A years-long cross-border investigation into one of the world’s most disruptive modern hacking networks has led to the extradition of an alleged teen member to the United States, federal law enforcement officials confirmed this week.
The US Department of Justice (DoJ) announced Tuesday that 19-year-old Peter Stokes, a dual US-Estonian national, has been charged with multiple felonies including conspiracy, computer intrusion, and wire fraud linked to his alleged role in the transnational hacking collective Scattered Spider. Stokes was first arrested by Finnish law enforcement in April following an Interpol Red Notice, and was transferred into US custody earlier this week. He made his first appearance at a Chicago federal court on Tuesday, where a judge ordered he remain in pretrial detention.
Per DoJ allegations, Scattered Spider has carried out a years-long campaign of high-impact ransomware attacks that have generated more than $100 million in illegal ransom payments globally. The charges against Stokes build on recent progress in the case: just last month, two young men pleaded guilty to criminal charges connected to the 2024 cyberattack on Transport for London (TfL), a major breach UK investigators have directly attributed to Scattered Spider. That 2024 intrusion compromised the personal data of roughly 10 million TfL customers, causing £39 million in total damage. The UK’s National Crime Agency (NCA) has also linked the group to separate 2023 cyberattacks on major British retailers Co-op and Marks & Spencer, which remain under active investigation.
Court documents outline one specific attack linked to Stokes and his co-conspirators: in 2023, the group infiltrated the network of an unnamed luxury jewelry retailer, stole sensitive internal data, and demanded an $8 million ransom paid in cryptocurrency. According to the DoJ, the retailer successfully evicted the hackers from its network and refused to pay the extortion demand. Even so, the breach still caused at least $2 million in losses stemming from business disruption, forensic investigation, and threat mitigation work.
The operation to arrest and extradite Stokes was a multinational collaboration, with joint work from FBI teams based in Copenhagen and Chicago, Finland’s National Bureau of Investigation, and Interpol. Security researchers and law enforcement have long noted that Scattered Spider is unusual among hacking groups for its membership: most members are believed to be young, native English speakers based in the United States and United Kingdom, a profile that has allowed the group to carry out socially engineered intrusions more effectively than many foreign-based criminal hacking networks.
