Summary
- Peter Stokes, a 19-year-old accused member of Scattered Spider, has been extradited from Finland to the United States to face charges related to conspiracy, cyber intrusion, and fraud.
- Prosecutors allege he participated in a breach of a luxury jewelry retailer in May 2025, demanding approximately $8 million in cryptocurrency, which the company declined to pay.
- The hacking group has been linked to more than 100 breaches and has reportedly extorted around $100 million in cryptocurrency ransoms.
Peter Stokes, a suspected member of the notorious hacking group Scattered Spider, was recently extradited from Finland to the United States to answer charges concerning an $8 million cryptocurrency ransom demand.
The 19-year-old, who holds dual citizenship in the U.S. and Estonia, appeared in a federal court in Chicago on Tuesday, facing accusations of conspiracy, cyber intrusion, and fraud, as stated by the Justice Department. He was apprehended by Finnish authorities in April under an Interpol Red Notice and was extradited last week, with a judge ordering him to be held until his trial.
Alleged Member of Criminal Cyber Hacking Group “Scattered Spider” Arrested in Finland and Extradited to United States @FBIChicago @DOJCrimDiv https://t.co/DWs2d9fns0
— U.S. Attorney’s Office (NDIL) (@NDILnews) July 1, 2026
The indictment centers on a May 2025 breach of a luxury jewelry retailer, which remains unnamed. Stokes and his alleged accomplices reportedly deceived the company's IT help desk into resetting employee two-factor authentication credentials, then stole data and demanded a ransom of approximately $8 million in cryptocurrency. The security team managed to remove them, and the company refused to pay the ransom, although it incurred losses of at least $2 million due to disruptions and cleanup efforts.
Expanding Investigations
Scattered Spider, also referred to as Octo Tempest, UNC3944, and 0ktapus, is a loose network of hackers accused of executing over 100 intrusions and amassing more than $100 million in ransom payments. Their methods focus on social engineering rather than malware; members often impersonate staff during phone calls to help desks, then extort cryptocurrency in exchange for access to, or suppression of, stolen information. This approach was notably used in the 2023 attacks on MGM Resorts and Caesars Entertainment, with the latter reportedly paying around $15 million in ransom.
Stokes is among a growing number of individuals linked to the group who are facing legal action in the U.S. For instance, Tyler Buchanan, a 24-year-old from Scotland and an alleged leader of the group, pleaded guilty in April to a phishing operation that resulted in the theft of at least $8 million in cryptocurrency. Additionally, Noah Urban from Florida was sentenced to 10 years in prison after being linked to breaches affecting crypto exchange Crypto.com. The DOJ has also charged five other alleged group members in a separate 2024 crypto-phishing case.
Global Trends in Crypto Ransoms
The jewelry retailer's decision not to comply with the ransom demand reflects a broader trend in how organizations are responding to such threats. In 2025, ransomware groups extorted approximately $850 million in cryptocurrency, a total that remained steady compared with the previous year despite a 44% increase in victim postings on leak sites, as reported by TRM Labs. Although the threat landscape has broadened due to easier access for criminals, TRM Labs noted that the overall volume associated with ransomware has decreased from about $1.9 billion in 2024 to around $1.3 billion, as victims are increasingly choosing not to pay their attackers.
