Owen Flowers, 18, and Thalha Jubair, 20, were sentenced to five years and six months each at Woolwich Crown Court on Thursday, after pleading guilty to hacking Transport for London’s network in 2024. The Crown Prosecution Service charged both under Section 3ZA of the Computer Misuse Act 1990, recklessly causing a risk of serious damage to human welfare. Flowers also admitted a separate count under Section 3 for conspiring to attack computer systems.

The pair took down TfL’s ticketing and real-time arrival systems for weeks, rendering more than 140 systems inoperable and leaving remediation costs of £29 million, roughly $47 million. Prosecutors say they’re the first defendants convicted under Section 3ZA, and the National Crime Agency called it the largest cybercrime prosecution ever brought before UK courts.

Flowers and Jubair operated under the Scattered Spider banner, the loose collective tied to breaches at MGM, WestJet, and Okta. Jubair separately faces a US complaint, unsealed by the Justice Department, alleging conspiracy to commit computer fraud, wire fraud, and money laundering tied to roughly 120 intrusions and over $115 million in extorted ransom payments.

This is the pattern with Scattered Spider: no state sponsor, no zero-days, just teenagers running social engineering against helpdesk employees who reset the wrong password. The Computer Misuse Act charge matters because it signals UK prosecutors now treat critical-infrastructure disruption as reckless endangerment, not just fraud. Jubair still faces US extradition proceedings and a separate docket in New Jersey. Scattered Spider’s brand may survive; these two members won’t be using it again soon.

James Okafor