Mon 06 Jul 2026 / 14:18 ET
Kernel
Security 3 min read

Accused Scattered Spider member extradited to Chicago from Finland

Peter Stokes, 19, faces U.S. charges tied to alleged social-engineering hacks, including a 2025 jewelry retailer breach and $8 million ransom demand.

Mara Chen-Doyle

By Mara Chen-Doyle / Staff Writer

Accused Scattered Spider member extradited to Chicago from Finland
img: The Record

A 19-year-old accused of taking part in Scattered Spider hacking operations has been extradited from Finland to Chicago, where federal prosecutors say he helped break into company networks using help-desk social engineering.

Peter Stokes, a dual citizen of the United States and Estonia, appeared Tuesday in the U.S. District Court for the Northern District of Illinois, the Department of Justice said. An FBI criminal complaint charges him with conspiracy, computer intrusion and fraud.

Stokes was arrested in Finland in April after an Interpol Red Notice, according to the Justice Department. The Chicago Tribune reported his arrest earlier this spring. After his first court appearance in Chicago, Stokes remained in law enforcement custody.

FBI says help-desk resets opened the door

The main incident described in the FBI complaint is a May 12, 2025 breach of an unnamed luxury jewelry retailer, identified in court papers as Company F. Investigators allege Stokes and possibly other members of Scattered Spider stole company data and then demanded $8 million in cryptocurrency.

According to the complaint, the attackers posed as employees and contacted the retailer’s IT help desk to reset authentication credentials. That included passwords and the mobile devices used for multifactor authentication. The FBI says the attackers used Google Voice numbers for those calls.

The alleged method is familiar and depressingly effective: convince the help desk that the caller is a legitimate employee, get the account recovery process to bless a device the attackers control, then use the newly reset credentials to enter the network. The complaint says three user accounts were compromised in about two to three hours, including two accounts belonging to IT administrators with elevated access.

The FBI also says the attackers used ngrok, a legitimate tunneling tool often used by developers to route internet traffic, to maintain unauthorized access to the company’s data center. The tool is not malware by itself. In the wrong hands, it can give intruders a convenient path back into an internal environment.

The retailer did not pay the $8 million demand, according to the FBI. Investigators estimated losses from disruption, investigation and remediation at about $2 million, with more losses expected.

Broader Scattered Spider allegations

The complaint says Stokes used the aliases “Bouquet,” “Spencer” and “Jordan.” It also accuses him of unauthorized access in March 2023 to the network of an unnamed online communications platform, listed as Company H.

U.S. officials describe Scattered Spider as a loosely organized, English-speaking cybercrime group. Alleged members and affiliates have been accused or convicted in cases involving SMS phishing, casino intrusions, a federal court system breach and a disruption at London’s transport agency.

The U.S. government estimates Scattered Spider has been linked to more than 100 network intrusions and more than $100 million in ransom payments. Those figures are government estimates, not findings from Stokes’ case.

The Justice Department’s announcement and the FBI complaint present the allegations against Stokes. He has not been convicted in the Chicago case.

This story draws on original reporting from The Record.

More Security/

view all ↗