"The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100 million in ransom payments and millions more in damages to the victims," said Assistant Attorney General A. Tysen Duva.
Arrest and extradition of Peter Stokes
Peter Stokes, a 19-year-old dual United States and Estonian citizen who used the online handles "Bouquet," "Spencer," and "Jordan," was arrested in Finland on April 10 while attempting to board a flight to Japan at Helsinki's airport. He has been extradited to the United States and, after appearing in federal court in Chicago on Tuesday, has remained in custody.
Federal prosecutors say Stokes now faces charges of fraud, conspiracy, and computer intrusion connected to alleged membership in the hacking collective known as Scattered Spider.
Charges and alleged role in Scattered Spider operations
According to court documents cited by prosecutors, Stokes is accused of participating in at least four Scattered Spider breaches, including a March 2023 compromise of an online communication platform when he was 16 years old. Prosecutors link those breaches to extortion demands that sought millions of dollars from victim companies.
Assistant Director Brett Leatherman of the FBI's Cyber Division said: "Scattered Spider has repeatedly targeted U.S. companies, extorting employees, inflicting millions of dollars in losses, and disrupting essential operations." The criminal complaint describes Scattered Spider as responsible for more than 100 network intrusions and more than $100 million in ransom payments.
Tactics attributed to Scattered Spider: social engineering, MFA bombing, Genymobile, DragonForce
Prosecutors and public reporting list several techniques Scattered Spider allegedly uses to breach networks. The group is said to rely heavily on social engineering and targeted multi-factor authentication (MFA) bombing—also called MFA fatigue—to coerce or trick employees into approving authentication prompts.
The complaint also cites SMS credential phishing attacks to capture user credentials and sensitive documents for extortion leverage. Technical artifacts attributed to the group include routine use of the Genymobile Android emulator during MFA attacks, and deployment of the DragonForce encryptor in ransomware attacks directed at UK retail companies.
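One way a security team could detect the MFA bombing pattern described above in its authentication logs, as an added example that is not from the complaint or the source article. The log schema, event names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 5                   # assumed: failed prompts inside WINDOW that form a burst
FAILED = {"push_denied", "push_timeout"}

# Constructed sample events in a hypothetical schema: timestamp, user, push result.
SAMPLE_LOG = """\
2025-05-01T02:10:05 alice push_denied
2025-05-01T02:10:50 alice push_timeout
2025-05-01T02:11:30 alice push_denied
2025-05-01T02:12:15 alice push_timeout
2025-05-01T02:13:40 alice push_denied
2025-05-01T02:14:10 alice push_approved
2025-05-01T09:00:00 bob push_denied
2025-05-01T09:00:30 bob push_approved
2025-05-01T11:00:00 carol push_timeout
2025-05-01T11:30:00 carol push_timeout
"""

def parse(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, time, kind, failed_count) alerts in time order."""
    failed = defaultdict(deque)  # user -> times of recent failed prompts
    open_burst = set()           # users already alerted for the current burst
    alerts = []
    for ts, user, result in sorted(parse(l) for l in lines if l.strip()):
        q = failed[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if not q:
            open_burst.discard(user)
        if result in FAILED:
            q.append(ts)
            if len(q) >= threshold and user not in open_burst:
                open_burst.add(user)
                alerts.append((user, ts.isoformat(), "burst", len(q)))
        elif result == "push_approved":
            # An approval right after a burst is the outcome the attacker wants.
            if len(q) >= threshold:
                alerts.append((user, ts.isoformat(), "approved_after_burst", len(q)))
            q.clear()
            open_burst.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single denied prompt followed by an approval (bob) and widely spaced timeouts (carol) stay quiet, while the approval that ends alice's burst is the alert to escalate and verify with the user out of band.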
Victims and financial impact, with a detailed retail example
Prosecutors and the complaint name a long list of high-profile victims attributed to Scattered Spider. Organizations cited include Caesars, MGM Resorts, Riot Games, DoorDash, Reddit, MailChimp, Twilio, Allianz Life, Transport for London (TfL), and multiple UK retailers such as Co-op, Marks & Spencer (M&S), and Harrods. More recent victims listed include WestJet and Jaguar Land Rover (JLR).
One detailed allegation involves an unnamed multibillion-dollar "luxury item retailer" breached in May 2025. Prosecutors say the attackers called the company's IT helpdesk, posed as employees to reset credentials, and gained access to administrator accounts. The group allegedly demanded an $8 million ransom, claiming to possess 100 gigabytes of stolen data; the company refused to pay. Still, prosecutors say the company incurred more than $2 million in losses from operational disruption and remediation costs.
What this means for security teams, multinational retailers, and law enforcement
- Security teams and technologists will watch the case for forensic confirmation of techniques prosecutors describe—particularly the use of MFA bombing and the Genymobile emulator—because those practices shift emphasis back to social-engineering defenses and helpdesk authentication controls.
- Multinational retailers and similarly large enterprises will take note of the May 2025 retail example, which shows how account-reset social engineering can yield administrator access and substantial recovery bills even when ransom demands are declined.
- Law enforcement and prosecutors will view the extradition and federal charging of a young alleged member as part of broader efforts to hold collective actors accountable; the complaint frames that work around documented intrusions, ransom figures, and named victims.
The prosecution of Peter Stokes ties a named individual to a pattern prosecutors portray as a prolific, financially damaging campaign of intrusion and extortion. The complaint’s details—specific alleged breaches, named victims, and the techniques cited—will shape both technical defenses and legal strategies as courts and companies respond to the claims.
Source: BleepingComputer — Alleged Scattered Spider hacker extradited to the United States




