Owen Flowers, a teenager from Walsall, masterminded a sophisticated cyber attack that has been described as Britain’s biggest ever cybercrime case, causing £29 million in public sector disruption. Operating from the home he shared with his grandmother and uncle, Flowers teamed up with accomplice Thalha Jubair, who coordinated from London to launch a coordinated four-day assault on Transport for London (TfL).
Despite only attracting a small online audience of three during the live-streamed hacking—broadcast by Jubair—the operation caused widespread havoc. TfL was forced to sever all internet connectivity to its systems in a desperate attempt to halt the infiltration, a move prosecutors described as crucial to prevent a catastrophic shutdown. Had the attackers succeeded fully, losses could have soared to an estimated £56 billion.
Police arrested Flowers at his family home as he was actively hacking into two US healthcare systems, SSM Health and Sutter Health. His laptop contained evidence of ongoing cyber intrusions, underscoring the extent of his criminal activity. The 17-year-old denied involvement initially but later confessed alongside Jubair.
READ MORE: Argentina Avoids World Cup Disqualification Despite Falklands Banner Controversy
READ MORE: Open Date Announced for Newly Transformed Maki and Ramen Restaurant in Birmingham
Flowers, known to authorities but without previous convictions, had exhibited troubling online behavior, including making hoax emergency calls. He was previously issued a cease and desist notice and declined to engage with the UK’s Cyber Choices programme aimed at diverting young cyber offenders.
Described in court as an “accomplished hacker” motivated by notoriety rather than financial gain, Flowers spent much of his time isolated and gaming online. Defense barrister Adam Davis cited Flowers' difficult childhood and social isolation as factors influencing his offending.
While on remand, Flowers continued hacking activities, communicating advice to others and attempting access to multiple government domains. His phone records revealed continued connections to tools linked to cybercrime, including encrypted platforms, cryptocurrency software, and VPNs.
Both Flowers and Jubair, aged 18 and 20 respectively at sentencing, were connected to the hacking collective Scattered Spider—a group previously linked to attacks on major UK firms. Their conviction followed an international cooperative investigation involving the National Crime Agency, Europol, the Australian Federal Police, and the FBI.
In court, Mr Justice Turner acknowledged the defendants’ technical skill but condemned their reckless and selfish actions, which severely disrupted TfL’s services including concessionary travel cards, Dial-a-Ride bookings, and contactless payment systems. All 27,000 TfL staff had to reset passwords as a result.
The judge noted the attacks exploited social engineering tactics and sophisticated software to breach TfL’s internal systems, causing significant personal data exposure and operational disruption, though avoiding a complete network shutdown.
Both were sentenced to five years and six months in prison, highlighting the serious consequences of cybercriminal activity regardless of age or personal circumstances.