Meet “Bouquet,” the teenage Scattered Spider hacker now facing US charges


A teenage hacker accused of being part of the notorious Scattered Spider ransomware group has been extradited from Finland to the US and is now facing multiple federal hacking and fraud charges.

Key takeaways:

The US Department of Justice (DoJ) on Wednesday announced that 19-year-old Peter Stokes – a dual citizen of the US and Estonia – was extradited last week, making his first appearance in a Chicago federal court on Tuesday.

ADVERTISEMENT

Prosecutors say Stokes – allegedly operating under the online persona "Bouquet" – is an active member of Scattered Spider; the English-speaking cybercrime group accused of carrying out more than "100 network intrusions" since March 2023, extorting more than $100 million in ransom payments from its victims.

“Scattered Spider has repeatedly targeted US companies, extorting employees, inflicting millions of dollars in losses, and disrupting essential operations,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division.

According to the criminal complaint, unsealed Tuesday, Stokes faces a slew of charges including conspiracy to commit wire fraud, conspiracy to commit computer fraud and abuse, wire fraud, and aggravated identity theft.

The court filings show charges stemming from four specific cyber incidents, including one high-end jewelry retailer heist involving an $8 million ransom demand, as well as the seizure of two 2TB hard drives. The earliest attack taking place when Stokes was just 16 years old.


According to an earlier report by the Chicago Tribune, Stokes was arrested on April 10 in Helsinki while trying to board a flight to Tokyo. The FBI was said to have been building a case against the teen hacker for months.


A judge has ordred the teen to remain in custody. If convicted on all six counts, Stokes could face up to 47 years in federal prison, along with fines and restitution.

Inside Scattered Spider's social engineering tactics

ADVERTISEMENT

Scattered Spider has been linked to several widely publicized hacks over the years, including the 2023 cyberattacks on MGM Resorts and Caesars Entertainment in Las Vegas.

The group has also been blamed for the devastating months-long ransomware attacks on British retailer Marks & Spencer and Jaguar Land Rover (JLR) last year, carried out by the rebranded “Scattered, LAPSUS$ Hunters” hacker collective. Those attacks led to financial losses totaling over $300 million and $2.5 billion, respectively.

Jaguar, Land Rover and hackers
Image by Priyanshu Singh | Reuters / Telegram

The cybercriminal group is known for using sophisticated social engineering attacks to trick employees into giving up their credentials, ultimately allowing the hackers to gain unfettered access to their employers' corporate networks.

Once in the IT system, Scattered Spider is known not only for stealing and encrypting the victim’s data but also for rendering those systems inoperable, while pressuring the victim to pay an exorbitant ransom all in cryptocurrency.

In the jewelry store attack, the DoJ says Stokes and his fellow gang members breached the company’s systems using an IT help desk scheme in May 2025 – a known tactic used by the savvy hackers.

Scattered Lapsus$ Hunters
Image by Cybernews.

Scatterd Spider allegedly called the company's IT help desk, impersonated an employee, reset credentials, and gained access, prosecutors said.

After exfiltrating 100GB of data, the group demanded an $8 million payout but was left empty-handed when the company’s security teams booted the hackers from its computer systems.

Although no ransom was ever paid, the DoJ says the high-end retailer still suffered at least $2 million in losses from the business disruptions, investigations, and recovery costs.

ADVERTISEMENT

CISA warned Scattered Spider was expanding its playbook

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning advisory detailing the groups’ tactics, techniques, and procedures (TTPS) last July, following an escalation in successful attacks across many sectors, ranging from retail to airlines to manufacturing.

The group had stepped up its signature attacks on IT help desk workers, moving from targeting direct employees to targeting IT workers at third-party vendors, enabling it to infiltrate multiple companies from a single breach.

The cybercriminals were found targeting companies’ Snowflake accounts for initial network access, as well as Slack, Microsoft Teams, and Microsoft Exchange email accounts to gather intelligence to spear-phish employees.

“The malicious attacks from Scattered Spider caused widespread disruption to businesses and organizations throughout the United States,” said US Attorney Andrew S. Boutros for the Northern District of Illinois.

“These charges underscore our unwavering commitment to keeping pace with technologically savvy criminal actors and holding accountable those who seek to profit from cyber intrusions, including those located in foreign jurisdictions who do harm to American businesses and victims,” Boutros said.

The arrest and subsequent extradition were carried out in coordination with Interpol and Finnish authorities as part of the FBI’s Operation Riptide, an ongoing campaign targeting criminal actors, infrastructure, and the financial networks that support them.

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites

ADVERTISEMENT

Unlock more exclusive Cybernews content on YouTube