Peter Stokes, a 19-year-old dual citizen of the US and Estonia, was arrested earlier this month in Finland while attempting to board a flight to Japan, and prosecutors allege he is a prolific member of the loosely connected international hacking collective known as Scattered Spider.
According to a criminal complaint obtained by the Chicago Tribune, the arrest happened on April 10 as Stokes prepared to fly to Tokyo. However, authorities were building a federal case against him for months. Stokes was charged in a six-count complaint filed under seal in December with wire fraud, conspiracy, and computer intrusion, and authorities are now working to have him extradited to Chicago.
Stokes’s extradition would be the second tied to a member of the Scattered Spider hacker group. Last week, Tyler Robert Buchanan, a 24-year-old British hacker, admitted to a multi-year US hacking scheme involving at least $8 million in crypto theft. Buchanan was arrested in Spain and extradited to the United States.
The “Bouquet” Persona and A Teenager’s Flashy Double Life
Authorities allege that Stokes used the alias “Bouquet” for his online activities. He lived a lavish, jet-set lifestyle, traveling from Dubai to Thailand to New York, staying in five-star hotels, and openly displaying cash and jewelry.
He also mocked the FBI in posts and messages, posting memes depicting his crew as mafia bosses and photos of himself wearing a diamond-studded necklace that spelled out in giant letters “HACK THE PLANET.”
According to the complaint cited by the Chicago Tribune, Stokes, the son of a prominent European businessman, displayed unusual wealth for his age in recent years. Investigators say he posted photos on Facebook and Snapchat showing trips across Europe and to Mexico, Thailand, and Dubai.
Authorities also highlighted a meme they consider revealing. Stokes shared an image from the TV show The Sopranos, edited with the aliases of alleged Scattered Spider members over different characters. In the version included in the charges, his first name, “Peter,” is placed over Carmine Lupertazzi Sr., a fictional New York crime boss.
Mocking Federal Investigators
Stokes and his alleged co-conspirators appeared to treat federal investigators more as a joke than a threat. The complaint says he and other Scattered Spider members exchanged memes and messages mocking law enforcement tracking them. In one example cited by investigators, a co-conspirator sent Stokes an image in 2024 showing repeated failed login attempts alongside the message “F— off, FBI.”
The taunting continued as the investigation closed in. In a January 2025 exchange, Stokes sent a co-conspirator images of a police station in Estonia with the caption, “Feel like Raymond Reddington season 1 episode 1 rn,” a reference to Raymond Reddington from The Blacklist, played by James Spader, who turns himself in to the FBI while offering to help catch high-profile criminals.
The Alleged Hacks
The charges allege Stokes took part in at least four Scattered Spider intrusions, including one when he was 16, causing millions of dollars in losses. His earliest alleged attack followed a common social engineering tactic.
In March 2023, just months after his 16th birthday, Stokes allegedly targeted an online communications platform identified as “Company H” by requesting a reset of an employee’s two-factor authentication. Investigators say encrypted chats show him coordinating with an accomplice as they accessed sensitive data, including employee identification information.
A later incident revealed that in May 2025, Stokes allegedly helped breach a multibillion-dollar luxury retailer by calling the company’s IT help desk and posing as an employee to reset credentials. The attackers then accessed administrator accounts, claiming to have stolen 100GB of data, and demanded $8 million. The company refused to pay but still reported more than $2 million in losses from disruption and recovery.
Who is Scattered Spider?
Scattered Spider is a transnational cybercrime group that targets large companies and their IT help desks, steals sensitive data, and uses it for extortion. Also known as Octo Tempest, the group is largely made up of teenagers and young adults. It emerged in 2022 in the US and UK and has since spread across Europe and Australia.
Its victims include major retailers, airlines, and gaming companies such as MGM Resorts. According to the Federal Bureau of Investigation, members rely on tactics like social engineering, phishing, MFA bombing, and SIM swapping rather than advanced malware.
Arrests
Stokes is the latest in a series of arrests linked to the group. Tyler Robert Buchanan, described as a senior member, pleaded guilty in California to hacking US companies and stealing at least $8 million in cryptocurrency. Earlier, Noah Michael Urban was sentenced to 10 years in prison after pleading guilty to fraud and conspiracy charges.
UK authorities have also made arrests. In July 2024, police detained a 17-year-old suspect linked to the 2023 attack on MGM Resorts. Other breaches attributed to the group include Caesars Entertainment, Riot Games, Mailchimp, Twilio, DoorDash, and Reddit.
