
Another Scattered Spider bust – Bling-swinging suspect extradited to US

Paul Ducklin
07/03/2026

Yet another teenager suspected of being part of a multi-million-dollar cyberextortion gang is to face court, after being arrested in Finland back in April 2026 and extradited to the US this week.

Peter Stokes, despite being just 19 now, is alleged to have been actively involved in cybercrime “from in or around 2023 to in or around 2026,” operating under the gangster nicknames of Bouquet, Spencer, and Jordan.

Perhaps you’re wondering just how much money these ransomware gangs, frequently involving surprisingly young criminals with astonishingly flash and bling-filled lifestyles, are extracting from the global economy through blackmail?

Well, the FBI investigator’s indictment in this case claims that:

The group has been referred to as Scattered Spider, Octo Tempest, UNC3944, and/or 0ktapus. It has targeted victims throughout the United States, including in the [greater Chicago area,] as well as [more than 20 companies,] certain of which are discussed further [in this indictment]. Scattered Spider has been involved with over 100 network intrusions, resulting in more than approximately $100 million in ransom payments as well as millions of dollars in damages to the victims.

The investigator’s allegations continue:

Stokes, in recent years, exhibited substantial wealth for a person his age, boasted about his international travel and wealth, and [posted about] apprehended Scattered Spider members. For example, images from Facebook and Snapchat suggest Stokes traveled to Paris, Italy, Spain, Germany, New York, Florida, New Mexico, Thailand, and Dubai, and stayed in multiple luxury hotels, between 2024 and 2025, when [he] was between about 17 and 18 years old. Much of this travel is confirmed by State Department travel records. Images from [his Snapchat] also show Stokes possessing numerous watches and substantial cash, as well as apparently diamond-encrusted chains with the words HACK THE PLANET.

The indictment is a fascinating (if disturbing) read, explaining how the authorities tracked down the suspect despite his use of VPNs.

(Hint: posting bling-o-grams to social media can count against you in a court of law, and hiding your face behind a giant fan of banknotes in a selfie doesn’t always work either.)

Exploits versus Entropy?

This case is a serious reminder of why it’s vital to get the basics right before you allow your company to get distracted by “wargaming nation-state attacks,” as David Emerson humorously put it in our recent podcast episode Exploits versus Entropy.

LISTEN NOW: Exploits versus Entropy (podcast episode)

In a 2025 cyberintrusion in which Stokes is alleged to have been an active participant:

The intrusion incident began […] with several phishing calls to the [victim’s IT helpdesk …] from two Google Voice phone numbers. The threat actors pretended to be [employees] and requested a reset of their authentication credentials, including the password and mobile device for multifactor authentication. Using this phishing technique, the threat actors compromised three [company] user accounts within approximately two to three hours.

Two of those accounts, it seems, belonged to sysadmins whose access rights allowed them to promote themselves temporarily to full-on admin-level powers to carry out network administration tasks.

This is a wise approach, because it means that no one needs to stay logged in as admin all the time, while also avoiding the use of a single admin-level account by every sysadmin, thereby maintaining accountability.

The unfortunate outcome, of course, was that once the criminals acquired user-level access credentials for those accounts, they could carry out network-wide havoc under cover of the real sysadmins, leaving the immediate finger of guilt pointing at innocent parties.

The crooks apparently also managed to increase the apparent legitimacy of these nefarious activities by initiating them from servers inside one of the company’s own data centers, attempting to disguise their true locations and identities using a popular, cloud-based remote access provider.
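The reset-then-elevate sequence described above is something a defender can look for in identity logs: a helpdesk-driven password reset, an MFA device re-enrolment, and then the same account using its self-elevation rights soon afterwards. The following Python is an added example, not code from the article or from SolCyber; its event format, field names and sample log lines are constructed for illustration, and the 24-hour window is an assumed tuning value.

```python
# Added example (not from the article or SolCyber): correlate a helpdesk-driven
# password reset and MFA device re-enrolment on an account with a later use of
# that account's self-elevation rights. Schema, sample lines and window are assumed.
from datetime import datetime, timedelta

# Constructed sample identity log: timestamp, account, event type, detail.
SAMPLE_LOG = """\
2025-03-02T09:05:00 alice HELPDESK_PASSWORD_RESET phone-call
2025-03-02T09:07:30 alice MFA_DEVICE_REGISTERED new-mobile
2025-03-02T10:40:00 alice PRIVILEGE_ELEVATION domain-admin
2025-03-02T11:15:00 bob HELPDESK_PASSWORD_RESET phone-call
2025-03-02T13:00:00 bob PRIVILEGE_ELEVATION domain-admin
2025-03-02T09:30:00 carol MFA_DEVICE_REGISTERED new-mobile
2025-03-02T09:45:00 carol PRIVILEGE_ELEVATION domain-admin
2025-03-01T08:00:00 dave HELPDESK_PASSWORD_RESET phone-call
2025-03-03T09:00:00 dave PRIVILEGE_ELEVATION domain-admin
"""

WINDOW = timedelta(hours=24)  # assumed tuning value


def parse_events(log):
    """Parse the constructed log format into (time, account, kind, detail), oldest first."""
    events = []
    for line in log.splitlines():
        ts, account, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), account, kind, detail))
    return sorted(events)


def find_reset_then_elevate(log, window=WINDOW):
    """Return (account, elevation time, severity) for each suspicious elevation.
    high   = helpdesk password reset AND MFA device re-registered, then elevation in window
    medium = helpdesk password reset only, then elevation in window
    No preceding reset (carol) or reset outside the window (dave) -> not flagged.
    """
    reset_at, mfa_at, hits = {}, {}, []
    for ts, account, kind, _ in parse_events(log):
        if kind == "HELPDESK_PASSWORD_RESET":
            reset_at[account] = ts
        elif kind == "MFA_DEVICE_REGISTERED":
            mfa_at[account] = ts
        elif kind == "PRIVILEGE_ELEVATION":
            reset = reset_at.get(account)
            if reset is None or ts - reset > window:
                continue  # no recent helpdesk reset on this account
            mfa = mfa_at.get(account)
            severity = "high" if mfa is not None and reset <= mfa <= ts else "medium"
            hits.append((account, ts.isoformat(), severity))
    return hits
```

On the constructed log, alice (reset plus new MFA device, then elevation) is flagged high and bob medium, while carol and dave are ignored.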

Demanding money with menaces

The indictment claims that the attackers managed to exfiltrate (a fancy word for “steal”) at least 77GB of data, which the criminals rounded up to 100GB and used to initiate their blackmail: “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic], […] including raw card information and payment details.”

About two weeks later, the criminals issued a further demand, saying, “We are wanting to push things forward, after some consideration $8million seems like a good price. Let us know what you think.”

The victim didn’t think much of this at all, paid nothing, and didn’t communicate with the attackers again, but the FBI suggests that “the losses due to business disruption, investigation, and mitigation were approximately $2 million, and further losses were expected.”

Cynics might argue that this figure of $2,000,000 includes money that the victim might reasonably have spent in advance to reduce the risk of attack to a safer level, but there’s no doubt that at least some, and perhaps most, of this cost was a direct and entirely intentional side-effect of the criminals’ actions.

The criminals deliberately and maliciously triggered looming and immediate costs that they hoped the victim might be willing to try to sidestep by paying a similar amount in hush money to buy time and silence.

But the extortion didn’t work because the victim company, to its credit, refused to bend to blackmail.

What to do?

  • Give law enforcement a thumbs-up for getting this far.
  • Read the indictment. It’s a fascinating tale, objectively told, that provides many useful insights into operational practices such as password resets that you might do well to revisit in your own business.
  • Watch this space to see where the case goes. Faced with strong evidence, including self-posted images from social media and detailed records that unshroud their anonymity, some cybercriminals of this sort agree to plead guilty, but can still expect heavy sentences.
  • Listen to our Exploits versus Entropy podcast for entertainingly good-humored but actionable advice on how to improve your operational resilience without drowning in technology or buying “more tools, more tools.”

Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!

More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
