Alleged Scattered Spider Member Extradited to U.S. on Hacking Charges
A dual U.S. and Estonian citizen, 19-year-old **Peter Stokes**, has been extradited to the United States to face charges as an alleged member of the notorious **Scattered Spider** hacking collective. Accused of extorting millions from high-profile companies, Stokes' arrest highlights the ongoing global effort to dismantle sophisticated cybercriminal operations.

**Peter Stokes**, known by online handles such as "Bouquet," "Spencer," and "Jordan," was apprehended in Finland on April 10 while attempting to board a flight to Japan. He now faces charges of fraud, conspiracy, and computer intrusion in the U.S.
### Involvement in High-Profile Breaches
According to court documents, Stokes was allegedly involved in at least four **Scattered Spider** breaches. These incidents, which began when he was just 16 years old, resulted in demands for millions of dollars in ransoms from victim companies.
One notable case cited involved an unnamed multibillion-dollar "luxury item retailer" in May 2025. Hackers, reportedly including Stokes, gained access by impersonating employees and socially engineering the company's IT helpdesk to reset administrator credentials. While an $8 million ransom demand was refused, the company still incurred over $2 million in operational disruptions and remediation costs.

_Peter Stokes (U.S. Department of Justice)_
### The Reach of Scattered Spider
Assistant Attorney General **A. Tysen Duva** stated, "The criminal complaint charges **Peter Stokes** with membership in **Scattered Spider**, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100 million in ransom payments and millions more in damages to the victims." Assistant Director **Brett Leatherman** of the FBI's Cyber Division further emphasized the group's impact, noting their repeated targeting of U.S. companies, employee extortion, significant financial losses, and disruption of essential operations.
Also tracked as **0ktapus**, **Octo Tempest**, **Scatter Swine**, **UNC3944**, and **Muddled Libra**, **Scattered Spider** emerged in 2022. This loosely knit collective primarily consists of teenagers and young adults from the United States and Great Britain.
### Modus Operandi
**Scattered Spider** is renowned for its blend of sophisticated social engineering tactics, including targeted multi-factor authentication (MFA) bombing (also known as MFA fatigue) and SMS credential phishing attacks. Their objective is to steal user credentials and sensitive documents for extortion after breaching target networks.
Prosecutors indicate that the group commonly utilizes the **Genymobile** Android emulator during their MFA attacks and has deployed the **DragonForce** encryptor in ransomware attacks, particularly against UK retail companies.
### A Long List of Victims
The collective's victim list is extensive and includes a roster of high-profile organizations. Among them are **Caesars**, **MGM Resorts**, **Riot Games**, **DoorDash**, **Reddit**, **MailChimp**, **Twilio**, **Allianz Life**, **Transport for London (TfL)**, and several UK retailers such as **Co-op**, **Marks & Spencer (M&S)**, and **Harrods**. More recently, **WestJet** and **Jaguar Land Rover (JLR)** have also fallen victim to their operations.