
Alleged Scattered Spider member Peter Stokes, 19, was extradited from Finland to the U.S. over hacking, fraud, and extortion charges.
Peter Stokes, 19, an alleged Scattered Spider member known online as “Bouquet,” has been extradited from Finland to the U.S. to face hacking, fraud, and extortion charges. Prosecutors say he took part in multiple cyberattacks, including a 2025 breach of a luxury jewelry retailer where attackers allegedly stole data and demanded about $8 million in cryptocurrency.
“Among other offenses, the complaint alleges that Stokes and other co-conspirators breached a luxury jewelry retailer’s computer system, exfiltrated data from the company, and made a ransom demand of approximately $8 million in cryptocurrency in May 2025.” reads the press release published by DoJ. “The retailer’s security personnel successfully evicted the threat actors from the company’s computer network and no ransom was paid. The retailer nonetheless suffered a loss of at least $2 million due to business disruption, investigation, and mitigation of the threat.”
He was arrested in Finland in April on an Interpol Red Notice.
U.S. officials said Scattered Spider (aka Octo Tempest, UNC3944, and 0ktapus) has caused major disruption by targeting American companies, stealing data, encrypting systems, and demanding cryptocurrency payments. The FBI warned the group has cost businesses millions of dollars and disrupted critical operations. Authorities pledged to continue working with international partners to identify, disrupt, and prosecute members of the group, regardless of where they operate.
The cybercrime group is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.
Scattered Spider members are part of a broader cybercriminal community called “The Com,” where hackers brag about high-profile cyber thefts, typically initiated through social engineering tactics like phone, email, or SMS scams to gain access to corporate networks.
“The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100 million in ransom payments and millions more in damages to the victims,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “The charges unsealed today are the result of years of work by the Criminal Division, the U.S. Attorney’s Office for the Northern District of Illinois, and the FBI. We will continue to partner to ensure that cybercriminals cannot evade the reach of the United States.”
The case is part of the FBI’s Operation Riptide, a long-term effort to disrupt cybercriminals, their infrastructure, and financial networks. Americans reported more than $20 billion in cybercrime losses last year, up 26% from the previous year.
In April 2026, Tyler Buchanan, a 24-year-old from Scotland, also linked to the Scattered Spider group, admitted in a US court that he hacked dozens of companies, committed fraud, and stole millions in cryptocurrency. Spanish police arrested the British national in Palma de Mallorca while attempting to fly to Italy. During the arrest, police confiscated a laptop and a mobile phone. The arrest resulted from a joint operation conducted by the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.
In April 2025, Noah Urban, 20, linked to Scattered Spider (UNC3944), pleaded guilty in Florida and California to conspiracy, wire fraud, and identity theft. He admitted involvement in phishing and fraud operations, including stealing at least $800,000 in crypto from victims between Aug 2022 and Mar 2023. He also helped export stolen data and run multi-state cybercrime activities tied to the group.
In November 2025, two British teenagers, Thalha Jubair (19) and Owen Flowers (18), accused of links to Scattered Spider, pleaded not guilty in Southwark Crown Court to charges under the Computer Misuse Act. They are alleged to have conspired in a cyberattack against Transport for London (TfL) in 2024. Both were arrested in September by the NCA and formally denied the accusations in court.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)



