Scattered Spider duo convicted over $38M Transport for London attack


Two members of the Scattered Spider cybercrime collective have admitted launching a cyberattack against Transport for London (TfL) that caused millions in damages.

Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were due to stand trial for computer hacking offences at Woolwich Crown Court on Monday but changed their pleas to guilty on the first day of what was scheduled to be a six-week trial.

Sentencing for the pair is due to take place in the same outer London court on July 22.

Mind the gap

Jubair and Flowers compromised TfL’s network between Aug. 31 and Sept. 3, 2024, in an attack that disrupted in-station services such as information boards, and online services such as TfL’s refunds portal and Oyster photocard application systems for young people.

The same attack also meant all 28,000 employees of the London transport network were obliged to attend a TfL office for a password reset. A BBC investigation in March 2026 revealed that the hack had exposed the names, email addresses, mobile phone numbers and physical addresses of an estimated 10 million people.

TfL suffered a reported £29 million ($38.2 million) in losses, incident response, and other recovery costs.

The attack was investigated by the UK’s National Crime Agency and City of London Police. Police investigators quickly identified Flowers as a suspect prior to his arrest at his home on Sept. 6, 2024.

Forensic analysis of the laptops, tower computers, hard drives, and USB sticks seized at the time of Flowers’ arrest uncovered evidence that he had also broken into the systems of US healthcare companies SSM Health Care and Sutter Health.

One Acer laptop seized during the arrest held videos showing Jubair accessing TfL systems during the attack, according to a police statement on the case. The pair were messaging each other through the Telegram messaging service as well as using a common workspace that they shared with other cybercriminals.

Web of destruction

The Scattered Spider group burst onto the scene with ransomware attacks against Caesars Entertainment and MGM Resorts in 2023. Attacks against a wide variety of targets across multiple industries, including retail, hospitality, telecoms, and aviation, followed.

UK attacks linked to Scattered Spider include high-profile attacks on Jaguar Land Rover and retailer Marks and Spencer.

Scattered Spider is best viewed as an overlapping network of largely English-speaking crews and affiliates rather than a tightly knit organisation.

The group’s tradecraft is characterised by social engineering, help-desk impersonation, and SIM swapping in furtherance of ransomware-enabled extortion and other scams. In particular, Scattered Spider targeted outsourced IT support and help-desk providers to reset credentials and bypass multi-factor authentication controls to expand their access into victims’ networks.

A loose alliance or collective of cybercrime groups including Scattered Spider, Lapsus$, and ShinyHunters was established last year.

Jubair and Flowers are among a growing number of members of the group to be convicted of computer crime offences.

Tyler Buchanan, a senior figure in the group, was arrested at a Spanish airport in June 2024.

Buchanan, 24, of Dundee, Scotland, was extradited to the US and pleaded guilty in April 2026 to a scam that aimed to steal $8 million in virtual currency from at least a dozen companies as well as numerous individuals.

Co-conspirator Noah Michael Urban of Palm Coast, Florida, was jailed for 10 years in April 2025 after pleading guilty to aggravated identity theft and wire fraud offences.

Other prosecutions remain pending.