Thalha Jubair (left), and his British accomplice Owen Flowers.
Thalha Jubair (left), and his British accomplice Owen Flowers.

British-Bangladeshi hacker, accomplice jailed over cyberattack that brought London to a standstill

The digital infrastructure of Transport for London (TfL), the backbone of daily travel for millions of people in the UK capital, was effectively crippled for several days by an unprecedented cyberattack. Key online services went offline, passenger services were severely disrupted, and the financial damage reached an estimated GBP 39 million.

Nearly two years later, British-Bangladeshi Thalha Jubair, 20, and his British accomplice Owen Flowers, 18, have each been sentenced to five and a half years in prison for the attack by Woolwich Crown Court. The court delivered its verdict yesterday, Thursday (16 July).

In his ruling, Judge Mark Turner said the attack was not an act of state-sponsored sabotage. Instead, the international hacking group ‘Scattered Spider’ had carried it out to demonstrate its capabilities. He described the attack as an act of reckless bravado, saying the defendants had shown complete disregard for the disruption caused to millions of people.

Under Section 3ZA of the Computer Misuse Act, attacks on critical national infrastructure carry a maximum sentence of life imprisonment. However, the court imposed five-and-a-half-year prison terms after taking into account the defendants' ages and neurodivergent conditions, particularly Jubair’s autism and clinical depression. Both men also received reduced sentences after pleading guilty during the trial.

How TfL was brought to a standstill

Investigators said the hacking group infiltrated TfL’s network over several days, from 31 August to 3 September 2024. At one stage, the hackers gained full administrative control of the system. As the situation spiralled out of control, TfL was forced to disconnect its entire network to prevent an even greater disaster. As a result, around 28,000 employees had to visit their workplaces to reset passwords and security credentials, while multiple services were disrupted.

The investigation found that Owen Flowers recorded videos of the hacking operation, while Jubair shared them with friends in a Telegram group and boasted about causing disruption to London's transport network.

Previous criminal record

Jubair had been living with his parents in a modest flat in Bow, East London. His father worked as a care worker, while his mother had left her job to care for him. From his teenage years, Jubair had accumulated multiple records linked to online fraud and computer-related offences. Operating under an alias on the dark web, he was known within international hacking circles.

Flowers, meanwhile, lived with his grandmother and uncle in Walsall, West Midlands. He had already been under police surveillance. At the time of his arrest, he was attempting to breach the systems of two major healthcare organisations in the United States.

A digital trail exposed the network

According to investigators, however sophisticated hackers may be, they are often ultimately exposed by a simple digital trail. The same happened in this case.

Investigators found that a cryptocurrency wallet controlled by Jubair had been used to purchase gift cards and fund an online gaming account. By analysing those transactions alongside other digital evidence, they were able to link his online identity, server infrastructure and home in east London.

During a search of Jubair’s home, police also recovered a Bangladeshi passport that had not previously been declared to the authorities.

Facing an even bigger trial in the United States

Although the UK sentencing brings one chapter of the case to a close, Jubair now faces an even bigger legal battle in the United States.

The US Department of Justice has brought separate criminal charges against him, alleging that his network carried out more than 120 cyberattacks on at least 47 organisations in the United States, extorting more than USD 115 million. He also faces allegations of conducting cryptocurrency transactions worth more than USD 200 million through multiple digital wallets.

Jubair is expected to face extradition to the United States after completing his prison sentence in the UK. If convicted on the US charges, he could receive a lengthy prison term.

A major warning

According to UK cybercrime experts, the case is not merely about prosecuting two young offenders; it also serves as a stark warning about the digital security of modern states. The attack on critical infrastructure such as TfL demonstrated that a handful of skilled hackers could bring a major city's daily life to a standstill from afar.

At the same time, the case has shown that however sophisticated cybercrime may be, digital technology itself can ultimately become the strongest evidence against those responsible.