Home Technology Dark world of baby-faced hackers who crippled TfL from...
Technology

Dark world of baby-faced hackers who crippled TfL from their bedrooms - costing millions

Dark world of baby-faced hackers who crippled TfL from their bedrooms - costing millions
Key Points

Dark world of baby-faced hackers who crippled TfL from their bedrooms - costing millions A pair of 'highly skilled and utterley reckless' hackers have been jailed after managing to crash TfL's systems from their bedrooms - causing travel chaos and millions of pounds in damage These are the faces of the two 'computer loving loners' who caused catastrophic damage to London's travel network, all from the comfort of their own bedrooms. Masterminds in computer hacking, Thalha Jubair, 20, and Owen...

Dark world of baby-faced hackers who crippled TfL from their bedrooms - costing millions A pair of 'highly skilled and utterley reckless' hackers have been jailed after managing to crash TfL's systems from their bedrooms - causing travel chaos and millions of pounds in damage These are the faces of the two 'computer loving loners' who caused catastrophic damage to London's travel network, all from the comfort of their own bedrooms. Masterminds in computer hacking, Thalha Jubair, 20, and Owen Flowers, 18, immersed themselves into the dark online world of cyber crime, making it their mission to cause widespread destruction to Transport for London (TfL). The "extremely serious" breach cost TfL a staggering £29million, with the young hackers managing to "hold the keys to the kingdom" for four days between August 31 and September 3, 2024. With their skills and access, they could have stopped TfL altogether. This week, the duo were sentenced to five and a half years in prison for the sophisticated attack, which left all 27,000 TfL employees needing to reset their passwords in person. Jubair and Flowers both pleaded guilty in June. The 16-hour hack, which the criminals livestreamed online, halted live tube arrival times on the TfL Go app and website and stopped TfL from processing payments on the Oyster and contactless apps. A total of seven million commuters had their data stolen as a result of the attack. A total of 148 technology systems became inoperable, with services including Dial-a-ride - used by disabled and vulnerable passengers - heavily disrupted. Working through the night to delve deeper into the network - and to maximise their chances of not being discovered by staff - the duo started their hack by getting an unnamed co-conspirator to call the TfL helpdesk with stolen login details, pretending to be an employee struggling to access the network remotely. They tricked the helpdesk into resetting the password for them, the court heard. The hackers then logged on to Microsoft Azure and began "using TfL's own systems to hack itself" as they moved up through the system. Flowers was livestreaming Jubair throughout, with the pair constantly communicating via Telegram. At one point during the attack, Flowers messaged Jubair saying: "U won't be laughing when ur sat in prison." Flowers and Jubair, who were both teenagers when the crime took place, downloaded millions of lines of data and created multiple back doors within TfL's systems. They even searched through TfL's customer database for celebrities. To conceal the origin of the attack, they used remote servers and then created virtual machines within the TfL system to destroy evidence. The prosecution underlined a potential loss of billions to the UK if the hackers had locked or destroyed the central TfL system. Childhoods and chilling move into cybercrime Jubair lived with his parents in a council flat in Bow, east London, while Flowers lived with his grandmother and uncle in a three-bed house in Walsall, West Midlands. It's believed Flowers would spend most of his time cooped up in his bedroom playing video games and using chat forums, similarly to Jubair, who also was an avid gamer. Jubair would cause disruption in the gaming world by stealing other players usernames shortly before he fell into the criminal underworld. His father is a care worker and his mother gave up her job to become a full-time carer for her son - who was a hacker from a young age. Passing his GCSEs at the local school, he didn't go to college or sixth form but always had an avid fascination with gaming and computers. Jubair, meanwhile, was taught how to use a smartphone at just four-years-old and was given a laptop by the age of six. He was writing his own computer programs by 10 and by 13, he entered into the sinister world of hacking. As a teenager, Jubair was convicted of 22 offences - with 13 counts of fraud, two of unauthorised access to a computer, one of obtaining access to a computer and one of blackmail. He was also convicted of stalking two young women and hacking into a City of London police server. He is also wanted in the US in connection with cyber crimes against 47 US-based victims, which allegedly led to $115 million paid in ransoms to Jubair and his associates. Meanwhile Flowers was also known to police since the age of 16, being served a cease-and-desist notice issued by West Midlands police in October 2023 for making hoax calls to report serious crimes to emergency services. He also turned down an offer of training to guide him away from cybercrime after he was arrested in September 2024. At that time, his laptop was found in the process of hacking two US healthcare systems. Those hacks were only stopped because of the "fortuitous timing" of his arrest. Woolwich Crown Court heard that both defendants have been diagnosed with autism, and Jubair has depression and a severe mood disorder. Jubair had tried to kill himself and from a young age was "isolated and bullied at school". Both young men admitted conspiracy to commit unauthorised acts in relation to a computer causing or creating risk of serious damage. Flowers also admitted two counts of conspiracy to commit unauthorised acts in relation to a computer with intent to impair, in relation to the healthcare systems. Footage shows Flowers laughing as he is arrested for the hack and put in the back of a police vehicle. He is seen looking into the camera before smiling and laughing. Following his initial arrest, Flowers was arrested again for a bail breach relating to non-compliance with conditions concerning his device usage. Jubair was also charged for failing to disclose the pin or passwords for devices seized from him. Making millions At the height of their crimes, the pair came into huge amounts of money. They were part of a loose collective of hackers known as Scattered Spider, who police suspect are behind a number of recent cyberattacks on Jaguar Land Rover and retailers including Marks & Spencer. In a previous hearing, the court heard how $10m (£7.5m) was moved from Jubair's crypto wallets after he was released from custody in March last year and $200m-worth of crypto had also moved through accounts belonging to him. While Flowers had $7.1m, including crypto, in accounts - despite having no source of income. But both teens were careful with splashing their cash - until it came to food deliveries. One particular food order by Jubair exposed his true identity to US authorities - a schoolboy error from someone hidden in the depths of the dark cybercrime world. He had recklessly paid for a food order using gift cards bought with crypto from an account that allegedly stored ransomware payments. From this payment, authorities were able to track the address of where the food was being delivered. Their participation in the Scattered Spider group may have earned them millions of dollars in cryptocurrency, but their convictions have "effectively halted the group's criminal activity" according to the National Crime Agency (NCA). Experts have previously pointed out that cyber attacks like Flowers and Jubair's aren't normally for financial gain, but more for bragging rights. Defending Jubair, Paul Keleher KC compared his client to a "modern day Oliver Twist" who had been groomed from a young age to use his skills for hacking. He said: "They recruited young children to use their nimble fingers and nimble feet to steal from people." Mark Fenhalls KC, prosecuting, said: "These two young men are highly skilled with computers and capable of wreaking havoc and you may think wholly indifferent to the consequences for the public and the potential suffering and costs to others." TfL damages Along with the £29 million in damages from disruption to services and operational work, TfL says the incident cost £10 million in lost income. "They are both experienced and talented hackers who were together in concert with others to attack TfL," said Mr Fenhalls. The prosecutor added that the hackers "could have shut out and shut down TfL completely" as they unlocked the "highest privileged access" in the system, known as "the keys to the kingdom". A TfL victim impact statement read out in court said: "It is possible that access could have been sufficient to enable the actor to cause catastrophic damage to many technology systems, which would have led to significant and extended transport service degradation and disruption. "Such widespread disruption would have had a serious impact on the travelling public, including for those accessing education, healthcare and other essential services, and London's economy." Sentencing the pair, Mr Justice Turner said the attack was "primarily motivated by selfish bravado, heedless of the severe consequences to others". The NCA said the rise of young hackers in the UK as one of the biggest threats to the nation's cyber security.
TfL (ORG) London (LOCATION) Thalha Jubair (PERSON) Owen Flowers (PERSON) Transport for London (LOCATION) Microsoft Azure (ORG) UK (LOCATION) Bow (LOCATION)
Originally published by Daily Mirror Read original →