Peter Stokes, a 19-year-old alleged member of the Scattered Spider cybercrime group, was extradited from Finland to the United States last week to face federal charges in Chicago, according to the Department of Justice. Stokes arrived in the Northern District of Illinois following his arrest in Finland in April pursuant to an Interpol Red Notice. He made an initial court appearance on June 30 and remains in custody. Prosecutors charge him with conspiracy, computer intrusion, and fraud in connection with multiple intrusions attributed to the group.
Scattered Spider, also tracked as Octo Tempest, UNC3944, and 0ktapus, has conducted more than 100 network intrusions since emerging around 2022. The group typically relies on social engineering tactics, including SIM swapping and impersonation of help desk personnel, to gain initial access to corporate networks. Once inside, members exfiltrate data, deploy ransomware or encryption, and demand cryptocurrency payments.
Technical methods center on human vulnerabilities rather than sophisticated code exploits. Attackers pose as employees or IT support staff to reset credentials or bypass multi-factor authentication. In one documented case tied to the group, intruders accessed a luxury jewelry retailer’s systems in May 2025, exfiltrated data, and demanded approximately $8 million in cryptocurrency. The company removed the threat actors without paying, but still incurred at least $2 million in losses from disruption and recovery efforts.
Stokes allegedly used online aliases including “Bouquet,” “Spencer,” and “Jordan” during operations. The complaint links him to at least four intrusions by the group.
The group has repeatedly targeted cryptocurrency platforms and related services, stealing digital assets including Bitcoin in some incidents. Known crypto-adjacent victims have included exchanges, wallet providers, and firms in the blockchain infrastructure space such as those handling custody or trading services. Their methods have extended to compromising third-party providers and help desks that serve DeFi and crypto companies.
Broader risks in crypto crimes include violent follow-ups.
In one notable case, six men from South Florida pleaded guilty in a Lamborghini carjacking and kidnapping linked to a $245 million Bitcoin theft by Veer Chetal. The plot targeted the thief’s family in an attempt to recover stolen crypto through extortion, highlighting how digital thefts can escalate into real-world violence.
Prior actions against the group include arrests of other young members. Noah Urban, another alleged participant, was detained in Florida in 2024 in connection with cryptocurrency thefts. Tyler Buchanan faced extradition from Spain in 2025. These cases form part of a broader pattern of law enforcement pressure on the collective under initiatives like Operation Riptide.
Law enforcement is also cracking down on crypto laundering networks.
U.S. authorities, with international partners, recently dismantled the AudiA6 operation that allegedly laundered over $389 million in illicit Bitcoin tied to ransomware and cybercrime. The arrests of its operators show continued efforts to disrupt the financial pipelines used by such groups.
The extradition highlights ongoing risks in the crypto sector, where social engineering attacks remain a primary vector for compromising user accounts and corporate infrastructure. Many protocols and exchanges have increased reliance on third-party services and remote support, creating persistent entry points that groups like Scattered Spider continue to exploit.
The FBI has warned that fraudsters in crypto scams are now sending couriers to victims’ homes to pick up cash when bank transfers are blocked. This evolution makes recovery harder and exploits the same human vulnerabilities targeted by groups like Scattered Spider.
Industry-wide, such incidents have prompted tighter controls on identity verification, SIM protections, and help desk procedures. However, the group’s adaptability and focus on human factors have allowed it to maintain activity across retail, finance, aviation, and technology sectors despite previous disruptions.