Search TorWire

Find cybersecurity guides and research articles

Home > News > Cybersecurity > DOJ Extradites Alleged Scattered Spider Hacker to Face Ransomware Charges

DOJ Extradites Alleged Scattered Spider Hacker to Face Ransomware Charges

By: Morgan Cipher Senior Privacy Journalist

Last updated: July 2, 2026

Human Written
DOJ Extradites Alleged Scattered Spider Hacker to Face Ransomware Charges
  • The DOJ announced that they extradited a 19-year-old suspected Scattered Spider member from Finland to face charges in Chicago for a May 2025 ransomware attack.

  • The attack, which sought $8 million in ransom from a luxury jewelry company, resulted in $2 million worth of damages despite its failure.

  • This case is one of many under Operation Riptide, an FBI initiative against cybercrime that rips off billions of dollars from Americans every year.

U.S. prosecutors have extradited a suspected member of one of the world’s most dangerous hacking crews to Chicago. He allegedly committed grave crimes in connection with the cyber attack on the luxury store.

The authorities brought the 19-year-old to the US from Finland last week following his arrest by Finnish authorities in April. He faces charges of conspiracy, fraud, and computer intrusion.

Details of the Charges Against the Suspect

Peter Stokes holds citizenship from both the US and Estonia. On June 30, Peter was arraigned at the federal court in Chicago following his extradition.

The charges levied against Stokes pertain to just one event. The prosecution claims that Peter and his gang hacked into the computer system of an upscale jeweler in May. They stole information and extorted $8 million in cryptocurrencies. They threatened to release the stolen data if the company did not pay.

The company refused to pay, and its security team revoked the attackers’ access before they could negotiate any ransom. Still, the attack resulted in $2 million in losses for the company due to disruption in their business, investigations, and recovery efforts. Court records didn’t mention the name of the retailer.

The Scattered Spider Group Remains a Top Target

Authorities have linked Scattered Spider to over 100 network intrusions. Based on estimates, this hacker group has collected over $100 million in ransom from victims. Security researchers believe they go by many names, such as Octo Tempest, UNC3944, and 0ktapus.

The group gained global attention after attacking major casino operators in 2023. Since then, their targets have expanded. They now hit retailers, tech firms, telecom companies, airlines, and cryptocurrency holders.

Prosecutors say group members use a common tactic. They trick company help desks or employees into giving them access. Once inside, they steal sensitive data. Sometimes they encrypt company systems. Then they demand cryptocurrency payments.

Investigators believe the group’s members are loosely connected. They are not a traditional organized crime syndicate. Many members are young and spread across different countries. This makes investigations more difficult.

International Teamwork Made the Arrest Possible

Finnish authorities arrested Stokes in April after the United States obtained an Interpol Red Notice. He stayed in Finland until his extradition in late June.

Several agencies worked together on the case. The agencies involved in this raid were the Office of International Affairs of the Department of Justice, the Finnish National Bureau of Investigation, the FBI Chicago Field Office, and the Copenhagen Legal Attaché Office of the FBI.

The Department of Justice called this incident an example of increased international cooperation. This teamwork is especially important when suspects operate across multiple countries.

Part of a Larger Crackdown on Cybercrime

This case is part of Operation Riptide, the FBI’s initiative to combat all manner of cybercrime, financial fraud, and the financial infrastructure supporting each of these crimes. Cybercrime cost Americans more than $20 billion last year, a 26% increase over the year before. This statistic illustrates why this initiative is necessary.

The global crackdown extends beyond individual arrests; the LeakBase forum, a hub for cybercriminal activity, was recently shut down in a coordinated international operation.

Operation Riptide combines multiple approaches. It includes criminal investigations, international partnerships, tracking of financial transactions and disruption of infrastructure used by these crooks. The operation also uses many other methods to pursue the activities of cyber criminals, no matter where in the world they may operate from.

Assistant Attorney General A. Tysen Duva stated this case demonstrates the importance of international cooperation. FBI Cyber Division Assistant Director Brett Leatherman added the FBI will continue to partner with both domestic and international law enforcement to locate, investigate, and prosecute cybercriminals no matter where they hide.

Not the First Scattered Spider Prosecution

Stokes is not the first suspected Scattered Spider member to face charges. In 2024, a few other suspected members faced charges, according to the Justice Department’s announcement. This reflected a broader effort to identify individual participants.

Prosecutors are not just focusing on dismantling technical infrastructure. They are going after the people behind the attacks.

Investigators have tied many other alleged intrusions to Stokes, with many attempts dating back several years. However, an attack on jewelry stores in 2025 is among the most recent ones.

What Happens Next

The case now moves through the federal court system in Illinois. The prosecution needs to prove the charges beyond a reasonable doubt.

The Justice Department emphasizes that the charges at hand are allegations only. Stokes remains innocent until the court proves otherwise.

In this case, there is yet another example of how law enforcement combats cybercrime. The arrest of the individual shows that international borders do not provide protection for hackers anymore.

Share this article

About the Author

Morgan Cipher

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.

Comments (0)

No comments.