
A 19-year-old man with dual U.S. and Estonian citizenship was extradited from Finland to Chicago this week to face criminal charges of participating in hacks as part of the Scattered Spider cybercrime group.
Peter Stokes made an initial appearance on Tuesday in federal court in the Northern District of Illinois, the Department of Justice said. The FBI’s criminal complaint accuses him of conspiracy, cyber intrusion and fraud.
The centerpiece of the complaint is a data breach of an unspecified “luxury-jewelry retailer” — referred to as Company F — on or around May 12, 2025. The FBI alleges that Stokes and possibly other Scattered Spider members stole data from the company and then demanded an $8 million ransom in cryptocurrency.
“The threat actors pretended to be Company F employee-users and requested a reset of their authentication credentials, including the password and mobile device for multifactor authentication,” the complaint says. “Using this phishing technique, the threat actors compromised three Company F user accounts within approximately two to three hours,” including two belonging to IT administrators with access to “high-privilege” accounts.
Alleged members of the loosely affiliated, English-speaking Scattered Spider group have been accused or convicted in scam operations using SMS phishing; breaches of U.S. casinos and a federal court system; and a major network disruption at London’s transport agency.
The complaint unsealed this week also accuses Stokes of gaining unauthorized access in March 2023 to the network of an “online-communication platform” labeled as Company H.
Stokes, who allegedly used the aliases “Bouquet,” “Spencer” and “Jordan,” was arrested by Finnish authorities in April, the Department of Justice said, following an Interpol Red Notice. The Chicago Tribune reported Stokes’ arrest earlier this spring.
After Tuesday’s court appearance, Stokes remained in law enforcement custody.
Social engineering
In the breach of the jewelry retailer, the FBI says the suspects used Google Voice numbers to call the IT help desk, request the password resets, and then later access the higher-level accounts.
As part of the criminal operation, the suspects then used ngrok — a legitimate tool that app developers use to manage internet traffic — to enable “persistent unauthorized access” to the company’s data center, the complaint says.
The company did not pay the $8 million ransom, according to the FBI, but “losses due to business disruption, investigation, and mitigation were approximately $2 million, and further losses were expected.”
The U.S. government estimates that Scattered Spider has been involved with more than 100 network intrusions and collected more than $100 million in ransom payments.
