Peter Stokes, a 19-year-old dual US-Estonian citizen, was extradited from Finland to face federal charges in Chicago connected to the notorious Scattered Spider cybercrime group. The Department of Justice announced the extradition on July 1, marking another scalp in the government’s slow but steady campaign against one of the most prolific hacking collectives in recent memory.
Stokes made his initial court appearance in the Northern District of Illinois on June 30, where a judge ordered him detained pending further proceedings. He faces charges of conspiracy, computer intrusion, and fraud.
Inside the case against Stokes
Stokes, who allegedly operated under the aliases “Bouquet,” “Spencer,” and “Jordan,” was arrested in April 2026 under an Interpol Red Notice. He is connected to at least four cyber intrusions attributed to the group, including a significant breach of a jewelry retailer in 2025.
The group, which goes by a rotating wardrobe of names including UNC3944, ShinyHunters, 0ktapus, and Octo Tempest, is linked to more than 100 network intrusions. Those breaches have collectively generated over $100 million in ransom payments.
Scattered Spider has repeatedly targeted cryptocurrency platforms and stolen digital assets, including Bitcoin. Their toolkit relies heavily on social engineering, SIM swapping, and malware deployment.
A pattern of arrests, finally
Scattered Spider emerged around 2022-2023 and primarily targeted retail, technology, airlines, and crypto platforms.
Noah Urban, another alleged member, was arrested in Florida in 2024 in connection with cryptocurrency theft. Tyler Buchanan was extradited from Spain to the US in 2025.
The extradition was part of a broader international law enforcement initiative called Operation Riptide.
What this means for crypto investors
No specific cryptocurrencies or tokens are directly implicated in the charges against Stokes.
SIM swapping remains one of the most effective attack vectors against individual crypto investors. The method works by convincing a mobile carrier to transfer a victim’s phone number to a new SIM card, which then intercepts two-factor authentication codes.
Click Here For The Original Source.
