Britain's biggest hack: Extraordinary story behind £29m TfL cyber attack carried out by crypto-millionaire teens from their bedrooms, who were eventually snared by a takeaway order…But are still hacking from jail
•Two teenagers, Thalha Jubair and Owen Flowers, executed a £29 million cyber attack on Transport for London.
•They were caught after Jubair made a takeaway order using cryptocurrency linked to their hacking activities.
•Despite being incarcerated, they continued their cyber activities, with Flowers using a smuggled phone to target government systems.
By REBECCA CAMBER, CRIME AND SECURITY EDITOR Published: 20:51, 15 July 2026 | Updated: 20:59, 15 July 2026 Two teenagers who became Britain’s biggest cyber hackers are facing jail for a £29milllion attack on the London transport network after being caught out by a takeaway order. Thalha Jubair and Owen Flowers took down Transport for London (TfL) in a four-day cyber attack that threatened to cause £56billion of ‘catastrophic damage’. Jubair even spoke of ‘nuking’ access to the system, but TfL managed to ‘pull the plug’ on the network to stop the pair. Now it can be revealed how the duo became Britain’s worst hackers, ransoming companies around the world for tens of millions of pounds, continuing to wreak havoc even behind bars. The prolific pair were members of the notorious Scattered Spider network, which has been linked to attacks on Jaguar Land Rover costing an estimated £1.9billion, a £300million hack of M&S, and attacks on Harrods and the Co-op causing losses of £206million. Even as Flowers, 18, was behind bars, he used a smuggled phone to try to hack into the Crown Prosecution Service, the Ministry of Justice, various Government domains and even the prison he was being held in. Meanwhile, Jubair, now 20, is estimated to have handled £200million in cryptocurrency from ransoming businesses since he became a hacker at the age of 13, US prosecutors believe. Thalha Jubair, 20, is estimated to have handled £200million in cryptocurrency from ransoming businesses since he became a hacker at the age of 13, US prosecutors believe Owen Flowers, 18, used a smuggled phone to try to hack into the Crown Prosecution Service, the Ministry of Justice, various Government domains and even the prison he was being held in Ultimately it was the spending of that cash that was to prove his undoing after Jubair splashed out, not on fast cars or jewellery, but on food takeaways. He bought gift vouchers for a food delivery service using a cryptocurrency wallet containing £27million he and his fellow hackers had allegedly taken in ransom payments from major US companies. The mistake led the FBI right to his door by tracing the takeaways, discovering that one of the most dangerous cyber hackers in Britain was a 17-year-old autistic loner living with his parents in a high-rise block next to a Met Police call handling centre in Tower Hamlets, East London. Yesterday Jubair’s lawyer Paul Keleher, KC, told Woolwich Crown Court that his client was a ‘modern day Oliver Twist’, groomed by criminals to hack companies from the age of 13. In a cautionary tale of an ‘online upbringing’, Jubair was given a smart phone at the age of four and he got his first laptop at six from his father, who was a care worker, and from his mother, who worked with children who have special needs. By the age of nine Jubair was writing computer programmes. At 13 he had graduated to hacking after being recruited on gaming platforms such as Roblox. By 15 he had managed to infiltrate the City of London Police systems. Mr Keleher said his client later graduated to becoming the ‘Artful Dodger’, recruiting other young hackers and teaching them tricks. He revelled in his growing reputation online after being bullied and isolated at school. His bedroom in a 22-storey tower block became the unlikely headquarters of a millionaire cyber criminal while Jubair was still at school. In September 2024, Jubair vowed to ‘f*** the railways’ and ‘nuk[e] access’ after compromising the account of a single employee to hack into Transport for London’s systems He started off with SIM-swapping – when an individual’s mobile phone number is redirected to a hacker, enabling authentication codes to be sent directly to criminals. In 2021, Jubair amassed 700 victims using this method in an attack on BT/EE. By the age of 15 he was part of a teenage hacking group described by prosecutors as ‘online bandits’, claiming tech giants such as Microsoft, Nvidia, Samsung, T-Mobile and Uber among their victims, stealing data and source code, including the unreleased Grand Theft Auto 6 from Rockstar. Despite being under police investigation, Jubair was more worried about his parents finding out, according to messages sent to other hackers. But in the event, he was arrested in his school uniform. In 2023 he was convicted of 22 offences including blackmail, fraud and stalking, receiving an 18-month youth rehabilitation order. But Jubair continued to target major corporations. US prosecutors have linked him and his associates to at least $115million (£86million) in ransom payments, including from a major hack of Las Vegas casinos. Court documents allege that Jubair even hacked the US federal court system by contacting the help desk, impersonating a judge to ask for a password reset, then gaining entry to the judge’s email account. In September 2024, Jubair vowed to ‘f*** the railways’ and ‘nuk[e] access’ after compromising the account of a single employee to hack into Transport for London’s systems. Although buses and tubes were kept running, the breach disrupted TfL services for months, affected the personal data of millions of people and left all 28,000 TfL employees needing to reset their passwords in person. The booking system for the Dial-a-Ride buses used by those with disabilities was shut down, and data on live Tube times for apps such as TfL Go and Citymapper was taken offline. Jubair and Flowers hunted celebrity TfL users, but the pair were unable to get into credit card details. When police swooped just hours later, they caught Flowers in the act of hacking two US healthcare companies from his bedroom in Walsall, West Midlands, where he lived with his grandmother. Even in a prison cell he continued to profit from his crimes, receiving £450,000 in Bitcoin which he planned to ‘wash’ for clean cryptocurrency to pay drug debts from smoking cannabis behind bars. Flowers boasted to other hackers that he would be out of prison soon: ‘Bro I’ll get 2 ish years for TfL. Would have done a year by trial. Go home straight away. Right now it’s a section 3za [offence] which is 14 years max [in] prison, but cuz I was youth I won’t get as long as.’ He added: ‘Bro, I’ve been studying law on the side since i got arrested. Studying the judges i might get.’ Perhaps as the pair are sentenced today at Woolwich Crown Court, they may find the judge less sympathetic. As Mr Justice Turner remarked: ‘There’s no Fagin in this case, it’s a Fagin-less crime.’المصدر: Daily Mail | Source: Daily Mail
→Two teenagers, Thalha Jubair and Owen Flowers, executed a £29 million cyber attack on Transport for London.
→They were caught after Jubair made a takeaway order using cryptocurrency linked to their hacking activities.
ملاحظة تحريرية | Editorial Note: نُشر هذا المقال في الأصل بواسطة Daily Mail. خبر (Khabr) هي منصة إعلامية أردنية مرخّصة تعمل بالذكاء الاصطناعي. نضيف قيمة تحريرية من خلال: تحليل ذكي للأخبار، ملخصات تلقائية، رواية صوتية بالذكاء الاصطناعي، ترجمة متعددة اللغات، وتدقيق الحقائق. هدفنا جعل الأخبار أكثر وضوحاً وسهولةً للقارئ العربي.
This article was originally published by Daily Mail. Khabr is a licensed Jordanian AI-powered news platform (Registration #82086). We add editorial value through: AI-powered news analysis, automated summaries, AI audio narration, multi-language translation (Arabic, English, French, Turkish), and AI fact-checking. Our mission is to make news more accessible and understandable for Arabic-speaking audiences worldwide.
