Alleged Scattered Spider hacker extradited to the United States

A dual United States and Estonian citizen has been extradited to the U.S. to face charges alleging he was a member of the Scattered Spider hacking collective.
19-year-old Peter Stokes (who used the online handles "Bouquet," "Spencer," and "Jordan") was arrested in Finland on April 10 while attempting to board a flight to Japan at Helsinki's airport and is accused of having helped extort millions of dollars from multiple high-profile companies worldwide.
According to court documents, Stokes was involved in at least four Scattered Spider breaches (including a March 2023 hack of an online communication platform, when he was 16 years old) that led to victim companies being asked to pay millions of dollars in ransoms.
The list of victims breached with the suspect's help also includes an unnamed multibillion-dollar "luxury item retailer" in May 2025, when the hackers allegedly called the company's IT helpdesk, posing as employees, to reset credentials and gain access to administrator accounts.
While the threat actors demanded an $8 million ransom, claiming to have 100 gigabytes of stolen data, the company refused to pay. However, it still incurred over $2 million due to operations disruption and remediation costs.
Stokes now faces charges of fraud, conspiracy, and computer intrusion and has remained in custody after appearing in federal court in Chicago on Tuesday.

"The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100 million in ransom payments and millions more in damages to the victims," said Assistant Attorney General A. Tysen Duva on Wednesday.
"Scattered Spider has repeatedly targeted U.S. companies, extorting employees, inflicting millions of dollars in losses, and disrupting essential operations," added Assistant Director Brett Leatherman of the FBI's Cyber Division.
Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, UNC3944, and Muddled Libra) emerged in 2022 as a loosely knit hacking collective mainly composed of teenagers and young adults from the United States and Great Britain.
They are known for using a blend of social engineering, targeted multi-factor authentication (MFA) bombing (aka MFA fatigue), and SMS credential phishing attacks to steal user credentials and sensitive documents for extortion leverage after breaching their targets' networks.
According to prosecutors, they commonly use the Genymobile Android emulator during their MFA attacks and have also deployed DragonForce encryptor in ransomware attacks against UK retail companies.
Scattered Spider's list of victims includes many high-profile organizations, including Caesars, MGM Resorts, Riot Games, DoorDash, Reddit, MailChimp, Twilio, Allianz Life, Transport for London (TfL), multiple UK retailers such as Co-op, Marks & Spencer (M&S), and Harrods, and, more recently, WestJet and Jaguar Land Rover (JLR).
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepapersource: BleepingComputer

