A 19-year-old alleged member of the notorious hacking collective Scattered Spider has been extradited from Finland to the United States to face charges stemming from a brazen cyber intrusion that demanded an $8 million cryptocurrency ransom. Peter Stokes, a dual citizen of the U.S. and Estonia, appeared in a Chicago federal court on July 1, 2026, charged with conspiracy, computer fraud, cyber intrusion, and wire fraud, the Department of Justice announced.
Finnish authorities arrested Stokes in April 2026 following an Interpol Red Notice. He was extradited in the last week of June and ordered held pending trial. Prosecutors say Stokes, who used the alias "Bouquet," played a key role in a May 2025 breach of an unnamed luxury jewelry retailer. The attackers social-engineered the company's IT help desk to reset employee two-factor authentication credentials, then exfiltrated sensitive data and demanded the $8 million payoff in cryptocurrency. The retailer refused to pay and security teams evicted the intruders, though the company still suffered at least $2 million in disruption and remediation costs.
The case expands a widening U.S. dragnet against Scattered Spider, a diffuse hacking group also tracked as Octo Tempest, UNC3944, and 0ktapus. Known for its heavy reliance on social engineering rather than malware, the group has been linked to over 100 intrusions and more than $100 million in crypto ransoms. Its most infamous attacks include the 2023 breaches of MGM Resorts and Caesars Entertainment, the latter of which paid a roughly $15 million ransom. Stokes joins a growing list of alleged members facing American justice: in April, accused ringleader Tyler Buchanan, 24, pleaded guilty to a phishing campaign that stole at least $8 million in crypto, while Florida’s Noah Urban was sentenced to 10 years after his activity was tied to breaches including that of the Crypto.com exchange.
The refusal to pay by the targeted jeweler aligns with a broader trend of victims increasingly rejecting crypto ransom demands. According to TRM Labs, ransomware crews extorted about $850 million in cryptocurrency in 2025, unchanged from 2024, even as victim postings on leak sites surged by 44%. Total ransomware-linked volume fell from $1.9 billion in 2024 to roughly $1.3 billion in 2025, indicating that more organizations are choosing not to capitulate to attackers.