Alleged Scattered Spider Member Extradited to U.S. on Hacking Charges
A 19-year-old with dual U.S. and Estonian citizenship has been extradited from Finland to face federal charges in Chicago. **Peter Stokes** is accused of participating in the notorious cybercrime group **Scattered Spider**, known for its sophisticated social engineering tactics and high-profile breaches. The indictment highlights a significant data breach targeting a luxury-jewelry retailer and an online communication platform.
This week, **Peter Stokes**, a 19-year-old with dual U.S. and Estonian citizenship, made an initial appearance in federal court in the Northern District of Illinois after being extradited from Finland. The Department of Justice announced that Stokes faces charges of conspiracy, cyber intrusion, and fraud, stemming from his alleged involvement with the cybercrime group **Scattered Spider**.
### The Luxury-Jewelry Retailer Breach
The core of the criminal complaint details a data breach of an unnamed "luxury-jewelry retailer," referred to as **Company F**, which occurred around May 12, 2025. The FBI alleges that Stokes, potentially with other **Scattered Spider** members, exfiltrated data from the company and subsequently demanded an $8 million ransom in cryptocurrency.
According to the complaint, the threat actors employed a sophisticated phishing technique. They impersonated **Company F** employees, requesting password and multi-factor authentication (MFA) resets. Within approximately two to three hours, this method compromised three user accounts, including two belonging to IT administrators with access to high-privilege systems.
### Scattered Spider's Modus Operandi
**Scattered Spider**, a loosely affiliated, English-speaking group, has been linked to numerous high-profile cyberattacks. Their methods often involve **SMS phishing** (smishing) and other social engineering tactics. Past accusations and convictions against alleged members include breaches of U.S. casinos, a federal court system, and a major network disruption at London's transport agency.
Stokes is also accused of unauthorized access to the network of an "online-communication platform," designated as **Company H**, in March 2023. He allegedly used aliases such as "Bouquet," "Spencer," and "Jordan."
### Arrest and Extradition
Stokes was arrested by Finnish authorities in April following an **Interpol Red Notice**. His extradition marks a significant development in the ongoing efforts to apprehend members of sophisticated cybercrime organizations.
### Social Engineering and Technical Tools
In the breach of the jewelry retailer, the FBI states that the suspects utilized **Google Voice** numbers to contact the IT help desk, initiating the password reset requests. Subsequently, they gained access to higher-level accounts.
The criminal operation further leveraged **ngrok**, a legitimate tool used by app developers for managing internet traffic, to establish "persistent unauthorized access" to **Company F's** data center.
Although **Company F** did not pay the $8 million ransom, the incident resulted in approximately $2 million in losses due to business disruption, investigation, and mitigation efforts, with further losses anticipated.
U.S. government estimates suggest that **Scattered Spider** has been involved in over 100 network intrusions, accumulating more than $100 million in ransom payments.