US seeks extradition of alleged Scattered Spider hacker arrested in Finland

 


The US Department of Justice has reportedly filed charges against a 19-year-old alleged member of the hacking collective known as Scattered Spider, following his arrest in Finland earlier this month.

Peter Stokes, a dual citizen of the United States and Estonia known online as “Bouquet,” was apprehended on April 10 at Helsinki Airport while attempting to board a flight to Japan. Authorities say he was carrying multiple electronic devices, including two two-terabyte hard drives, at the time of his arrest.

US prosecutors are now seeking Stokes’ extradition to Chicago, where he faces a six-count criminal complaint including charges of wire fraud, conspiracy, and computer intrusion. The complaint, initially filed under seal in December and later briefly made public, alleges that Stokes was involved in at least four cyberattacks linked to Scattered Spider, some dating back to when he was just 16 years old.

According to investigators, Stokes played a role in breaches that cost victim companies millions of dollars. One incident in May 2025 targeted a major luxury retailer, where hackers allegedly impersonated employees in calls to IT help desks to reset authentication credentials and gain access to internal systems. The attackers later claimed to have stolen large volumes of data and demanded an $8 million ransom. Although the company refused to pay, it still suffered more than $2 million in damages linked to disruption and recovery efforts.

Authorities also said that Stokes had led a lavish lifestyle, citing social media posts showing international travel to destinations including Dubai, Thailand, and Mexico, along with stays in high-end hotels and displays of cash and jewelry. Prosecutors allege this lifestyle was funded through cybercrime proceeds.

Scattered Spider (aka 0ktapus, Octo Tempest, UNC3944, Starfraud, Scatter Swine, and Muddled Libra), which emerged around 2022, is a loosely organized and highly adaptive hacking collective formed largely of teenagers and young adults from the US and UK. Scattered Spider operates as a decentralized network, with members collaborating in smaller clusters and often communicating via encrypted messaging platforms.

Scattered Spider uses social engineering to conduct phishing campaigns via SMS (so-called “smishing”), tricking victims into entering credentials on fake login pages. They are also known for “MFA fatigue” attacks, in which repeated authentication requests are sent to a target until the user approves one out of frustration. In some cases, attackers directly call employees while posing as IT staff to convince them to grant access.

Once inside a network, the group often escalates privileges, accesses sensitive data, and uses the threat of public leaks as leverage for extortion. The group has also conducted cryptocurrency theft and SIM-swapping attacks.

High-profile victims attributed to Scattered Spider include major corporations such as Caesars Entertainment and MGM Resorts, as well as technology firms and service providers like Twilio, Mailchimp, Riot Games, Reddit, and DoorDash. The group has also been linked to attacks on financial institutions and retailers in both the United States and the United Kingdom, including Marks & Spencer, Co-op, and Harrods, as well as WestJet and Jaguar Land Rover.

Earlier this month, a key member of the Scattered Spider cybercrime group pleaded guilty in the US to charges linked to a wide-ranging hacking and fraud scheme that netted millions of dollars in stolen cryptocurrency. Prosecutors say that Tyler Buchanan and his co-conspirators targeted at least a dozen companies and stole more than $8 million from victims across the United States.

