Teen hackers posed £56bn threat to UK economy in TfL cyber attack
Teen hackers posed £56bn threat to UK economy in TfL hack

Two teenage hackers could have 'shut down Transport for London (TfL) completely' in a cyber attack that cost the network £29 million and posed a potential £56 billion threat to the UK economy, a court has heard.

Hackers gained 'keys to the kingdom'

Thalha Jubair, now 20, and Owen Flowers, 18, carried out the 'extremely serious hack' on TfL's online network between August 31 and September 3, 2024. The pair, tied to a group known as Scattered Spider, worked through the night for 16 hours to access the network after tricking the helpdesk into resetting a password for them. They then began 'using TfL's own systems to hack itself' as they continued to infiltrate deeper – eventually obtaining the 'highest privileged access', known as 'the keys to the kingdom'.

Mark Fenhalls KC, prosecuting, told Woolwich Crown Court this gave them 'total control over the network' and would have enabled them to place ransomware throughout the entire system. Had they encrypted or destroyed the central TfL system, there could have been a 'potential consequential loss of £56 billion to the UK economy', he added.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

Impact on TfL and employees

A TfL victim impact statement read out in court said: 'It is possible that access could have been sufficient to enable the actor to cause catastrophic damage to many technology systems, which would have led to significant and extended transport service degradation and disruption. Such widespread disruption would have had a serious impact on the travelling public, including for those accessing education, healthcare and other essential services, and London’s economy.'

TfL feared the hack could be catastrophic and 'pulled the plug' on their whole system. It resulted in every single one of its more than 27,000 employees having to come into the office to reset their passwords.

Details of the attack

Flowers livestreamed Jubair as he conducted the hack, and some of the videos were recovered when he was arrested three days later on September 6. The pair were in constant contact during the attack and spoke about 'nuking access' to the servers on their way out. Mr Fenhalls said: 'They were utterly reckless about the consequences of hacking TfL, the transport network and the communications for the country. It only came to an end because TfL threw them out rather than they chose to stop.'

Together they used remote servers to conceal the origin of the attack, created virtual machines within the TfL system to destroy evidence, downloaded millions of lines of data, and created multiple back doors within TfL's system, the court heard.

Legal proceedings and background

Jubair and Flowers both admitted conspiracy to commit unauthorised acts in relation to a computer causing or creating risk of serious damage. Flowers also admitted two counts of conspiracy to commit unauthorised acts in relation to a computer with intent to impair, in relation to the healthcare systems. They will be sentenced on Thursday.

Defending Jubair, Paul Keleher KC compared his client to a 'modern day Oliver Twist' who had been groomed from a young age to use his skills for hacking. He said: 'They recruited young children to use their nimble fingers and nimble feet to steal from people.' Mr Justice Turner said: 'There’s no Fagin in this case, it’s a Faginless crime. He has an audience but he doesn’t have a puppet master, he’s promoted himself to an instigator and perpetrator.' Jubair was sentenced last year for 22 offences including hacks on individuals, telecoms businesses and the City of London Police system.

On behalf of Flowers, who was 17 when he conducted the hack, Adam Davis KC described his client as an 'immature child trying to show off online'. When Flowers was arrested in September 2024, his laptop was found in the process of hacking two US healthcare systems. Those hacks were only stopped because of the 'fortuitous timing' of his arrest, the court heard.

Flowers managed to purchase 'unlawful phones' in prison and search for logins to the Ministry of Justice, HMP Wandsworth staff, and the CPS, the court heard. Mr Fenhalls said: 'Whilst in prison Flowers has used online tools used for purchase of breached credentials. It also indicates attempts to access multiple government domains.'

Pickt after-article banner — collaborative shopping lists app with family illustration