At a glance
- Actor or Group: Scattered Spider (Octo Tempest, UNC3944, 0ktapus)
- Activity Type: Data extortion, computer intrusion, and fraud
- Targets or Victims: Over 100 US corporate networks
- Scale: Over $100 million in claimed ransom payments
- Jurisdiction: Extradited from Finland, federal charges in Illinois
- Source: US Department of Justice (DOJ)
TL;DR
A 19-year-old dual citizen of the United States and Estonia has been extradited from Finland to Chicago. This Scattered Spider arrest marks a major step forward against a hacking group accused of massive extortion. Peter Stokes faces conspiracy, computer intrusion, and fraud charges.
What Happened
Authorities arrested Stokes in Finland this past April under an Interpol Red Notice. Following this notable Scattered Spider arrest, he was flown to the United States last week. Stokes appeared in a Chicago federal court on Tuesday and remains detained in law enforcement custody. This extradition stems from ongoing work by international police and the FBI.
Who is Behind It
Prosecutors allege Stokes is a key member of Scattered Spider. Threat analysts also track this cybercriminal syndicate as Octo Tempest, UNC3944, and 0ktapus. The FBI suspects the group breaches corporate networks by deceiving employees and stealing their credentials. “The malicious attacks from Scattered Spider caused widespread disruption to businesses and organizations throughout the United States,” stated U.S. Attorney Andrew S. Boutros.
Impact or Scale
The Department of Justice estimates that the group caused immense financial harm. They allegedly collected more than $100 million in ransom payments while causing millions more in operational damages. A prominent incident in May 2025 involved an unnamed luxury jewelry retailer. Stokes and his alleged co-conspirators reportedly breached the retailer, stole sensitive data, and demanded an $8 million cryptocurrency ransom. The retailer refused to pay. However, the company still suffered at least $2 million in losses related to business disruption and threat mitigation.
What Comes Next and Protection
The justice system will now pursue prosecution against Stokes in the Northern District of Illinois. Law enforcement warns that enterprises must remain vigilant against social engineering tactics. To stay protected, security teams should implement phishing-resistant multifactor authentication. Furthermore, companies must train staff to identify deceptive communication and verify help-desk requests thoroughly.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.