"Over 100 network intrusions, resulting in more than $100 million in ransom payments," Assistant Attorney General A. Tysen Duva said, summing up a campaign prosecutors say has left businesses and investigators scrambling.
Extradition, court appearance, and charges against Peter Stokes
Peter Stokes, 19, a dual U.S. and Estonian citizen, was extradited from Finland to the United States and appeared in a Chicago federal court on June 30, where a judge ordered him held in custody, the U.S. Department of Justice announced on July 1. Finnish police arrested Stokes in April on an Interpol Red Notice and transferred him to U.S. custody in late June. He faces federal charges of conspiracy, computer intrusion, and fraud.
Allegations, online handle, and seized evidence
Court records identify Stokes by the online handle "Bouquet" and describe at least four intrusions, the first occurring when he was 16. Prosecutors allege one of the intrusions, in May 2025, targeted a luxury jewelry retailer: Stokes and others reportedly copied the retailer's data and demanded about $8 million in cryptocurrency. According to the records, the retailer refused to pay, evicted the intruders, and spent at least $2 million on cleanup. Finnish officers seized two 2-terabyte hard drives when they stopped Stokes at Helsinki airport as he tried to board a flight to Japan.
Scattered Spider's tradecraft and known targets
Scattered Spider is described as a loose, mostly English-speaking group of young people spread across the U.S., U.K., and Europe. Security companies also track the crew under the names Octo Tempest, UNC3944, and 0ktapus. Rather than exploiting software flaws, the group's primary method is social engineering: members phone a company's IT help desk, impersonate a locked-out worker, and persuade staff to reset passwords or approve logins. Once inside, the attackers copy files and threaten to leak them unless paid.
The group is best known for the 2023 attacks on MGM Resorts and Caesars Entertainment that shut down MGM's casino and hotel systems. Through 2025, the crew was linked to attacks on U.K. retailers including Marks & Spencer, Harrods, and Co-op, then moved to U.S. insurers and later airlines — a pattern security researchers describe as moving through one sector at a time.
A wider crackdown and related prosecutions
Stokes' case is one of several prosecutions that have put real names, countries, and court dates to accounts long known only by handles. Recent cases cited by investigators and prosecutors include:
- Tyler Buchanan, 24, from Scotland, who pleaded guilty in a U.S. court in April 2026 to fraud and identity theft. He admitted stealing at least $8 million in cryptocurrency through phishing campaigns that hit companies including Twilio and LastPass, and faces a statutory maximum of 22 years in prison.
- Noah Urban, a member from Florida, who was sentenced in August 2025 to 10 years and ordered to repay about $13 million.
- Thalha Jubair and Owen Flowers, two individuals in the U.K., who pleaded guilty in June 2026 to a 2024 attack on Transport for London. Flowers also admitted conspiring to hack two U.S. health systems, SSM Health and Sutter Health.
How technologists, investigators, and companies are responding
Technologists and security teams: The weak point identified in these intrusions is the help desk, not the firewall. Recommended technical defenses cited in the reporting include stricter identity checks before password resets and the adoption of sign‑in keys that phishing cannot steal. Mandiant reported a lull in attacks tied to the group after the 2025 arrests but warned that other crews are copying the playbook.
Investigators and law enforcement: The hard drives seized in Helsinki matter as much as indictments, prosecutors note — devices taken from one member have in past cases led to others. The April arrest on an Interpol Red Notice and the late-June extradition underline the international cooperation investigators rely on to connect handles to people.
Affected enterprises and procurement leaders: Companies that were targeted spent significant sums recovering from breaches — one jewelry retailer spent at least $2 million on cleanup after refusing an $8 million ransom demand. A joint U.S. and international advisory also warned that intruders, once inside, often lurk in a company's chat tools and may join calls to observe incident response efforts.
Stokes is presumed innocent and his case must still go to trial, but the arc of prosecutions over the past year has begun to turn handles into court dockets. The practical lesson is already plain: social engineering that once allowed young, scattered actors to operate with impunity is now increasingly traceable — and the devices seized while they travel are proving as valuable to investigators as the charges filed in court.
https://thehackernews.com/2026/07/19-year-old-scattered-spider-suspect.html




