Teen Suspected of Scattered Spider Links Extradited to U.S. on Hacking Charges

A 19-year-old man accused of taking part in the Scattered Spider hacking collective has been extradited from Finland to the United States to face federal charges, according to the U.S. Department of J...

A 19-year-old man accused of taking part in the Scattered Spider hacking collective has been extradited from Finland to the United States to face federal charges, according to the U.S. Department of Justice. Prosecutors say Peter Stokes, a dual U.S. and Estonian citizen, is charged with conspiracy, computer intrusion, and fraud.

Stokes appeared in federal court in Chicago on June 30 and was ordered held in custody. Finnish authorities arrested him in April after receiving an Interpol Red Notice, and he was transferred to U.S. custody in late June. Court filings say Stokes used the online alias “Bouquet” and was involved in multiple intrusions, including incidents that allegedly began when he was still a minor.

One of the cases described by investigators involved a luxury jewelry company in May 2025. Prosecutors allege Stokes and others broke into the retailer’s network, copied sensitive data, and demanded roughly $8 million in cryptocurrency. The company did not pay, removed the intruders, and later spent millions of dollars on remediation and recovery work.

Scattered Spider’s tactics

Scattered Spider is widely viewed as a loose, English-speaking cybercrime group made up largely of young operators across the U.S., U.K., and Europe. Security researchers say the group is better known for social engineering than for technical exploits. Its members typically impersonate employees, call help desks, and attempt to persuade staff to reset passwords or approve unauthorized access.

Once inside a target environment, the attackers often steal data and threaten to publish it unless a ransom is paid. The group has been linked to major incidents involving casinos, retailers, insurers, and airlines, and is also tracked under names including Octo Tempest, UNC3944, and 0ktapus.

A wider law-enforcement push

Stokes’ extradition comes amid a broader international crackdown on individuals associated with the group. Several other alleged or admitted members have recently faced charges or sentencing in the U.S. and U.K., including cases tied to phishing campaigns, cryptocurrency theft, and intrusions at transportation and healthcare organizations.

  • Investigators say the group has carried out extensive network intrusions tied to ransom demands.
  • Recent cases suggest authorities are increasingly able to match online aliases to real-world identities.
  • Security firms continue to warn that the same social engineering methods remain effective against poorly protected help desks.

Although Stokes is presumed innocent unless proven guilty, prosecutors and researchers say the case reflects a broader trend: coordinated law-enforcement efforts are beginning to catch up with crews that once relied on anonymity, mobility, and social engineering to stay ahead of investigators.