Scattered Spider Suspect Extradited to US Over $8M Crypto Ransom Demand

In brief
- A 19-year-old alleged Scattered Spider member, Peter Stokes, has been extradited from Finland to the U.S. to face charges of conspiracy, cyber intrusion, and fraud.
- Prosecutors say he helped breach a luxury jewelry retailer in May 2025 and demand about $8 million in cryptocurrency, though the company refused to pay.
- The group has been tied to over 100 intrusions and $100 million in crypto ransoms.
An alleged member of Scattered Spider, the prolific hacking crew behind some of the biggest corporate breaches of the past few years, has been extradited from Finland to face U.S. charges over an $8 million cryptocurrency ransom demand.
Peter Stokes, 19, a dual U.S. and Estonian citizen, appeared in Chicago federal court on Tuesday on conspiracy, cyber intrusion, and fraud charges, according to a statement by the Justice Department. Finnish police arrested him in April on an Interpol Red Notice, and he was extradited last week and ordered held pending trial.
Alleged Member of Criminal Cyber Hacking Group “Scattered Spider” Arrested in Finland and Extradited to United States @FBIChicago @DOJCrimDiv https://t.co/DWs2d9fns0
— U.S. Attorney’s Office (NDIL) (@NDILnews) July 1, 2026
The complaint centers on a May 2025 breach of an unnamed luxury jewelry retailer. According to the indictment, Stokes and alleged accomplices talked their way past the company’s IT help desk to reset employee 2FA credentials, then stole data and demanded about $8 million in crypto. Security staff evicted them and never paid, though the retailer still lost at least $2 million to disruption and cleanup.
A widening dragnet
Scattered Spider, also known as Octo Tempest, UNC3944, and 0ktapus, is a loose collective of hackers that prosecutors say has carried out more than 100 intrusions and collected over $100 million in ransoms. Its hallmark is social engineering rather than malware: members phone help desks, pose as staff, then extort crypto to unlock or suppress stolen data. The tactics powered 2023’s attacks on MGM Resorts and Caesars Entertainment, the latter of which paid a roughly $15 million ransom.
Stokes joins a lengthening list of members in U.S. courts. Alleged ringleader Tyler Buchanan, a 24-year-old Scot, pleaded guilty in April to a phishing spree that stole at least $8 million in crypto, and Florida’s Noah Urban was sentenced to 10 years after reporting tied him to breaches including crypto exchange Crypto.com. The DOJ charged five alleged members in a separate 2024 crypto-phishing case.
Crypto ransoms around the world
The jeweler’s refusal to pay mirrors a broader shift in responses to crypto ransom demands. Ransomware crews extorted about $850 million in crypto in 2025, flat from a year earlier, even as victim postings on leak sites jumped 44%, according to TRM Labs. While the threat landscape has expanded due to lower barriers to entry for criminals, TRM Labs reported that total ransomware-linked volume fell to roughly $1.3 billion from $1.9 billion in 2024, as victims “increasingly refusing to pay their attackers.”