A suspected member of the cybercriminal group known as Scattered Spider has been extradited to the United States to face charges linked to an alleged ransomware and computer intrusion scheme targeting a luxury jewelry retailer, US authorities announced on Wednesday.
Peter Stokes, 19, a dual US-Estonian citizen, was arrested in Finland in April before being extradited to the United States. He appeared before a federal court in Chicago on Tuesday, where a judge ordered that he remain in custody while the case proceeds.
According to the US Department of Justice, Stokes faces charges of conspiracy, computer intrusion and fraud. Prosecutors allege he worked with other members of the hacking group during an attack on a luxury jewelry company in May 2025.
Court documents claim the attackers infiltrated the retailer’s computer systems, stole sensitive company data and demanded approximately $8 million in cryptocurrency to prevent the information from being released. The company refused to pay the ransom after its cybersecurity team successfully removed the hackers from its network.
Although no ransom was paid, investigators said the business still suffered losses of at least $2 million due to operational disruption, forensic investigations and efforts to strengthen its security systems following the attack.
US authorities identify Scattered Spider as a sophisticated cybercrime group that has operated under several names, including Octo Tempest, UNC3944 and 0ktapus. The group is known for targeting major companies through ransomware attacks, data theft and extortion campaigns.
The FBI has linked Scattered Spider to more than 100 cyber intrusions, estimating that its activities have resulted in over $100 million in ransom payments, along with millions more in financial damage caused by business interruptions and recovery efforts.
The group has been connected to several high-profile cyberattacks in both the United States and the United Kingdom.
Last month, two men in the UK admitted carrying out a cyberattack on Transport for London (TfL), the public body responsible for the capital’s transport network. Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to breaching TfL’s systems between August 31 and September 3, 2024.
The UK’s National Crime Agency said the attack forced all 28,000 TfL employees to attend offices to reset their passwords. TfL estimated the cyberattack resulted in around £29 million in losses and recovery costs.
Paul Foster, head of the National Cyber Crime Unit at the National Crime Agency, said the cases highlight the growing threat posed by English-speaking cybercriminal groups such as Scattered Spider. He said the profile of the offenders reflects an increasingly sophisticated and dangerous cybercrime landscape that continues to target major organisations around the world.
US prosecutors have not announced a trial date for Stokes, whose case remains under investigation.
