Two young men who pleaded guilty on Monday to crippling Transport for London in a cyber-attack that paralysed services for months had been on the radar of law enforcement for years – raising questions about the effectiveness of early interventions in curbing youthful cyber-offending.
Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, admitted carrying out the attack as part of the cyber-crime collective Scattered Spider – a loosely organised gang of young English-speaking hackers linked to dozens of other breaches, including at retailers Marks and Spencer and the Co-op.
“Teen hackers Owen Flowers and Thalha Jubair, known to police for years, pleaded guilty to crippling TfL in a cyber-attack.”
The September 2024 attack on TfL disrupted services for months, compromised the personal data of millions of people and forced all 28,000 employees to reset their passwords in person. The full extent of the financial damage has not been disclosed, but the costs were described as “large”.
Yet Flowers had first come to police attention shortly after turning 16. In October 2023, he was caught carrying out low-level cyber-crime and visited by officers from the West Midlands Regional Cyber Crime Unit. During that visit, Flowers did not engage with officers and was issued a cease and desist order. The police considered enrolling him in the national Cyber Choices programme, which aims to steer young people away from cyber-crime, but decided he was not suitable because he was already under investigation for an offence and was reluctant to cooperate.
Months later, living with his grandmother, Flowers joined Scattered Spider and went on to commit a series of increasingly serious offences that culminated in the TfL attack. He was eventually arrested in September 2024.
The case has prompted the National Crime Agency to call for stronger legal powers. Paul Foster, NCA deputy director and head of its National Cyber Crime Unit, said the case highlighted the challenges posed by “a small number of highly capable offenders” and underscored the need for earlier interventions.
He pointed to proposed Cyber Crime Risk Orders (CCROs), announced by the UK government as part of planned reforms to the Computer Misuse Act. These orders would allow police and courts to place restrictions on individuals considered high risk before they carry out further serious breaches. “We need to enable earlier law enforcement interventions against high-risk cyber-crime offenders,” Foster said.
The case also reveals a gap in understanding among young cyber-criminals. Experts have told the BBC that perpetrators often do not appear to grasp the real-world consequences of their actions – a lesson that Flowers and Jubair are now learning in court.