Peter Stokes, a 19-year-old with dual U.S. and Estonian citizenship, was extradited from Finland to Chicago this week to face federal charges connected to alleged participation in the Scattered Spider cybercrime group. Stokes made his initial appearance Tuesday in the Northern District of Illinois, according to the Department of Justice.
The FBI criminal complaint charges Stokes with conspiracy, cyber intrusion, and fraud. The central incident involves a breach of an unidentified luxury jewelry retailer, referred to as Company F, on or around May 12, 2025. Investigators allege that Stokes and other Scattered Spider members stole data from the company and demanded an $8 million ransom in cryptocurrency. The company declined to pay, but the FBI estimates it sustained roughly $2 million in losses from business disruption, investigation, and remediation costs, with further losses anticipated.
Social Engineering at the Core
The attack relied heavily on social engineering. According to the complaint, suspects used Google Voice numbers to call the company’s IT help desk, impersonating employees to request password and multifactor authentication resets. Within two to three hours, three user accounts were compromised, including two belonging to IT administrators with access to high-privilege systems.
The attackers then used ngrok, a legitimate developer tool for tunneling internet traffic, to establish persistent unauthorized access to the company’s data center. The complaint also accuses Stokes of gaining unauthorized access in March 2023 to an online communications platform identified only as Company H.
Background and Arrest
Stokes allegedly operated under the aliases “Bouquet,” “Spencer,” and “Jordan.” Finnish authorities arrested him in April following an Interpol Red Notice. His extradition this week marks one of several enforcement actions targeting members of Scattered Spider, a loosely affiliated, English-speaking group that investigators have linked to SMS phishing campaigns, breaches of major U.S. casinos, unauthorized access to a federal court system, and a significant network disruption affecting London’s transit agency.
The U.S. government estimates Scattered Spider has conducted more than 100 network intrusions and collected over $100 million in ransom payments. Stokes remained in law enforcement custody following Tuesday’s court appearance.
