A 19-year-old dual United States and Estonian citizen has been extradited to the US to face federal charges alleging membership in the Scattered Spider hacking collective. Peter Stokes, who operated under the online handles “Bouquet,” “Spencer,” and “Jordan,” was arrested in Finland on April 10 while attempting to board a flight to Japan at Helsinki’s airport. He appeared in federal court in Chicago and has remained in custody.

According to court documents, Stokes is accused of participating in at least four Scattered Spider intrusions, the earliest of which occurred in March 2023 when he was 16 years old and targeted an online communications platform. His alleged involvement extended into 2025, including a breach of an unnamed multibillion-dollar luxury goods retailer in May 2025.

Social Engineering and Extortion

In the 2025 retailer incident, attackers allegedly called the company’s IT helpdesk while impersonating employees, successfully resetting credentials and gaining access to administrator accounts. The group then demanded an $8 million ransom, claiming to possess 100 gigabytes of stolen data. The company refused to pay but still incurred more than $2 million in operational disruption and remediation costs.

Assistant Attorney General A. Tysen Duva stated that the criminal complaint ties Stokes to a group involved in over 100 network intrusions, resulting in more than $100 million in ransom payments plus additional victim losses. FBI Cyber Division Assistant Director Brett Leatherman noted the group has repeatedly targeted US companies, extorting employees and disrupting essential operations.

Scattered Spider Tactics and Scope

Scattered Spider, also tracked under designations including 0ktapus, Octo Tempest, UNC3944, and Muddled Libra, emerged in 2022 as a loosely organized collective primarily composed of teenagers and young adults from the US and UK. The group is well known for combining social engineering, MFA fatigue attacks, and SMS-based credential phishing to compromise enterprise environments.

Prosecutors noted the group commonly employs the Genymobile Android emulator during MFA attacks and has deployed the DragonForce encryptor in ransomware campaigns against UK retail targets. High-profile victims attributed to the collective include Caesars, MGM Resorts, Riot Games, Transport for London, Marks and Spencer, Co-op, Harrods, WestJet, and Jaguar Land Rover, among others.

Stokes faces charges of fraud, conspiracy, and computer intrusion. His extradition follows a broader pattern of law enforcement action against Scattered Spider members over the past year.