Scattered Spider duo sentenced to 5.5 years each over the 2024 Transport for London intrusion — court evidence details the helpdesk-vishing/MFA-reset chain
UPDATE · originally covered Two Scattered Spider members plead guilty over the 2024 Transport for London intrusion (2026-06-23)
the guilty-plea entry recorded that two Scattered Spider members admitted the 2024 TfL intrusion but did not carry the access mechanics. The 2026-07-16 sentencing (five years six months each, at Woolwich Crown Court) put the chain on the court record, and it is the reason to revisit this. The pair bought partial TfL employee credentials from criminal forums, then "impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account" and, over multiple attempts, reset the account's 2FA, using the reset credentials for initial and sustained access (The Register, 2026-07-16). The NCA confirmed the impact scale — "a total of 148 systems became inoperable, including critical ones that required significant manual workarounds and delays" (NCA, 2026-07-16) — and TfL later established that data on roughly 7 million users had been accessible, far beyond the ~5,000 initially believed (The Register, 2026-07-16). The CPS put the remediation cost at £29 million (CPS, 2026-07-16).
a total of 148 systems became inoperable, including critical ones that required significant manual workarounds and delays.
Flowers and Jubair purchased partial TfL credentials from "well-known criminal forums" and used those to reset the 2FA on employee accounts, a process that took multiple attempts.
Woolwich Crown Court heard that the pair impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account.
ATT&CK mapping
4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Reconnaissance TA0043
T1589.001Gather Victim Identity Information: Credentials
Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
Initial Access TA0001
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
T1566.004Phishing: Spearphishing Voice
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
Persistence TA0003
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
T1098Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
Privilege Escalation TA0004
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
T1098Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
Stealth TA0005
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Sources
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.