Scattered Spider Suspect, 19, Extradited From Finland to Chicago

Peter Stokes, a dual U.S.-Estonian citizen, faces conspiracy, intrusion and fraud charges tied to the loose-knit crew behind a string of high-profile enterprise breaches.

ThreatVectr Newsdesk· 2 min read
Scattered Spider Suspect, 19, Extradited From Finland to Chicago
Share

A 19-year-old accused of running with Scattered Spider is now in U.S. custody, extradited from Finland to face charges in Chicago federal court.

Peter Stokes, a dual U.S. and Estonian citizen, was ordered detained on June 30 following his first appearance. The Justice Department confirmed the extradition on July 1. He faces counts of conspiracy, computer intrusion and wire fraud.

Scattered Spider — tracked variously as UNC3944, Octo Tempest and 0ktapus — isn't a formal ransomware crew in the RaaS mould. It's a loose, English-speaking collective, heavy on Western teenagers, known for aggressive social engineering: SIM swaps, help-desk impersonation, MFA fatigue. Members have partnered with ALPHV/BlackCat and, more recently, RansomHub and DragonForce to monetise access through encryption and extortion.

The group's résumé is expensive. The September 2023 intrusions at MGM Resorts and Caesars Entertainment are the marquee cases. Caesars paid a reported $15 million ransom. MGM refused and later disclosed roughly $100 million in operational impact. Insurers, retailers and telecoms have all featured on the target list since.

Stokes is the latest in a slow-drip series of arrests. U.K. authorities detained a suspected member in Spain last year. Florida charged Noah Urban, who later pleaded guilty. Five others were indicted in California in late 2024 on charges tied to phishing campaigns against telecom and crypto firms.

What's notable about the Finnish handover is the speed. Extradition from EU states on cybercrime charges typically runs 12 to 24 months. Court records don't yet detail which specific intrusions Stokes is alleged to have participated in, or what role — access broker, phisher, on-keyboard operator — prosecutors will attribute to him.

The indictment, unsealed in the Northern District of Illinois, isn't public in full. A detention memo cited flight risk and the transnational nature of the alleged conduct. Stokes did not enter a plea at the initial appearance.

For defenders, the arrests don't change the threat model much. Scattered Spider's tradecraft has always been human-layer: convincing a service desk to reset an MFA token, phishing an Okta credential, pivoting from identity into cloud. Those techniques don't require the arrested individuals. The playbook has already been copied by adjacent crews, and the group's Telegram-native recruiting pipeline keeps refilling the bench.

Prosecutors have signalled more indictments are likely. Stokes' next hearing is scheduled in Chicago, where he remains in federal custody pending arraignment. If convicted on the top counts, he faces a statutory maximum north of 20 years — though sentencing for cooperators in prior Scattered Spider cases has trended lower.

The FBI's Chicago field office is leading the investigation, with assistance from Finland's National Bureau of Investigation.

© 2026 Threat Vectr