Scattered Spider Member Extradited After Finland Arrest
Peter Stokes, 19, a dual US-Estonian citizen operating under the alias "Bouquet", has been extradited to the United States to face federal criminal charges for his alleged membership in the Scattered Spider hacking collective. Stokes was arrested in Finland in April 2026 while attempting to board a flight to Japan — a detail that underscores both his international footprint and the growing global law enforcement net closing around the group.
He has been indicted on counts of conspiracy, computer intrusion, and fraud. At 19, Stokes is among the youngest defendants charged in connection with the Scattered Spider enterprise.
The Alleged Crime: $8 Million Ransom Demand
Prosecutors allege that in May 2025, Stokes and co-conspirators infiltrated the systems of a luxury jewelry retailer, stole sensitive data, and demanded $8 million in cryptocurrency as ransom. The retailer successfully expelled the attackers and refused to pay — but the incident caused approximately $2 million in business disruption and investigative costs. The victim organization has not been publicly identified.
The attack followed the group's established playbook: social engineering followed by credential theft, network intrusion, data exfiltration, and extortion.
Scattered Spider: A Prolific English-Language Cybercrime Group
Scattered Spider — also tracked as 0ktapus, Muddled Libra, and UNC3944 — has established itself as one of the most disruptive English-language cybercriminal groups of the past several years. The collective is known for its sophisticated social engineering campaigns, particularly targeting identity providers like Okta and Salesforce.
Prosecutors allege the group is collectively responsible for:
- Over 100 confirmed network intrusions
- More than $100 million in ransom payments received
- Breaches of MGM Resorts and Caesars Entertainment in 2023
- The 2022 0ktapus campaign targeting over 130 organizations via SMS phishing
The group primarily targets helpdesk staff, using voice phishing (vishing) and SMS-based social engineering to impersonate employees and bypass multi-factor authentication — a technique that does not require any technical exploit, only convincing human manipulation.
International Prosecutions Accelerating
Stokes's extradition is the latest in a string of prosecutions against Scattered Spider members. Multiple individuals have faced US federal charges in recent years, with several already having pleaded guilty or received prison sentences. The arrest in Finland while attempting to flee to Japan signals that international law enforcement coordination targeting the group has become highly effective.
The case highlights several trends in cybercrime enforcement:
- Younger defendants are increasingly being charged, reflecting the group's recruitment of teenagers and young adults through gaming communities and social networks
- International cooperation is enabling arrests far from US jurisdiction, with Finland, the UK, and other partners sharing intelligence and extraditing suspects
- Prosecution timelines are compressing — the May 2025 incident led to extradition by mid-2026, a relatively fast turnaround for international cybercrime cases
Recommendations for Organizations
Scattered Spider's techniques rely on human vulnerability rather than zero-days, making traditional technical defenses insufficient on their own. Organizations should:
- Implement phishing-resistant MFA (hardware keys, passkeys) rather than SMS or app-based codes that can be social-engineered
- Train helpdesk staff on vishing attacks — particularly impersonation of employees requesting password resets or MFA changes
- Require out-of-band verification for all identity-related changes, using a separate pre-registered contact method
- Monitor for anomalous Okta/Entra ID sign-ins, particularly from new devices or unusual locations
References
- SecurityWeek: Alleged Scattered Spider Hacker Extradited to US
- DOJ Indictment — Peter Stokes (Bouquet), conspiracy and computer fraud charges
- CISA Advisory: Scattered Spider Threat Actor Tactics (AA23-320A)