Two alleged members of the cybercrime gang Scattered Spider pleaded guilty Monday to carrying out a cyberattack against London's transport authority that disrupted services for months, exposed customer data and cost the organization tens of millions of pounds.

The U.K.'s National Crime Agency (NCA) said Thalha Jubair, 20, from East London, and Owen Flowers, 18, from England's West Midlands, admitted infiltrating the network of Transport for London in September 2024.

Both men had been scheduled to stand trial on Monday but changed their pleas on the first day of proceedings. Sentencing is scheduled for July 16.

Authorities said the pair were members of Scattered Spider, a loosely organized network of predominantly English-speaking cybercriminals linked to a series of high-profile intrusions targeting major U.S. and European companies across sectors including aviation, insurance and retail. U.S. prosecutors have previously alleged that the group extorted at least $115 million from victims over a three-year period.

The attack forced all 28,000 TfL employees to reset their passwords in person and resulted in about 29 million pounds ($38 million) in losses and recovery costs, according to the NCA. Disruptions continued for several months after the initial intrusion.

The breach also affected TfL's customer refund services and exposed data held in the refund system for Oyster,  the smart-ticketing platform used across London's public transportation network. The incident also disrupted applications for discounted Oyster photocards used by children and young people.

Flowers was arrested shortly after the attack in September 2024. Investigators searching his home seized laptops, desktop computers, hard drives and USB devices, the NCA said.

One laptop contained a screenshot showing connections to TfL infrastructure and evidence that Flowers had accessed an online marketplace selling stolen credentials, the NCA said. Investigators also recovered videos allegedly showing Jubair accessing TfL systems during the intrusion.

According to the NCA, the pair communicated via Telegram and collaborated through a shared online workspace while carrying out the attack.

Authorities said evidence uncovered during the investigation also indicated that the networks of U.S. healthcare providers SSM Health Care Corporation and Sutter Health had been infiltrated and damaged. The NCA did not provide further details, but both companies reported large data breaches in 2023.

Flowers later breached his bail conditions on two occasions, while Jubair faced an additional charge for failing to disclose passwords or PINs for seized devices.

The defendants faced some of the most serious charges available under British cybercrime legislation, including conspiracy to commit unauthorized computer acts that create a risk of serious damage to human welfare or national security — offenses that carry a maximum sentence of life imprisonment.

"This has been a lengthy, highly complex and painstaking investigation," Paul Foster, head of the NCA's National Cyber Crime Unit, said in a statement.