Scattered Spider Hacker Extradited to U.S. in Cybercrime Case

www.news4hackers.com-scattered-spider-hacker-extradited-to-u-s-in-cybercrime-case-scattered-spider-hacker-extradited-to-u-s-in-cybercrime-case

A dual United States and Estonian citizen has been transferred to the U.S. to face allegations of involvement with the Scattered Spider hacking group.

Extradition

The individual, identified as 19-year-old Peter Stokes, who operated under online aliases including “Bouquet,” “Spencer,” and “Jordan,” was detained in Finland on April 10 while attempting to board a flight to Japan at Helsinki Airport.

Individual Details

Stokes is accused of participating in ransomware operations targeting numerous high-profile organizations globally. Court records indicate Stokes was implicated in at least four Scattered Spider attacks, including a 2023 breach of an online communication platform when he was 16.

Attacks

The group’s activities resulted in victims paying millions in ransoms. Another incident involved an unnamed multibillion-dollar luxury retailer in May 2025, where attackers reportedly contacted the company’s IT helpdesk, impersonating employees to reset credentials and access administrative accounts.

Legal Charges

Stokes faces charges of fraud, conspiracy, and computer intrusion. He appeared in federal court in Chicago on Tuesday and remains in custody. A statement from the U.S. Department of Justice highlighted that the complaint alleges Stokes’ membership in Scattered Spider, a group linked to more than 100 network intrusions and over $100 million in ransom payments.

Group Background

Scattered Spider, also known by alternate designations such as 0ktapus and UNC3944, emerged in 2022 as a decentralized collective primarily composed of young individuals from the U.S. and United Kingdom.

Tactics

The group employs tactics like social engineering, multi-factor authentication (MFA) fatigue, and SMS-based credential phishing to compromise systems. Prosecutors noted the use of the Genymobile Android emulator during MFA attacks and the deployment of DragonForce ransomware in assaults on UK retail firms.

Victims

  • Caesars
  • MGM Resorts
  • Riot Games
  • DoorDash
  • MailChimp
  • Twilio
  • Allianz Life
  • Transport for London
  • Co-op
  • Marks & Spencer
  • Harrods
  • WestJet
  • Jaguar Land Rover

Security Stats

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen. The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper



About Author

en_USEnglish