Two British teenagers admitted on the first day of their trial to hacking London's transport network and, in one case, two American healthcare systems, in one of the most consequential Scattered Spider prosecutions to date.
What happened
Owen Flowers, 18, of Walsall, West Midlands, and Thalha Jubair, 20, of East London, pleaded guilty on June 22, 2026, at Woolwich Crown Court to conspiring to commit unauthorized access to Transport for London's (TfL) computer systems. According to Krebs on Security, both men were members of Scattered Spider, an English-speaking cybercriminal collective linked to attacks on more than 120 organizations across telecommunications, finance, aviation, and healthcare. Flowers additionally admitted to conspiring to commit unauthorized access to the networks of SSM Health Care Corporation and Sutter Health, two major US healthcare providers, in September 2024. The TfL attack, which ran from August 31 to September 3, 2024, forced all 28,000 TfL employees to attend a physical office to complete mandatory password resets and cost the transport authority approximately $38 million in losses and recovery costs. Both men are scheduled for a two-day sentencing hearing beginning July 15, 2026. Jubair also faces separate charges in the United States, where New Jersey prosecutors have charged him with computer fraud conspiracy, wire fraud, and money laundering conspiracy relating to Scattered Spider attacks on at least 120 computer networks.
Going deeper
The NCA and City of London Police arrested both men at their home addresses on September 16, 2024. Investigators recovered laptops, desktop computers, hard drives, and USB sticks from their residences. According to Infosecurity Magazine, one Acer laptop found at Flowers' home contained a screenshot showing network connectivity to TfL infrastructure, and investigators also found evidence he had accessed an online marketplace selling stolen login credentials from prior breaches. Screen-recorded videos on Jubair's devices showed him actively accessing TfL systems during the intrusion, and Telegram communications between the pair during the attack confirmed their coordination. According to The Record, Jubair co-ran a Telegram channel called Star Chat, used by a SIM-swapping group, a technique where attackers transfer a victim's phone number to a device they control, allowing them to intercept calls, texts, and one-time authentication codes, that targeted employees at major wireless providers in the US and UK. Both men were teenagers at the time of the attacks, with Jubair having been active in cybercriminal networks since at least age 15.
What was said
NCA Deputy Director Paul Foster, head of the National Cyber Crime Unit, stated in the NCA press release, "This has been a lengthy, highly complex, and painstaking investigation. The perseverance and meticulousness of our officers, and the work of our partner organisations meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending. The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider." Foster added that the result would not have been possible without TfL's early engagement with law enforcement, and urged other organizations to report incidents promptly.
In the know
The Scattered Spider prosecutions are accumulating across multiple countries. According to Krebs on Security, Tyler "Tylerb" Buchanan, 24, a British national and Scattered Spider member, pleaded guilty in April 2026 to wire fraud conspiracy and aggravated identity theft for his role in the group's 2022 SMS phishing campaign. Noah Michael Urban, 20, a Florida-based member, was sentenced to 10 years in federal prison in August 2025 and ordered to pay $13 million in restitution after pleading guilty to wire fraud and conspiracy charges. Three additional alleged Scattered Spider members, Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans, still face charges in the US. US prosecutors have previously alleged the group extorted at least $115 million from victims over three years.
The big picture
The SSM Health Care Corporation and Sutter Health breaches confirmed in Flowers' guilty plea add two major US healthcare organizations to Scattered Spider's documented victim list. The group's approach to healthcare targets follows the same playbook applied to telecommunications and retail where social engineering attacks target employees directly rather than exploiting technical vulnerabilities, using credential theft, SIM swapping, and vishing to impersonate IT support and gain initial access. Healthcare environments are particularly exposed to this approach because clinical and administrative staff regularly receive IT support calls and are conditioned to respond quickly to access and credential requests. According to Paubox's Top 3 Healthcare Email Attacks report, only 5% of known phishing and social engineering attacks are reported by employees to security teams, giving groups like Scattered Spider an extended window to operate before detection.
FAQs
What is Scattered Spider, and how does it differ from other ransomware groups?
Scattered Spider is an English-speaking collective, unusual in a cybercriminal landscape dominated by Russian-speaking groups, whose members are primarily based in the US, UK, and Canada. The group specializes in social engineering rather than technical exploits, impersonating IT support staff to trick employees into handing over credentials or granting remote access, then using that access to move through networks and deploy ransomware or exfiltrate data.
What is SIM swapping, and how does it bypass multi-factor authentication?
SIM swapping transfers a victim's mobile phone number to a device controlled by the attacker, typically by convincing a carrier's support staff to reassign the number. Once the number is redirected, the attacker receives the victim's calls and text messages, including one-time codes sent as part of SMS-based multi-factor authentication, effectively bypassing that security control entirely.
Why did Flowers and Jubair plead guilty on the first day of trial?
Both men changed their pleas on June 22, the first day of what had been scheduled as a six-week trial. Guilty pleas at trial commencement typically reflect the weight of evidence against defendants and negotiations that produce a more favorable sentencing outcome than a conviction after a full trial would.
What do the healthcare breaches admitted by Flowers mean for SSM Health and Sutter Health patients?
SSM Health Care Corporation and Sutter Health both reported data breaches in 2024. Flowers' guilty plea confirms that the network intrusions at both organizations were connected to Scattered Spider, providing law enforcement with confirmed attribution and giving affected patients additional context about the nature and source of their exposure.
What should healthcare organizations do differently given Scattered Spider's social engineering approach?
Technical controls alone do not defend against an attacker who calls the IT help desk impersonating an employee. Organizations should implement strict identity verification protocols for any help desk call requesting a password reset or credential change, train staff specifically on vishing scenarios where callers claim to be IT support, and require multi-factor authentication methods that are resistant to SIM swapping, such as hardware security keys, rather than SMS-based codes.
