Alleged Scattered Spider member, 19, extradited to the US after airport arrest
Peter Stokes, a dual US-Estonian citizen picked up in Helsinki in April, is accused of helping the notorious hacking crew squeeze millions from big-name companies.

Key points
- Peter Stokes, 19, a dual US and Estonian citizen, has been extradited to the United States and appeared in federal court in Chicago this week.
- Finnish authorities arrested him at Helsinki airport on April 10, 2025, as he tried to board a flight to Japan.
- Prosecutors say he took part in at least four break-ins linked to the hacking group Scattered Spider, including one when he was 16.
- The US Department of Justice says Scattered Spider is tied to more than 100 network intrusions and over $100 million in ransom payments.
- Charges include fraud, conspiracy and computer intrusion.
A teenager accused of running with one of the most disruptive hacking crews of the past three years is now in a Chicago jail cell.
Peter Stokes is 19. He holds both US and Estonian citizenship, and online he went by "Bouquet," "Spencer," and "Jordan." Finnish police grabbed him at Helsinki airport in April as he tried to fly to Japan. This week, US prosecutors got their hands on him.
The case, first reported by BleepingComputer, accuses Stokes of being part of Scattered Spider — a loose group of mostly young English-speaking hackers that has tormented big companies since 2022. The Justice Department says the group is behind more than 100 break-ins and over $100 million in ransom payments.
How did the hackers actually get in?
Mostly by talking their way past the front desk. Scattered Spider is famous for social engineering, which is a fancy term for tricking humans over the phone or by text message.
Court papers describe one alleged job from May 2025 against an unnamed "luxury item retailer" worth billions. The hackers reportedly rang the company's IT helpdesk, pretended to be staff, and got the helpdesk to reset passwords. That gave them keys to powerful administrator accounts — the kind of accounts that can turn off security tools and open every door inside a network.
They demanded $8 million and claimed to be holding 100 gigabytes of stolen files. The retailer refused. It still spent more than $2 million cleaning up and dealing with disrupted operations.
Prosecutors say Stokes was involved in at least four such intrusions. One of them, a March 2023 hack of an online communication platform, happened when he was 16.
Who is Scattered Spider?
Security companies track the group under a pile of names: 0ktapus, Octo Tempest, Scatter Swine, UNC3944, Muddled Libra. Different label, same crew — teenagers and twenty-somethings, mostly from the US and the UK, coordinating over chat apps.
Their toolkit is less about clever code and more about wearing down people. They send floods of login approval prompts to a victim's phone until the tired employee taps "yes" — a trick known as MFA fatigue, where MFA means multi-factor authentication, the second step (usually a phone tap or code) that is supposed to stop stolen passwords from working on their own.
They also send fake login text messages, and prosecutors say they run Genymobile, an Android phone emulator, to make their fake logins look like they come from a normal handset. In some UK attacks they deployed DragonForce, a strain of ransomware — malicious software that scrambles a company's files until a payment is made.
The victim list reads like a tour of the modern economy. Caesars. MGM Resorts. Riot Games. DoorDash. Reddit. MailChimp. Twilio. Allianz Life. Transport for London. UK retailers Co-op, Marks & Spencer and Harrods. More recently, airline WestJet and carmaker Jaguar Land Rover.
What this means for ordinary people
If you shopped, flew or held an account with any of the named companies, treat unexpected password reset emails and "verify your identity" texts with suspicion. Type the company's address into your browser yourself rather than tapping links.
Stokes remains in custody. He faces fraud, conspiracy and computer intrusion charges. Scattered Spider, as a group, is still very much in business.



