British authorities announced the arrest of a 17-year-old male from Walsall in connection with a cyber attack on Transport for London (TfL) that occurred on September 1. The U.K. National Crime Agency (NCA) detained the teenager on September 5, 2024, on suspicion of Computer Misuse Act offenses. After questioning, he was released on bail.
Deputy Director Paul Foster of the NCA’s National Cyber Crime Unit emphasized that attacks on public infrastructure can have severe consequences, but noted the swift response by TfL helped facilitate a prompt investigation, which is still ongoing.
TfL confirmed the breach resulted in unauthorized access to bank account numbers and sort codes of around 5,000 customers, and they will be reaching out to those affected. Although the impact on customers has been minimal so far, the situation continues to develop as investigations proceed.
West Midlands police previously arrested a 17-year-old boy from Walsall in July 2024 in connection with a ransomware attack on MGM Resorts, attributed to the notorious Scattered Spider group. It remains unclear if this arrest is linked to the recent detention of another 17-year-old from Walsall over the Transport for London cyber attack.
In June 2024, a 22-year-old U.K. national was arrested in Spain for alleged involvement in multiple ransomware attacks by Scattered Spider, which is part of a larger collective known as The Com, also tracked as 0ktapus, Octo Tempest, and UNC3944. This loose-knit group has engaged in cybercrime, swatting, and even physical violence.
A recent report by EclecticIQ highlights that Scattered Spider has increasingly targeted cloud infrastructures in the insurance and financial sectors, using sophisticated social engineering techniques, buying stolen credentials, conducting SIM swaps, and exploiting cloud-native tools to gain and maintain access.
Security researcher Arda Büyükkaya noted that Scattered Spider often employs phone-based social engineering tactics like vishing and smishing to trick IT service desks and identity administrators. The group also leverages legitimate cloud tools, such as Azure’s Special Administration Console and Data Factory, to execute commands, move data, and sustain persistence while evading detection.