A young individual accused of being part of the hacker group Scattered Spider has been extradited from Finland to the United States to face charges of conspiracy, computer intrusion, and fraud, as confirmed by the U.S. Department of Justice on July 1.
Peter Stokes, a 19-year-old with dual U.S. and Estonian citizenship, appeared in a federal court in Chicago on June 30, where he was ordered to remain in custody.
In April, Finnish authorities arrested him based on an Interpol Red Notice, leading to his extradition at the end of June. This arrest is part of a series aimed at a group responsible for breaches in various sectors such as casinos, retailers, and airlines.
Court documents reveal that Stokes, known online as “Bouquet,” was involved in at least four intrusions, with the first occurring when he was only 16 years old. One notable incident took place in May 2025 when he and accomplices hacked into a luxury jewelry retailer, stole data, and demanded around $8 million in cryptocurrency as ransom.
When the retailer refused to pay, Stokes and his group were removed, and the retailer had to spend over $2 million on cleanup. Finnish authorities seized two 2-terabyte hard drives from Stokes when he was apprehended at Helsinki airport trying to board a flight to Japan.
Unveiling Scattered Spider
Scattered Spider is not your typical criminal organization but rather a loosely affiliated group primarily made up of young individuals, many of whom are teenagers, scattered across the U.S., U.K., and Europe.
Also known as Octo Tempest, UNC3944, and 0ktapus, the group’s modus operandi revolves around social engineering rather than technical hacking. Their approach involves tricking employees by posing as legitimate users locked out of their accounts, convincing staff to reset passwords or grant unauthorized access. Once inside, they threaten to leak sensitive information unless a ransom is paid.
The group gained notoriety for their 2023 cyberattacks on MGM Resorts and Caesars Entertainment, causing disruptions to MGM’s operations. Subsequent attacks targeted prominent U.K. retailers like Marks & Spencer, Harrods, and Co-op, followed by U.S. insurers and airlines, demonstrating a systematic progression through different industries.
Assistant Attorney General A. Tysen Duva stated that Scattered Spider has been involved in more than 100 network intrusions, resulting in over $100 million in ransom payments.
Crackdown on Cybercrime
Stokes’ apprehension is part of a broader crackdown on the activities of Scattered Spider, transitioning from anonymous online handles to real-world identities with legal consequences. Recent cases involving members of the group include:
- Tyler Buchanan, a Scottish national, pleaded guilty in a U.S. court in April 2026 to fraud and identity theft, admitting to stealing millions in cryptocurrency through phishing campaigns targeting companies like Twilio and LastPass.
- Noah Urban from Florida received a 10-year sentence in August 2025 and was ordered to repay approximately $13 million.
- Thalha Jubair and Owen Flowers, both from the U.K., pleaded guilty in June 2026 to a 2024 attack on Transport for London and other cybercrimes involving U.S. health systems.
Enhancing Cybersecurity
Despite the arrests, the threat posed by groups like Scattered Spider persists, with other criminal organizations replicating their tactics. Security experts recommend focusing on strengthening identity verification processes and implementing safeguards to prevent phishing attacks.
A joint U.S. and international advisory emphasizes the importance of monitoring chat platforms within a company’s network to detect and respond to potential breaches effectively.
While Stokes is innocent until proven guilty, the seizure of electronic devices in Helsinki could uncover further leads in ongoing investigations. The legal actions against Scattered Spider members underscore the shift towards holding cybercriminals accountable, regardless of their age or geographic location.

