Reddit: Alleged Scattered Spider hacker extradited to the United States

Reddit: Alleged Scattered Spider hacker extradited to the United States

U.S.-Estonian Teen Extradited in Scattered Spider Hacking Case

A 19-year-old dual U.S. and Estonian citizen, Peter Stokes known online as "Bouquet," "Spencer," and "Jordan" has been extradited to the U.S. to face charges tied to his alleged role in the Scattered Spider hacking collective. Stokes was arrested in Finland on April 10 after attempting to board a flight to Japan at Helsinki Airport.

Court documents accuse Stokes of participating in at least four major breaches, including a March 2023 attack on an online communication platform when he was just 16 years old. Among the victims was an unnamed multibillion-dollar luxury retailer, targeted in May 2025 through a social engineering scheme. Hackers posed as employees to trick the company’s IT helpdesk into resetting credentials, gaining access to administrator accounts. Though the group demanded an $8 million ransom claiming to have stolen 100GB of data the company refused to pay, incurring over $2 million in operational and remediation costs.

Stokes faces charges of fraud, conspiracy, and computer intrusion following his court appearance in Chicago on Tuesday. He remains in custody.

Scattered Spider, also tracked as 0ktapus, Octo Tempest, and UNC3944, is a loosely organized hacking group active since 2022, primarily composed of teenagers and young adults from the U.S. and U.K. The collective is notorious for social engineering, MFA bombing (MFA fatigue), and SMS phishing to steal credentials and deploy ransomware. Prosecutors allege they use tools like the Genymobile Android emulator and have deployed the DragonForce encryptor in attacks on U.K. retailers.

The group’s high-profile victims include Caesars, MGM Resorts, Riot Games, DoorDash, Reddit, MailChimp, Twilio, Allianz Life, Transport for London (TfL), Co-op, Marks & Spencer, Harrods, WestJet, and Jaguar Land Rover. According to the U.S. Department of Justice, Scattered Spider has been linked to over 100 network intrusions, resulting in more than $100 million in ransom payments and millions in additional damages. The FBI’s Cyber Division has highlighted the group’s disruptive impact on critical operations across multiple industries.

Source: https://www.bleepingcomputer.com/news/security/alleged-scattered-spider-hacker-extradited-to-the-united-states/

Reddit, Inc. cybersecurity rating report: https://www.rankiteo.com/company/reddit-com

"id": "RED1782988216",
"linkid": "reddit-com",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Luxury Retail',
                        'name': 'Unnamed multibillion-dollar luxury retailer',
                        'size': 'Multibillion-dollar',
                        'type': 'Retailer'},
                       {'industry': 'Communication',
                        'name': 'Online communication platform',
                        'type': 'Technology'},
                       {'industry': 'Gaming/Hospitality',
                        'name': 'Caesars',
                        'type': 'Entertainment'},
                       {'industry': 'Hospitality',
                        'name': 'MGM Resorts',
                        'type': 'Entertainment'},
                       {'industry': 'Gaming',
                        'name': 'Riot Games',
                        'type': 'Technology'},
                       {'industry': 'Food Delivery',
                        'name': 'DoorDash',
                        'type': 'Technology'},
                       {'industry': 'Social Media',
                        'name': 'Reddit',
                        'type': 'Technology'},
                       {'industry': 'Email Marketing',
                        'name': 'MailChimp',
                        'type': 'Technology'},
                       {'industry': 'Communications',
                        'name': 'Twilio',
                        'type': 'Technology'},
                       {'industry': 'Insurance',
                        'name': 'Allianz Life',
                        'type': 'Financial Services'},
                       {'industry': 'Transportation',
                        'location': 'UK',
                        'name': 'Transport for London (TfL)',
                        'type': 'Government'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Co-op',
                        'type': 'Retail'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Marks & Spencer',
                        'type': 'Retail'},
                       {'industry': 'Luxury Retail',
                        'location': 'UK',
                        'name': 'Harrods',
                        'type': 'Retail'},
                       {'industry': 'Aviation',
                        'name': 'WestJet',
                        'type': 'Transportation'},
                       {'industry': 'Automotive',
                        'location': 'UK',
                        'name': 'Jaguar Land Rover',
                        'type': 'Automotive'}],
 'attack_vector': ['social engineering',
                   'MFA bombing (MFA fatigue)',
                   'SMS phishing'],
 'data_breach': {'data_exfiltration': 'Yes (100GB claimed)'},
 'description': 'A 19-year-old dual U.S. and Estonian citizen, Peter Stokes, '
                "known online as 'Bouquet,' 'Spencer,' and 'Jordan,' has been "
                'extradited to the U.S. to face charges tied to his alleged '
                'role in the Scattered Spider hacking collective. Stokes was '
                'arrested in Finland on April 10 after attempting to board a '
                'flight to Japan at Helsinki Airport. He is accused of '
                'participating in at least four major breaches, including '
                'attacks on an online communication platform and a '
                'multibillion-dollar luxury retailer.',
 'impact': {'data_compromised': '100GB of data claimed to be stolen',
            'financial_loss': '$2 million (operational and remediation costs)',
            'operational_impact': 'Disruptive impact on critical operations'},
 'initial_access_broker': {'entry_point': 'Social engineering (IT helpdesk '
                                          'credential reset)',
                           'high_value_targets': 'Administrator accounts'},
 'investigation_status': 'Ongoing (Stokes in custody)',
 'motivation': ['financial gain', 'data exfiltration'],
 'post_incident_analysis': {'root_causes': ['Social engineering',
                                            'MFA fatigue',
                                            'Lack of employee training']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '$8 million',
                'ransom_paid': 'No',
                'ransomware_strain': 'DragonForce encryptor'},
 'references': [{'source': 'U.S. Department of Justice'},
                {'source': 'FBI Cyber Division'}],
 'regulatory_compliance': {'legal_actions': 'Fraud, conspiracy, and computer '
                                            'intrusion charges'},
 'response': {'law_enforcement_notified': 'Yes (FBI, U.S. Department of '
                                          'Justice)'},
 'threat_actor': 'Scattered Spider (0ktapus, Octo Tempest, UNC3944)',
 'title': 'U.S.-Estonian Teen Extradited in Scattered Spider Hacking Case',
 'type': ['ransomware', 'data breach', 'social engineering']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.