Two men have pleaded guilty in a London court to criminal charges related to the August 2024 cyberattack that disrupted Transport for London (TfL) services. Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, entered their pleas on the first day of proceedings, admitting to conspiring to perform unauthorized acts against computer systems and causing a risk of serious damage to human welfare. The pair are identified by law enforcement as members of the Scattered Spider cybercrime collective, a group linked to numerous large-scale network intrusions and ransomware campaigns globally.
The guilty pleas mark a significant development in the ongoing international investigation into Scattered Spider. According to official records, the group’s activities have targeted a wide range of sectors, including retail, healthcare, and transportation. Both defendants are currently scheduled to be sentenced in a London court on July 15, 2026.
Owen Flowers (left) 18, and Thalha Jubair, 20. Image: UK National Crime Agency (NCA).
The Scope of Criminal Charges and Cyber Intrusions
The charges against Jubair and Flowers stem from a broader pattern of cyber-criminality involving unauthorized access to protected computer networks. Beyond the disruption of London’s public transport infrastructure, Flowers admitted to participating in a conspiracy to compromise U.S.-based healthcare providers, specifically SSM Health Care Corporation and Sutter Health, in September 2024, as reported by the BBC. These admissions reflect the group’s methodology of targeting critical infrastructure and sensitive data repositories to facilitate extortion.
Jubair faces additional scrutiny from U.S. authorities. In September 2025, prosecutors in the District of New Jersey unsealed an indictment alleging that Jubair and other affiliates of Scattered Spider engaged in computer fraud, wire fraud, and money laundering. These charges relate to approximately 120 network intrusions affecting 47 U.S. entities between May 2022 and September 2025. According to the U.S. Department of Justice, victims of these schemes paid at least $115 million in ransom payments to the attackers.
SIM-Swapping and Phishing Operations
Investigations into the group’s operations have uncovered a sophisticated infrastructure used to harvest credentials. Prosecutors allege that Jubair co-managed a Telegram channel known as “Star Chat,” which served as a hub for SIM-swapping operations. By utilizing voice- and SMS-based phishing attacks, the group targeted employees at major wireless providers in the United States and the United Kingdom to gain control of mobile devices.
This access allowed the group to intercept calls and text messages, including one-time passcodes required for multi-factor authentication. U.S. prosecutors have linked the handle “Rocket Ace” to Jubair, noting its use in orchestrating these intrusions. Furthermore, authorities allege that a mass SMS phishing campaign during the summer of 2022 enabled the theft of single sign-on credentials from employees at more than 130 organizations, including major technology and service companies like LastPass, DoorDash, Mailchimp, Plex, and Signal, as detailed in federal court filings.
International Law Enforcement Coordination
The prosecution of Jubair and Flowers is part of a coordinated international effort to dismantle the Scattered Spider network. Other members of the group have faced similar legal consequences in the United States. In April 2026, Tyler Buchanan, a 24-year-old British national, pleaded guilty to wire fraud conspiracy and aggravated identity theft. According to the U.S. Attorney’s Office for the District of New Jersey, Buchanan and his co-conspirators utilized stolen credentials to misappropriate at least $8 million in cryptocurrency. Buchanan is currently awaiting sentencing, which is scheduled for October 2, 2026.
In August 2025, Noah Michael Urban, a 20-year-old from Florida, was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution after pleading guilty to wire fraud and conspiracy charges, according to Department of Justice records. While several individuals have been convicted, the U.S. government maintains that other alleged members, including Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans, continue to face active charges in connection with the group’s activities.
The case remains active as authorities continue to process evidence related to the extensive network of intrusions. Following their scheduled sentencing on July 15, 2026, further updates regarding the legal status of the remaining defendants are expected to be released through the U.S. Department of Justice and the UK National Crime Agency. Readers are encouraged to monitor official court dockets for the latest filings in these proceedings.