TfL hackers had long police histories before major cyber-attack

Millions of TfL users had personal data compromised; 28,000 employees required in-person password resets; victims of related US healthcare hacks and extortion schemes lost significant sums.
"They don't seem to understand the consequences and there are real victims here"
A cyber-crime expert reflects on why young offenders continue committing crimes despite prior convictions and police contact.

Two teenagers, already known to police and subject to prior interventions, went on to orchestrate one of Britain's most consequential cyber-attacks — striking Transport for London in August 2024 and compromising the data of millions. The case of Owen Flowers and Thalha Jubair, both members of the Scattered Spider collective, raises an enduring question about the gap between knowing a threat exists and possessing the tools to contain it. It is a story not merely of crime, but of the limits of warning, the weight of inaction, and the human cost of systems that intervene too late.

  • A sixteen-year-old handed a cease-and-desist order and left to his own devices became, nine months later, the architect of a breach that paralysed one of the world's busiest transport networks.
  • The attack on TfL forced 28,000 employees to reset passwords in person, exposed millions of users' personal data, and revealed cryptocurrency holdings worth millions in a teenager's bedroom.
  • Jubair's 22 prior convictions and Flowers' repeated bail breaches expose a system that could see the danger clearly but lacked the legal instruments to stop it in time.
  • Authorities and academics are now pressing for Cyber Crime Risk Orders — a proposed legal mechanism to restrict high-risk individuals before catastrophic offences occur, not after.
  • With both men wanted in the United States and sentencing set for July 16, the case casts a long shadow over the adequacy of current deterrents for a new generation of highly capable young offenders.

Owen Flowers was sixteen when police first visited him at his grandmother's house in Walsall. Officers from West Midlands Regional Cyber Crime Unit issued a cease-and-desist order and departed. He did not engage. He was already under investigation, and authorities deemed him unsuitable for the Cyber Choices rehabilitation programme. Nine months later, he helped bring down Transport for London.

On 31 August 2024, TfL's systems were compromised in an attack carried out by Flowers and Thalha Jubair, both members of the loosely organised Scattered Spider collective. The breach lasted months. Millions of users had personal data exposed. All 28,000 TfL employees were required to reset their passwords in person. When investigators raided Flowers' bedroom, they found multiple devices and cryptocurrency worth millions of pounds. He had also breached systems belonging to two American healthcare organisations and remains wanted in the United States.

Jubair's history was longer still. He began offending at fourteen. In 2023 he received a Youth Rehabilitation Order for offences linked to the Lapsus$ hacking group, which had targeted Nvidia and BT/EE. By the time he pleaded guilty alongside Flowers, he carried 22 previous convictions and faces US charges connected to the alleged theft and extortion of $87 million from victims.

Paul Foster of the National Crime Agency described the case as evidence of the challenge posed by a small number of highly capable young offenders, and called for earlier legal intervention. The government has proposed Cyber Crime Risk Orders — measures that would allow courts to restrict individuals deemed high-risk before serious breaches occur. Professor Peter Sommer, who gave expert evidence in the earlier Lapsus$ proceedings, was blunt: the current deterrents are failing people who offend even while under surveillance, seemingly unable to grasp the consequences for real victims losing life savings.

Both men have been diagnosed with autism; Jubair also with depression and a severe mood disorder. Neither diagnosis appears to have altered the course of their offending. Flowers breached his bail conditions twice after being charged. Sentencing is scheduled for 16 July. The Scattered Spider collective has since been linked to attacks on Marks and Spencer and the Co-op. The TfL breach now stands as a marker of what the system permits when warning signs accumulate but the tools to act on them do not yet exist.

Owen Flowers was sixteen when police first knocked on his door. It was October 2023, and officers from West Midlands Regional Cyber Crime Unit had caught him carrying out low-level cyber-offences. They visited him at his grandmother's house in Walsall, handed him a cease and desist order, and left. Flowers did not engage with them. He was already under investigation for something else, and the officers decided he was not a suitable candidate for the Cyber Choices programme, a national initiative designed to steer young people away from cyber-crime. Nine months later, he would help orchestrate one of Britain's most damaging cyber-attacks.

On August 31, 2024, Transport for London's systems went dark. The breach, carried out by Flowers and his co-conspirator Thalha Jubair, both members of the loosely organised cyber-crime collective known as Scattered Spider, crippled the transport network for months. The attack rippled outward in ways both visible and invisible. Millions of people had their personal data compromised. All 28,000 TfL employees were forced to reset their passwords in person. The financial cost to the organisation was substantial. But what the BBC has now uncovered is perhaps more troubling than the attack itself: both men had been known to police for years, and authorities had made repeated attempts to stop them before they ever touched TfL's infrastructure.

Flowers, now 18, was arrested on September 16, 2024, just over two weeks after the attack began. When investigators raided his bedroom, they found multiple laptops, desktop computers, hard drives, and USB storage devices. Among the seized equipment were cryptocurrency holdings worth millions of pounds. The investigation also revealed that Flowers had been involved in breaching computer systems belonging to two American healthcare organisations, SSM Health and Sutter Health. He later pleaded guilty to those offences as well and remains wanted in the United States.

His partner in the TfL attack, Jubair, now 20 and from east London, had an even longer history with law enforcement. He began offending at fourteen years old. In 2023, while still a juvenile, he received a Youth Rehabilitation Order for cyber-offences connected to Lapsus$, a hacking group that targeted major corporations including Nvidia and BT/EE. His identity could not be reported at the time because of his age. By the time he pleaded guilty to the TfL attack on Monday alongside Flowers, Jubair had accumulated 22 previous convictions. He is also wanted in the United States in connection with cyber-crimes that allegedly stole and extorted $87 million from victims.

What emerges from this pattern is a system struggling to contain a particular type of offender. Paul Foster, deputy director of the National Crime Agency and head of its National Cyber Crime Unit, told the BBC that the case highlights the challenges posed by a small number of highly capable young criminals. He called for stronger legal powers to intervene earlier, before serious breaches occur. The government has proposed Cyber Crime Risk Orders, or CCROs, as part of planned reforms to the Computer Misuse Act. These orders would allow police and courts to place restrictions on people deemed high-risk, enabling what Foster described as "earlier law enforcement interventions against high-risk cyber-crime offenders."

Peter Sommer, a professor who previously gave expert evidence in the Lapsus$ case involving Jubair, sees the TfL attack as evidence that current deterrents are failing. "You have people who have already been caught and know they are in trouble with the law but carry out more crimes even under surveillance," he said. "They don't seem to understand the consequences and there are real victims here losing their life savings in some cases as well as corporations and their staff that are badly impacted." Both Flowers and Jubair have been diagnosed with autism. Jubair has also been diagnosed with depression and a severe mood disorder. Neither diagnosis appears to have altered the trajectory of their offending.

Flowers breached his bail conditions twice after being charged—once in March 2025 and again in May 2025. Both men are due to be sentenced on July 16. The question that now hangs over the case is whether the interventions that failed with Flowers and Jubair might have succeeded with different tools, different timing, or different resources. The Scattered Spider collective has been linked to dozens of other cyber-attacks, including breaches of retailers Marks and Spencer and the Co-op. As authorities push for new powers to identify and contain high-risk offenders before they strike, the TfL attack stands as evidence of what happens when the system waits too long.

The Hearth Conversation: another perspective on the story
Inventor

Why didn't the police intervention in October 2023 work? Flowers was caught, he was warned.

Model

He was already under investigation for something else, and he wasn't willing to engage with officers. They had the option to enrol him in a diversion programme, but they deemed him unsuitable because of his reluctance and the ongoing investigation. It was a judgment call that didn't hold.

Inventor

So the system identified him as a problem and then... let him go?

Model

Essentially, yes. They gave him a cease and desist order and left. There was no follow-up mechanism robust enough to prevent what came next. Within months, he was part of Scattered Spider and committing increasingly serious offences.

Inventor

What's striking to me is that both men had autism diagnoses. Does that factor into how we should think about this?

Model

The court heard about those diagnoses—Jubair also has depression and a severe mood disorder. But the experts quoted in the reporting don't frame it as an excuse. They frame it as part of understanding why these particular offenders don't seem to grasp the real-world consequences of their actions. That's different from saying their conditions caused the crimes.

Inventor

The government wants these new Cyber Crime Risk Orders. What would those actually do?

Model

They'd let police and courts place restrictions on people identified as high-risk before they commit serious breaches. Earlier intervention, tighter monitoring. The idea is to catch someone like Flowers before they're part of a collective that can take down a transport network.

Inventor

Do you think that would have stopped him?

Model

I don't know. He was already resistant to engagement with officers. Stronger legal powers might have meant more intensive supervision, but whether that changes someone's choices is a different question entirely.

Inventor

What about the victims? The millions of TfL users whose data was compromised?

Model

They're the invisible part of this story. The reporting focuses on the offenders and the system's failure to contain them, but 28,000 employees had to reset passwords in person. Millions had personal data exposed. And in the US healthcare cases Flowers was involved in, people lost life savings to extortion. Those are the real consequences the experts say these young offenders don't seem to understand.

Want the full story? Read the original at BBC News.