VYPR
Breach · Published Jul 1, 2026 · 1 source

Teen Suspect in Scattered Spider Hacks Extradited to U.S.

A 19-year-old dual citizen of the U.S. and Estonia, allegedly linked to the Scattered Spider cybercrime group, has been extradited from Finland to Chicago to face federal charges.

A 19-year-old man with dual U.S. and Estonian citizenship has been extradited from Finland to Chicago to face criminal charges for his alleged involvement in hacks as part of the Scattered Spider cybercrime group. Peter Stokes appeared in federal court in the Northern District of Illinois on Tuesday, where the Department of Justice announced the FBI's criminal complaint against him, which includes charges of conspiracy, cyber intrusion, and fraud.

The core of the complaint centers on a data breach that occurred around May 12, 2025, targeting an unnamed luxury jewelry retailer, referred to as Company F. According to the FBI, Stokes and potentially other Scattered Spider members stole data from the company and subsequently demanded an $8 million ransom in cryptocurrency. The attackers reportedly used a social engineering tactic, impersonating Company F employees to request password resets and multifactor authentication changes for three user accounts, including those of IT administrators with high-privilege access. This impersonation technique allowed them to compromise these accounts within a few hours.

Scattered Spider, a loosely affiliated group of English-speaking threat actors, has been implicated in a range of illicit activities, including SMS phishing scams, breaches of U.S. casinos and a federal court system, and a significant network disruption affecting London's transport agency. The unsealed complaint also alleges that Stokes gained unauthorized access in March 2023 to the network of an online communication platform, designated as Company H.

Stokes, who allegedly operated under aliases such as "Bouquet," "Spencer," and "Jordan," was apprehended by Finnish authorities in April following an Interpol Red Notice. The Department of Justice confirmed his arrest, which had been previously reported by the Chicago Tribune. Following his court appearance, Stokes was remanded into law enforcement custody.

In the breach of the jewelry retailer, the FBI detailed how the suspects used Google Voice numbers to contact the IT help desk and initiate the password reset process. They then employed ngrok, a legitimate tunneling tool that developers use to expose local services to the internet, to establish persistent unauthorized access to the company's data center. This allowed them to exfiltrate sensitive data.
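For defenders, the help desk pattern described in the complaint (password resets and MFA changes on several accounts, including IT administrators, within a few hours) is something identity audit logs can surface. The Python below is an added example, not part of the original article or the FBI complaint; the event fields, account names, timestamps, and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (not from the complaint).
EVENTS = [
    ("2025-01-06T09:02", "asmith",    "password_reset", "helpdesk", False),
    ("2025-01-06T09:10", "asmith",    "mfa_change",     "helpdesk", False),
    ("2025-01-06T10:15", "it-admin1", "password_reset", "helpdesk", True),
    ("2025-01-06T10:21", "it-admin1", "mfa_change",     "helpdesk", True),
    ("2025-01-06T11:40", "it-admin2", "mfa_change",     "helpdesk", True),
    ("2025-01-06T11:44", "it-admin2", "password_reset", "helpdesk", True),
    ("2025-01-06T13:00", "bjones",    "password_reset", "self",     False),
    ("2025-01-07T16:30", "bjones",    "mfa_change",     "self",     False),
    ("2025-01-06T14:00", "cdoe",      "password_reset", "helpdesk", False),
]

def reset_mfa_pairs(events, window=timedelta(minutes=30)):
    """Accounts with a help-desk password reset and MFA change inside `window`."""
    last = {}   # (account, action) -> time of most recent help-desk event
    hits = {}   # account -> {"time": when the pair completed, "privileged": bool}
    for ts, account, action, initiator, privileged in sorted(events):
        if initiator != "helpdesk":
            continue  # self-service changes are out of scope for this rule
        when = datetime.fromisoformat(ts)
        other = "mfa_change" if action == "password_reset" else "password_reset"
        prev = last.get((account, other))
        if prev is not None and when - prev <= window:
            hits.setdefault(account, {"time": when, "privileged": privileged})
        last[(account, action)] = when
    return hits

def burst_alert(hits, min_accounts=3, span=timedelta(hours=4)):
    """Return the accounts if >= min_accounts were hit within `span`, else []."""
    ordered = sorted(hits.items(), key=lambda kv: kv[1]["time"])
    for i in range(len(ordered)):
        group = [a for a, h in ordered[i:]
                 if h["time"] - ordered[i][1]["time"] <= span]
        if len(group) >= min_accounts:
            return group
    return []

if __name__ == "__main__":
    hits = reset_mfa_pairs(EVENTS)
    for account, h in hits.items():
        print("HIGH" if h["privileged"] else "MEDIUM", account, h["time"])
    print("burst:", burst_alert(hits))
```

Privileged accounts that match are reported at the higher severity, and the burst check escalates when several accounts are changed through the help desk in one short span.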

Although the jewelry retailer did not pay the $8 million ransom demand, the FBI estimates that the company incurred approximately $2 million in losses due to business disruption, investigation, and mitigation efforts, with further losses anticipated. The U.S. government estimates that Scattered Spider has been responsible for over 100 network intrusions and has collected more than $100 million in ransom payments.

This extradition highlights the ongoing international efforts to apprehend and prosecute individuals involved in sophisticated cybercrime operations. The case against Stokes is expected to shed further light on the methods and scope of Scattered Spider's activities.

Synthesized by Vypr AI