An alleged member of Scattered Spider, the notorious hacking crew blamed for several of the biggest corporate breaches in recent years, has been extradited from Finland to the United States. The group is accused of breaking into dozens of companies, and now one of its young members must answer in an American court over a cryptocurrency ransom demand of around $8 million.
Peter Stokes, 19, who holds both US and Estonian citizenship, appeared in a Chicago federal court on Tuesday. According to a Justice Department statement, he faces charges of conspiracy, cyber intrusion, and fraud. Finnish police arrested him in April on an Interpol Red Notice. He was flown to the US last week and ordered held until his trial.
How the Jewelry Retailer Was Breached
The case stems from a May 2025 attack on a luxury jewelry retailer whose name has not been released. Prosecutors say Stokes and his accomplices talked their way past the company's IT help desk and got employee 2FA credentials reset. They then stole data and demanded about $8 million in cryptocurrency. The company's security team threw the intruders out and never paid a cent, but the retailer still absorbed at least $2 million in losses from the disruption and cleanup.
What Sets Scattered Spider Apart
Scattered Spider also goes by the names Octo Tempest, UNC3944, and 0ktapus. It is a loose collective of hackers that prosecutors say has carried out more than 100 intrusions and collected over $100 million in ransoms. Its signature is social engineering rather than malware. Members phone help desks, pose as staff, and then extort cryptocurrency in exchange for unlocking or suppressing stolen data. These same tactics fueled the 2023 attacks on MGM Resorts and Caesars Entertainment, with Caesars paying a ransom of roughly $15 million.
More Members Facing US Courts
Stokes joins a growing list of members appearing before US courts. Alleged ringleader Tyler Buchanan, a 24-year-old from Scotland, pleaded guilty in April to a phishing spree that stole at least $8 million in cryptocurrency. Florida's Noah Urban was sentenced to 10 years, with his name linked to breaches including the crypto exchange Crypto.com. The Justice Department charged five alleged members in a separate 2024 crypto-phishing case.
A Shift Away From Paying Ransoms
The jeweler's refusal to pay reflects a wider change in how targets are responding to crypto ransom demands. According to TRM Labs, ransomware crews extorted about $850 million in cryptocurrency in 2025, essentially flat from the year before, even as victim postings on leak sites jumped 44%. While the threat has grown because it is now easier for criminals to get started, TRM Labs said total ransomware-linked volume fell to roughly $1.3 billion from $1.9 billion in 2024, as victims increasingly refuse to pay their attackers.













