Alleged Scattered Spider Hacker Extradited to the United States
What happened
A dual U.S. and Estonian citizen accused of being a member of the Scattered Spider hacking collective has been extradited to the United States. Peter Stokes, 19, was arrested in Finland on April 10 while attempting to board a flight to Japan at Helsinki’s airport. He used the online handles “Bouquet,” “Spencer,” and “Jordan.”
U.S. prosecutors allege that Stokes helped extort millions of dollars from multiple high-profile companies worldwide.
Court documents say Stokes was involved in at least four Scattered Spider breaches. One of those incidents involved a March 2023 hack of an online communication platform, when Stokes was 16 years old.
The list of alleged victims also includes an unnamed multibillion-dollar luxury item retailer that was breached in May 2025. In that incident, the attackers allegedly called the company’s IT help desk while posing as employees, reset credentials, and gained access to administrator accounts.
The attackers demanded an $8 million ransom and claimed to have stolen 100 gigabytes of data. The company refused to pay, but still incurred more than $2 million in operational disruption and remediation costs.
Stokes now faces charges of fraud, conspiracy, and computer intrusion. He remained in custody after appearing in federal court in Chicago.
The Justice Department said Scattered Spider has been involved in more than 100 network intrusions, resulting in more than $100 million in ransom payments and millions more in victim damages.
Scattered Spider is also tracked as 0ktapus, Octo Tempest, Scatter Swine, UNC3944, and Muddled Libra. The group emerged in 2022 as a loosely organized hacking collective largely composed of teenagers and young adults from the United States and Great Britain.
The group is known for social engineering, targeted MFA bombing, SMS credential phishing, and other identity-focused tactics used to steal credentials and sensitive data for extortion.
Who is affected
High-profile companies targeted by Scattered Spider are directly affected, including organizations whose employees, help desks, and identity systems were manipulated through social engineering.
The case is especially relevant to companies with large support operations, distributed workforces, privileged help desk workflows, and systems that allow password resets or MFA changes through human approval.
Organizations in sectors previously targeted by Scattered Spider should pay attention, including gaming, hospitality, retail, technology, transportation, insurance, and other large enterprises.
Employees are also affected because Scattered Spider’s tactics often involve impersonation, harassment, MFA fatigue, and pressure against help desk or support staff.
Why CISOs should care
This case reinforces that Scattered Spider’s strength is not only technical exploitation. The group repeatedly targets identity workflows, support desks, employee trust, and MFA processes to gain access.
For CISOs, the alleged luxury retailer breach is a clear warning. Attackers reportedly gained administrator access by calling the IT help desk and impersonating employees. That turns support procedures into a critical security control.
The scale of alleged Scattered Spider activity is also significant. Prosecutors linked the group to more than 100 intrusions and over $100 million in ransom payments, showing that social engineering-driven intrusion can create enterprise-level financial damage.
The extradition also shows that law enforcement pressure is increasing, but organizations should not treat arrests as risk reduction. Scattered Spider is loosely organized, and similar tactics can continue through affiliates, copycats, or remaining members.
3 practical actions
Harden help desk identity verification: The alleged retailer breach involved attackers calling the help desk to reset credentials and gain administrator access. CISOs should require strong identity proofing, callback procedures, manager verification, and controls for privileged reset requests.
Defend against MFA fatigue and social engineering: Scattered Spider is known for targeted MFA bombing and SMS credential phishing. Security teams should deploy phishing-resistant MFA, number matching, impossible travel detection, and alerts for repeated MFA prompts or unusual reset activity.
Prepare incident response for identity-led intrusions: Scattered Spider attacks often begin with compromised credentials and support workflow abuse. Organizations should plan for rapid session revocation, credential resets, privileged account review, help desk lockdown, and investigation of identity provider logs.
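As an added example (not part of the original article), the alerting named in the second action can be expressed as detection logic over identity provider events, covering repeated MFA prompts and a new factor enrolled soon after a help desk reset. The event names, tuple layout, thresholds and sample log entries are constructed assumptions, not a real identity provider's log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (time, user, event, detail). The schema and the
# event names are assumptions for illustration, not a real IdP log format.
EVENTS = [
    ("2025-05-01T09:00:00", "alice", "mfa_push", "denied"),
    ("2025-05-01T09:00:40", "alice", "mfa_push", "timeout"),
    ("2025-05-01T09:01:30", "alice", "mfa_push", "denied"),
    ("2025-05-01T09:02:10", "alice", "mfa_push", "denied"),
    ("2025-05-01T09:03:00", "alice", "mfa_push", "timeout"),
    ("2025-05-01T09:03:20", "alice", "mfa_push", "approved"),
    ("2025-05-01T09:05:00", "bob", "mfa_push", "denied"),
    ("2025-05-01T09:05:30", "bob", "mfa_push", "approved"),
    ("2025-05-01T10:00:00", "carol", "helpdesk_reset", "password"),
    ("2025-05-01T10:20:00", "carol", "mfa_enroll", "new_device"),
    ("2025-05-01T11:00:00", "dave", "mfa_enroll", "new_device"),
]

def detect(events, window=timedelta(minutes=10), threshold=5,
           reset_window=timedelta(hours=1)):
    """Return (time, user, alert) tuples for MFA prompt bursts and for
    new factors enrolled shortly after a help desk reset."""
    alerts = []
    failed = defaultdict(deque)  # user -> times of recent unapproved pushes
    last_reset = {}              # user -> time of last help desk reset
    for ts, user, event, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "mfa_push":
            q = failed[user]
            while q and t - q[0] > window:   # drop prompts outside the window
                q.popleft()
            if detail in ("denied", "timeout"):
                q.append(t)
                if len(q) == threshold:      # fire once when the burst forms
                    alerts.append((ts, user, "mfa_prompt_burst"))
            elif detail == "approved" and len(q) >= threshold:
                # An approval right after a burst suggests the user gave in.
                alerts.append((ts, user, "approval_after_burst"))
                q.clear()
        elif event == "helpdesk_reset":
            last_reset[user] = t
        elif event == "mfa_enroll":
            r = last_reset.get(user)
            if r is not None and t - r <= reset_window:
                alerts.append((ts, user, "new_factor_after_reset"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The window and threshold values are starting points to tune against normal prompt volume in the environment where the logic runs.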