19-Year-Old 'Scattered Spider' Member Brought to US in $8M Cryptocurrency Extortion Case

Authorities have brought charges against 19-year-old Peter Stokes in the United States for his purported involvement in a hacking collective's failed attempt to extort $8 million in cryptocurrency.

Authorities have extradited a teenage individual believed to be connected with the notorious "Scattered Spider" cybercriminal organization to the United States to face allegations concerning his participation in an $8 million cryptocurrency extortion attempt.

On Wednesday, the US Justice Department announced that Peter Stokes, a 19-year-old dual citizen of the United States and Estonia, had been taken into custody in Finland in April following an Interpol Red Notice. He was transferred to the United States last week and made his initial appearance before a federal court in Chicago on Tuesday.

The criminal complaint made public during the court proceedings alleges that Stokes, working alongside accomplices, infiltrated the computer infrastructure of a high-end jewelry retail company in May 2025, extracted sensitive information and then demanded a cryptocurrency ransom payment totaling $8 million. According to the complaint, the retail company removed the intruders from its network and refused to pay the ransom, though it incurred approximately $2 million in damages related to business disruption.

Stokes represents one of the limited number of apprehensions that law enforcement agencies have successfully connected to Scattered Spider, a group known for frequently demanding crypto ransoms. During the previous year, ransomware threat actors collected over $820 million in ransom payments, representing an 8% decrease compared to 2024, despite the fact that the number of attacks increased by 50%.

A photograph obtained by the FBI from Stokes' Snapchat profile depicts him displaying a necklace bearing the phrase "Hack the Planet," which originates from the 1995 cult classic movie "Hackers." Source: US Department of Justice

Alleged hack started with phishing call

The complaint details that the intrusion targeting the jewelry retail business commenced with multiple phishing telephone calls placed to the organization's technology support helpdesk, during which Stokes and his co-conspirators allegedly impersonated legitimate employees seeking password and login credential resets.

Law enforcement officials allege that the cybercriminals gained unauthorized access to three employee accounts within just two hours. Two of these compromised accounts belonged to information technology administrators at the company, which gave the attackers access to elevated-privilege accounts that were subsequently breached and used to penetrate the organization's computer systems.

Following several days of unauthorized access, Stokes and his alleged accomplices transmitted a ransom message utilizing a compromised corporate email account to extort payment under the threat of releasing sensitive credit card and customer payment data to the public.

Nevertheless, according to the complaint, the targeted organization successfully defended against and eliminated the security breach, after which the attackers made separate contact with the company to issue demands for $8 million in ransom payments, which the organization declined to fulfill.

Stokes allegedly involved in "numerous intrusions"

The legal complaint identifies Stokes, who operates under the digital aliases "Bouquet" and "Jordan," as a "Scattered Spider member who has engaged in numerous intrusions, or assisted in them" targeting several companies whose identities remain undisclosed.

Law enforcement agencies assert that forensic examination of a storage device purportedly associated with Stokes revealed that it held downloaded data from a virtual private server that Microsoft had previously identified as infrastructure utilized for executing intrusions against corporate targets.

The complaint further alleges that the device also "contained exfiltrated records from multiple victim-companies."

According to the complaint, Stokes' Snapchat profile demonstrates "substantial wealth for a person his age." The complaint also alleges that he used the social media platform to boast "about his international travel and wealth, and sent media regarding apprehended Scattered Spider members."

The Justice Department stated that Scattered Spider, which is also known as "Octo Tempest," "UNC3944," and "0ktapus," has been implicated in more than 100 network breaches, generating more than $100 million in extortion payments and inflicting millions of additional dollars in associated damages.

Stokes faces six separate criminal counts covering offenses related to computer hacking, cyber extortion, fraud and criminal conspiracy.