Two British nationals have pleaded guilty to orchestrating a £39 million ransomware attack on Transport for London (TfL) in 2024, an incident that crippled parts of the capital's transport network. The men, aged 24 and 22, admitted their roles at Southwark Crown Court on Tuesday, with sentencing scheduled for August.
Details of the Attack
The cyber assault, which unfolded in September 2024, targeted TfL's IT systems, encrypting critical data and demanding a ransom of approximately £39 million in cryptocurrency. The attack disrupted real-time travel information, contactless payment systems, and internal communications, affecting millions of passengers. According to the Crown Prosecution Service (CPS), the perpetrators exploited vulnerabilities in TfL's network, gaining access through a phishing email sent to an employee.
Prosecutor Sarah Jones stated, "This was a sophisticated and highly damaging attack that not only cost TfL millions in recovery but also caused significant inconvenience to the public. The guilty pleas reflect the strength of the evidence against them."
Impact on London's Transport
The ransomware crippled TfL's operations for over a week, with tube and bus services experiencing delays as staff reverted to manual systems. The financial toll included £25 million in direct ransom demands, plus £14 million in IT recovery costs and lost revenue. TfL reported that 3.5 million passenger journeys were affected daily during the peak of the disruption.
TfL Chief Technology Officer Mark Davis commented, "We have since overhauled our cybersecurity infrastructure, but this incident was a stark reminder of the threats facing public services. We are grateful for the swift action by law enforcement."
Investigation and Legal Proceedings
The National Crime Agency (NCA) led the investigation, tracing the ransom payments to cryptocurrency wallets linked to the defendants. The pair were arrested in November 2024 after a coordinated operation involving the NCA's Cyber Crime Unit and the Metropolitan Police. They were charged with conspiracy to commit blackmail, unauthorized access to a computer system, and money laundering.
The older defendant, a former IT consultant from Manchester, also admitted to a separate attack on an NHS trust in 2023, while the younger, from Birmingham, had prior convictions for fraud. The court heard that they used encrypted messaging apps to plan the attack and laundered proceeds through overseas accounts.
Broader Implications for Cybersecurity
The case highlights the growing threat of ransomware to critical infrastructure. Security experts estimate that ransomware attacks on UK public services have risen by 40% since 2023, costing billions annually. The NCA has urged organizations to adopt multi-factor authentication and regular backups.
NCA Deputy Director James Turner said, "These guilty pleas send a clear message that cyber criminals will be pursued and brought to justice. We are working with international partners to disrupt the ransomware ecosystem."
Sentencing is set for August 12, with the defendants facing up to 14 years in prison under the Computer Misuse Act.



