US Charges Alleged Scattered Spider Member Arrested in Finland
U.S. prosecutors have charged 19-year-old dual U.S.-Estonian citizen Peter Stokes, allegedly a member of the Scattered Spider cybercrime group who used the alias Bouquet, after his arrest in Finland on April 10. According to reports citing court records, Stokes was detained while allegedly attempting to board a flight to Tokyo and now faces wire fraud, conspiracy, and computer intrusion charges in a sealed six-count complaint, with U.S. authorities seeking his extradition to Chicago. Investigators allege he took part in at least four intrusions, including a 2023 breach of an online communications platform and other attacks carried out while he was still a teenager.
The complaint links Stokes to Scattered Spider operations that relied on help-desk social engineering, credential resets, MFA fatigue, and SMS phishing to gain access to major corporate environments. One 2025 intrusion described in the filings allegedly targeted a multibillion-dollar luxury retailer, where attackers obtained administrator access, claimed to have stolen 100 GB of data, and issued an $8 million extortion demand, causing more than $2 million in losses. The case adds to broader law-enforcement pressure on the financially motivated group, also tracked as Octo Tempest, which has been tied to intrusions affecting MGM Resorts, Caesars, Twilio, Reddit, Riot Games, Mailchimp, DoorDash, Harrods, Marks & Spencer, WestJet, and Jaguar Land Rover.
Timeline
Apr 28, 2026
Alleged Scattered Spider leader Tyler Buchanan pleads guilty in U.S.
The reporting notes that Tyler Robert Buchanan, described as an alleged Scattered Spider leader, recently pleaded guilty in the United States to wire fraud and aggravated identity theft charges.
Apr 28, 2026
U.S. prosecutors charge arrested suspect and seek extradition
Following the Finland arrest, U.S. prosecutors charged Stokes in connection with alleged Scattered Spider intrusions and moved to extradite him to Chicago on wire fraud, conspiracy, and computer intrusion counts.
Apr 10, 2026
Finnish authorities arrest alleged Scattered Spider member Peter Stokes
Peter Stokes, a 19-year-old dual U.S.-Estonian citizen, was arrested in Finland on April 10, 2026, reportedly while attempting to board a flight to Tokyo.
Dec 1, 2025
U.S. files sealed criminal complaint against Peter Stokes
A sealed six-count U.S. complaint was filed in December charging Peter Stokes with wire fraud, conspiracy, and computer intrusion offenses tied to alleged Scattered Spider activity.
Jan 1, 2025
Luxury retailer breached and hit with $8 million extortion demand
In 2025, investigators say Stokes helped compromise an unnamed multibillion-dollar luxury retailer by socially engineering the help desk to reset credentials, gaining administrator access. The attackers allegedly claimed to have stolen 100 GB of data and demanded $8 million, with the victim suffering more than $2 million in losses.
Mar 1, 2023
Alleged 'Bouquet' participates in a communications platform breach
Court records allege the suspect later identified as Peter Stokes, using the alias "Bouquet," took part in a March 2023 intrusion against an online communications platform while he was 16.
Jan 1, 2022
Scattered Spider emerges as a social-engineering-focused cybercrime group
The financially motivated group known as Scattered Spider, also tracked as Octo Tempest, became active in 2022 and began targeting major companies using tactics such as help-desk impersonation, MFA fatigue, and SMS phishing.
Related Stories

Scattered Spider Member Pleads Guilty in $8 Million SMS Phishing and Crypto Theft Scheme
Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, pleaded guilty in U.S. federal court in California to **conspiracy to commit wire fraud** and **aggravated identity theft** for his role in Scattered Spider’s large-scale social-engineering operation. Prosecutors said Buchanan and co-conspirators ran SMS phishing campaigns from September 2021 to April 2023 that impersonated corporate IT help desks and labor providers, used fake login pages and stolen credentials, and carried out SIM swapping to breach companies and individuals. The Justice Department said the scheme stole at least **$8 million in virtual currency** from U.S. victims across telecommunications, technology, cloud communications, outsourcing, gaming, and cryptocurrency sectors. Investigators tied Buchanan to the 2022 **0ktapus** campaign, which used fake Okta login pages to compromise more than 130 organizations, including **Twilio** and **Cloudflare**, and enabled downstream attacks affecting other major brands. Authorities said stolen credentials were funneled into a Telegram channel administered by Buchanan and an associate, and searches of his residence in Scotland uncovered victim company files, personal data, and roughly 20 devices. Buchanan was arrested in Palma de Mallorca by Spanish authorities, extradited to the United States, and has been in federal custody since April 2025; he now faces up to 22 years in prison, underscoring continued law-enforcement pressure on the loosely organized Scattered Spider group, an offshoot of **The Com**.
1 week ago
Scattered Spider-Linked Teenagers Plead Not Guilty to Transport for London Cyberattack
Two British teenagers, Thalha Jubair and Owen Flowers, have pleaded not guilty to charges stemming from a cyberattack on Transport for London (TfL) in August 2024. The attack, attributed to the Scattered Spider hacking collective, caused significant disruption to TfL's online services and internal systems and impaired the agency's ability to process refunds. It was initially believed not to have compromised customer data, but a later update from TfL confirmed that customer information, including names, addresses, and contact details, was exposed during the breach. Both suspects were arrested by the UK National Crime Agency and City of London Police, and the charges they face are among the most severe under English law for cyber offenses, carrying a maximum sentence of life imprisonment. In addition to the TfL incident, Owen Flowers faces further charges for allegedly conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States, while Thalha Jubair is also charged with refusing to provide device passcodes to investigators. The U.S. Department of Justice has unsealed a complaint against Jubair for related computer crimes. The case highlights the international scope of the investigation and the serious legal consequences for those accused of high-impact cyberattacks targeting critical infrastructure and healthcare organizations.
1 month ago
Cordial Spider and Snarky Spider hit U.S. sectors with identity-driven extortion
CrowdStrike says two financially motivated threat groups tied to **The Com** — **Cordial Spider** and **Snarky Spider** — are conducting rapid data-theft and extortion campaigns against U.S.-based organizations across critical infrastructure and commercial sectors, including aviation, retail, hospitality, automotive, financial services, legal, academic, and technology. The actors are described as closely aligned with **Scattered Spider** and linked to other The Com subsets such as **SLSH** and **ShinyHunters**, with operations observed since at least October 2025 and ransom demands in some cases reaching seven figures. The groups rely on voice phishing, text messages, emails, and other social-engineering tactics to compromise identity platforms and move through victims’ SaaS environments. Researchers said the attackers use phishing pages that mimic legitimate single sign-on and identity provider portals to steal credentials, session keys, and tokens, then register their own MFA devices, disable MFA, suppress or delete alerts, and expand access across connected services. CrowdStrike also identified differences in the crews’ tradecraft, including operating hours, phishing infrastructure, leak sites, preferred operating systems, and MFA-registration methods, while noting their use of residential proxy services such as **Mullvad**, **Oxylabs**, **NetNut**, **9Proxy**, **Infatica**, and **NSOCKS** to evade detection; some victims were additionally subjected to **DDoS attacks** or **swatting**.
Yesterday