Underground train information from appearing in the TfL app and on the TfL website, and forced all 28,000 TfL employees to attend a TfL office for a password reset. The attack cost TfL £29 million ($38 million) in loss and recovery costs.
Investigators searched the residences of the two individuals and recovered laptops, desktop computers, hard drives, and USB sticks, which contained evidence of the pair’s involvement in the TfL attack. Investigators also found evidence on devices owned by Flowers of his involvement in attacks on SSM Health Care and Sutter Health, which resulted in infiltration and damage to computers, according to the UK National Crime Agency.
Jubair ran a Telegram channel called Star Chat that was used by a SIM-swapping group that engaged in voice and SMS-based phishing attacks to steal credentials from employees at UK and US wireless providers. The access was then used to redirect individuals’ phone numbers to devices controlled by the attackers, allowing them to intercept calls and text messages.
Jubair has been charged in the United States for his role in Scattered Spider cyberattacks on at least 120 computer networks, involving 47 U.S. entities. New Jersey prosecutors have charged Jubair with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted on all U.S. charges, Jubair faces up to 95 years in jail.
The hackers were scheduled for a 6-week trial in Woolwich Crown Court in London, starting on June 22, 2026. On day 1 of the trial, Flowers and Jubair pleaded guilty to the attack on TfL. Flowers also admitted to conspiring to commit unauthorized acts against the computer systems of SSM Health Care Corporation and Sutter Health in September 2024.
The hackers are both scheduled for a 2-day sentencing hearing starting on July 15, 2026. Jubair also faces a trial in the United States. Depending on negotiations between UK and US authorities, Jubair could be temporarily transferred after sentencing to stand trial for the charges in the United States before returning to complete his sentence, or he may face a trial in the U.S. after serving the entirety of his UK sentence.
“This has been a lengthy, highly complex, and painstaking investigation. The perseverance and meticulousness of our officers, and the work of our partner organisations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending,” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit. “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider. This is why we work closely with partners at home and abroad to identify offenders within these networks and bring them to justice.”


