Scattered Spider suspect extradited to US over $8M crypto ransom demand
A 19-year-old linked to the notorious hacking group faces federal charges in Chicago after being flown in from Finland, with prosecutors tying the crew to over $100 million in total ransom payments.
Peter Stokes, a 19-year-old dual citizen of the US and Estonia, landed in a Chicago federal courtroom on June 30, 2026, after being extradited from Finland. He was promptly ordered detained.
The Department of Justice unsealed charges against Stokes on July 1, accusing him of involvement with Scattered Spider, a loosely organized cybercrime collective that has become one of the most prolific hacking groups in recent memory. The specific charge centers on a May 2025 breach of an unnamed luxury jewelry retailer, during which attackers stole data and demanded $8 million in cryptocurrency.
The jeweler didn’t pay. It still suffered at least $2 million in damages from the disruption, investigation, and cleanup.
A teenager with two terabytes
Stokes was arrested in Finland in April 2026 under an Interpol Red Notice. Finnish law enforcement seized two 2TB hard drives from him at Helsinki airport, a detail that gives some sense of the scale of data potentially tied to these operations.
Prosecutors allege Stokes has been involved in intrusions dating back to when he was 16 years old. That timeline would place his earliest suspected activity around 2023, right in the middle of Scattered Spider’s most aggressive period.
The group, also tracked under names like UNC3944, Octo Tempest, and 0ktapus, has been blamed for more than 100 network intrusions. Collectively, those attacks have resulted in over $100 million in ransom payments and extensive collateral damage to the targeted organizations.
The Scattered Spider playbook
Scattered Spider’s signature methods typically involve vishing (voice phishing), where attackers call employees and impersonate IT staff or other trusted parties to trick them into handing over credentials. Once inside a network, the group moves laterally, exfiltrating data and setting up leverage for ransom demands paid in crypto.
The group’s most high-profile victims include MGM Resorts and Caesars Entertainment, both hit in 2023. Caesars reportedly paid $15 million to resolve its attack, while MGM chose not to pay and absorbed over $100 million in losses.
A broader crackdown taking shape
Stokes isn’t the first Scattered Spider member to face consequences. Multiple arrests and guilty pleas from other group members have occurred throughout 2025 and 2026, part of what appears to be a sustained, coordinated law enforcement campaign against the collective.
The Interpol Red Notice and cross-border extradition process in Stokes’ case illustrate just how much international cooperation is required to bring these cases to trial. Finnish authorities handled the initial arrest and evidence seizure, while US prosecutors built the federal case in Chicago.