
What Modern Insider Threats Look Like
We tend to focus so much on external cybersecurity threats that we forget about insiders.


Yet another teenager suspected of being part of a multi-million-dollar cyberextortion gang is to face court, after being arrested in Finland back in April 2026 and extradited to the US this week.
Peter Stokes, despite being just 19 now, is alleged to have been actively involved in cybercrime “from in or around 2023 to in or around 2026,” operating under the gangster nicknames of Bouquet, Spencer, and Jordan.
Perhaps you’re wondering just how much money these ransomware gangs, frequently involving surprisingly young criminals with astonishingly flash and bling-filled lifestyles, are extracting from the global economy through blackmail?
Well, the FBI investigator’s indictment in this case claims that:
The group has been referred to as Scattered Spider, Octo Tempest, UNC3944, and/or 0ktapus. It has targeted victims throughout the United States, including in the [greater Chicago area,] as well as [more than 20 companies,] certain of which are discussed further [in this indictment]. Scattered Spider has been involved with over 100 network intrusions, resulting in more than approximately $100 million in ransom payments as well as millions of dollars in damages to the victims.
The investigator’s allegations continue:
Stokes, in recent years, exhibited substantial wealth for a person his age, boasted about his international travel and wealth, and [posted about] apprehended Scattered Spider members. For example, images from Facebook and Snapchat suggest Stokes traveled to Paris, Italy, Spain, Germany, New York, Florida, New Mexico, Thailand, and Dubai, and stayed in multiple luxury hotels, between 2024 and 2025, when [he] was between about 17 and 18 years old. Much of this travel is confirmed by State Department travel records. Images from [his Snapchat] also show Stokes possessing numerous watches and substantial cash, as well as apparently diamond-encrusted chains with the words HACK THE PLANET.
The indictment is a fascinating (if disturbing) read, explaining how the authorities tracked down the suspect despite his use of VPNs.
(Hint: posting bling-o-grams to social media can count against you in a court of law, and hiding your face behind a giant fan of banknotes in a selfie doesn’t always work either.)
This case is a serious reminder of why it’s vital to get the basics right before you allow your company to get distracted by “wargaming nation-state attacks,” as David Emerson humorously put it in our recent podcast episode Exploits versus Entropy.

In a 2025 cyberintrusion in which Stokes is alleged to have been an active participant:
The intrusion incident began […] with several phishing calls to the [victim’s IT helpdesk …] from two Google Voice phone numbers. The threat actors pretended to be [employees] and requested a reset of their authentication credentials, including the password and mobile device for multifactor authentication. Using this phishing technique, the threat actors compromised three [company] user accounts within approximately two to three hours.
Two of those accounts, it seems, belonged to sysadmins whose access rights allowed them to promote themselves temporarily to full-on admin-level powers to carry out network administration tasks.
This is a wise approach, because it means that no one needs to stay logged in as admin all the time, while also avoiding the use of a single admin-level account by every sysadmin, thereby maintaining accountability.
The unfortunate outcome, of course, was that once the criminals acquired user-level access credentials for those accounts, they could carry out network-wide havoc under cover of the real sysadmins, leaving the immediate finger of guilt pointing at innocent parties.
The crooks apparently also managed to increase the apparent legitimacy of these nefarious activities by initiating them from servers inside one of the company’s own data centers, attempting to disguise their true locations and identities using a popular, cloud-based remote access provider.
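The chain described above (helpdesk-driven password and MFA-device reset, followed within hours by the same account elevating itself to admin) is exactly the kind of sequence a blue team can correlate. The following is an added example, not code from the original article or from the victim’s environment; the log format, event names and timestamps are constructed for illustration, and the 24-hour window is an assumed tuning value.

```python
from datetime import datetime

# Constructed sample events, one per line: "timestamp,event,account,detail".
# The format and values are assumptions for this example, not real logs.
SAMPLE_LOG = """\
2025-03-10T09:02:11Z,helpdesk_credential_reset,sysadmin1,password+mfa_device
2025-03-10T09:40:52Z,helpdesk_credential_reset,sysadmin2,password+mfa_device
2025-03-10T10:15:03Z,helpdesk_credential_reset,user7,password
2025-03-10T11:05:44Z,admin_elevation,sysadmin1,jit_activate
2025-03-10T11:20:09Z,admin_elevation,sysadmin3,jit_activate
2025-03-12T08:00:00Z,admin_elevation,sysadmin2,jit_activate
"""


def parse_events(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, account, detail = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "account": account,
            "detail": detail,
        })
    return events


def find_suspicious_elevations(events, window_hours=24):
    """Return (account, reset_ts, elevation_ts) for every admin elevation that
    follows a helpdesk reset of BOTH password and MFA device on the same
    account within `window_hours`. A password-only reset is not enough to
    fire, and an elevation outside the window is treated as routine."""
    last_full_reset = {}  # account -> timestamp of its most recent full reset
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "helpdesk_credential_reset" and "mfa_device" in e["detail"]:
            last_full_reset[e["account"]] = e["ts"]
        elif e["event"] == "admin_elevation":
            reset_ts = last_full_reset.get(e["account"])
            if reset_ts is not None:
                elapsed_hours = (e["ts"] - reset_ts).total_seconds() / 3600
                if elapsed_hours <= window_hours:
                    hits.append((e["account"], reset_ts, e["ts"]))
    return hits


if __name__ == "__main__":
    for account, reset_ts, elev_ts in find_suspicious_elevations(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {account} reset at {reset_ts} then elevated at {elev_ts}")
```

With the constructed data, only sysadmin1 fires: sysadmin2 elevated two days after its reset, sysadmin3 had no reset, and user7 had a password-only reset with no elevation.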
The indictment claims that the attackers managed to exfiltrate (a fancy word for “steal”) at least 77GB of data, which the criminals rounded up to 100GB and used to initiate their blackmail: “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic], […] including raw card information and payment details.”
About two weeks later, the criminals issued a further demand, saying, “We are wanting to push things forward, after some consideration $8million seems like a good price. Let us know what you think.”
The victim didn’t think much of this at all, paid nothing, and didn’t communicate with the attackers again, but the FBI suggests that “the losses due to business disruption, investigation, and mitigation were approximately $2 million, and further losses were expected.”
Cynics might argue that this figure of $2,000,000 includes money that the victim might reasonably have spent in advance to reduce the risk of attack to a safer level, but there’s no doubt that at least some, and perhaps most, of this cost was a direct and entirely intentional side-effect of the criminals’ actions.
The criminals deliberately and maliciously triggered looming and immediate costs that they hoped the victim might be willing to try to sidestep by paying a similar amount in hush money to buy time and silence.
But the extortion didn’t work because the victim company, to its credit, refused to bend to blackmail.
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
