Full Report
A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice announced on July 1. Peter Stokes, 19, a dual U.S. and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish police
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
* **Actor Name:** Scattered Spider
* **Aliases:** Octo Tempest, UNC3944, 0ktapus
* **Individual Identified:** Peter Stokes (19-year-old dual U.S. and Estonian citizen)
* **Actor Handles:** "Bouquet" (Peter Stokes)
* **Associated Individuals:**
* Tyler Buchanan (Scotland)
* Noah Urban (Florida)
* Thalha Jubair (U.S./U.K.)
* Owen Flowers (U.K.)
* **Group Characteristics:** A loose, mostly English-speaking collective of young individuals (many teenagers) based in the U.S., U.K., and Europe.
## Activity Summary
* **Peter Stokes Case (July 2026):** Extradited from Finland to the U.S. to face charges including conspiracy and computer intrusion. He is linked to at least four major intrusions dating back to when he was 16.
* **Luxury Jewelry Retailer Breach (May 2025):** Exfiltration of data and a $8 million cryptocurrency ransom demand.
* **MGM Resorts & Caesars Entertainment (2023):** High-profile attacks that shut down casino and hotel systems.
* **Recent Campaigns (2024-2025):** Attacks on U.K. retailers (Marks & Spencer, Harrods, Co-op), U.S. insurers, airlines, and health systems (SSM Health, Sutter Health).
* **Total Impact:** Involved in over 100 network intrusions resulting in more than $100 million in ransom payments.
## Tactics, Techniques & Procedures
* **Social Engineering (Help Desk Fraud):** Calling a company's IT help desk pretending to be an employee to trick staff into resetting passwords or approving MFA logins.
* **Phishing:** Orchestrating phishing campaigns to steal credentials and cryptocurrency.
* **Data Extortion:** Stealing sensitive files and threatening public leaks unless a ransom is paid.
* **Lurking:** Joining internal corporate chat tools and monitoring incident response calls to observe how the organization is hunting them.
* **Persistence:** Using stolen credentials to maintain long-term access.
## Targeting
* **Sectors:** Casinos & Hospitality, Retail, Insurance, Airlines, Healthcare, Technology (IT/SaaS).
* **Geography:** Primarily United States and United Kingdom.
* **Victims:** MGM Resorts, Caesars Entertainment, Marks & Spencer, Harrods, Co-op, Twilio, LastPass, Transport for London, SSM Health, Sutter Health, and various luxury jewelry retailers.
## Tools & Infrastructure
* **Infrastructure:** Extensive use of Interpol Red Notices for law enforcement tracking.
* **Exfiltration:** Large capacity storage (e.g., 2-terabyte hard drives seized for data staging).
* **Currencies:** Primarily Cryptocurrency (Bitcoin/Ethereum) for ransom payments.
## Implications
Scattered Spider represents a shift in the threat landscape where high-level technical exploits are bypassed in favor of sophisticated social engineering. The group’s ability to "out-talk" security protocols makes them particularly dangerous to large enterprises with decentralized help desks. While law enforcement is successfully unmasking individual members, the playbook is being widely adopted by other criminal groups, indicating that the "Scattered Spider" methodology will persist even if the original members are incarcerated.
## Mitigations
* **Strict Identity Verification:** Implement more rigorous verification processes for IT help desk password resets (e.g., visual verification or manager approval).
* **Phishing-Resistant MFA:** Deploy hardware security keys (FIDO2/WebAuthn) that cannot be intercepted by traditional phishing or social engineering.
* **Monitor Internal Communications:** Audit corporate chat platforms (Slack, Teams) for unauthorized participants during active incident response.
* **Zero Trust Architecture:** Limit lateral movement through strict micro-segmentation to prevent "one-login-takes-all" scenarios.