19-year-old linked to Scattered Spider extradited to U.S.
Peter Stokes, 19, was extradited from Finland to the U.S. to face charges over an alleged May 2025 breach and an $8 million cryptocurrency ransom demand.
Peter Stokes, a 19-year-old dual U.S.-Estonian citizen, was extradited from Finland to the United States and appeared in federal court in Chicago to face charges of conspiracy, cyber intrusion and fraud. A Justice Department complaint centers on an alleged May 2025 breach of an unnamed luxury jewelry retailer and an $8 million cryptocurrency ransom demand.
According to the complaint, Stokes and alleged accomplices used social engineering to bypass the retailer’s IT help desk, reset employee two-factor authentication credentials, stole data and then demanded roughly $8 million in cryptocurrency. Security staff removed the intruders without paying the ransom. The retailer incurred at least $2 million in losses related to operational disruption and cleanup.
Finnish authorities arrested Stokes in April on an Interpol Red Notice and transferred him to U.S. custody last week. He has been ordered held pending trial.
Prosecutors characterize Scattered Spider-also identified by the names Octo Tempest, UNC3944 and 0ktapus-as a loose collective that favors social-engineering tactics over traditional malware. Members are accused of calling help desks, posing as employees to manipulate access controls, then extorting victims with cryptocurrency demands to suppress or return stolen data. Federal authorities link the same approach to multiple high-profile breaches in recent years, including major incidents affecting casino operators in 2023.
The case follows several related prosecutions. An alleged ringleader, Tyler Buchanan, pleaded guilty in April to a phishing campaign that prosecutors say stole at least $8 million in cryptocurrency. Noah Urban received a 10-year prison sentence after convictions tying him to several breaches, including one that affected a large crypto exchange. The Justice Department also filed charges against five alleged members in a separate 2024 crypto-phishing case.
Industry data show ransomware-related crypto extortion totaled about $850 million in 2025, roughly flat with the prior year, while victim data postings on leak sites rose about 44% year over year. Total ransomware-linked cryptocurrency movement fell from about $1.9 billion in 2024 to roughly $1.3 billion in 2025, with more victims refusing to pay attackers.
The complaint against Stokes focuses on the May breach of the jewelry retailer. The case is one of several federal efforts targeting criminal groups that exploit help-desk and account-recovery procedures to gain network access and demand payment in cryptocurrency.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.







