DOJ Charges 19-Year-Old Scattered Spider Hacker in $100 Million Crypto Extortion Case

  • DOJ charged alleged Scattered Spider member Peter Stokes following his extradition from Finland.
  • Authorities say the cybercrime group generated more than $100 million through cryptocurrency ransom schemes.
  • The prosecution is part of the FBI’s expanding Operation Riptide targeting cybercrime and digital extortion.

The U.S. Department of Justice has charged a 19-year-old alleged member of the notorious Scattered Spider cybercrime group, marking another major step in the government’s campaign against ransomware and cryptocurrency-enabled extortion.

Peter Stokes, a dual U.S.-Estonian citizen, appeared in federal court in Chicago after being extradited from Finland. Prosecutors accuse him of conspiracy, computer intrusion, and fraud linked to a series of cyberattacks that authorities say generated millions of dollars in losses for businesses.

While the allegations remain unproven until trial, the case highlights growing international cooperation against cybercriminal organizations that increasingly rely on cryptocurrency for ransom payments.

Scattered Spider Built a Massive Cyber Extortion Network

According to federal investigators, Scattered Spider—also tracked by cybersecurity firms as 0ktapus, Octo Tempest, and UNC3944—has been connected to more than 100 network breaches.

Rather than exploiting advanced software vulnerabilities, the group allegedly focuses on social engineering. Investigators say members impersonate trusted contacts or IT staff to convince employees to hand over login credentials. Once inside corporate systems, attackers allegedly steal or encrypt sensitive information before demanding cryptocurrency to restore access or prevent stolen data from being leaked.

The DOJ estimates the syndicate has collected more than $100 million in ransom payments through these operations.

Luxury Retailer Refused an $8 Million Crypto Ransom

One of the central allegations involves a cyberattack against a luxury jewelry retailer in May 2025.

Federal prosecutors claim Stokes and others stole company data before demanding approximately $8 million in cryptocurrency. The retailer ultimately refused to pay after its cybersecurity team removed the attackers from its systems.

Although no ransom was paid, the company reportedly suffered at least $2 million in damages through operational disruption, forensic investigations, and recovery efforts.

Federal officials say incidents like this demonstrate how ransomware attacks can cause severe financial harm even when victims decline extortion demands.

Operation Riptide Expands Pressure on Cybercriminals

The prosecution is part of the FBI’s broader Operation Riptide, an ongoing effort targeting cybercrime and online fraud networks.

Authorities report that Americans lost more than $20 billion to cybercrime last year, representing a sharp year-over-year increase. Since 2020, the Justice Department’s computer crime division has secured convictions against more than 180 cybercriminals while recovering over $350 million for victims.

The latest arrest also reflects increasing global coordination. Finnish authorities worked alongside the DOJ’s Office of International Affairs to extradite Stokes to the United States, underscoring the cross-border nature of modern cybercrime investigations.

The government’s enforcement efforts have recently extended across the wider cryptocurrency ecosystem, including sanctions enforcement, wallet freezes tied to illicit activity, and prosecutions involving crypto-related fraud.

Stokes remains in federal custody as the criminal case moves forward in Chicago. Prosecutors must now prove the allegations in court, while investigators continue pursuing other suspected members of Scattered Spider.

Whether this extradition leads to broader arrests remains to be seen, but the case signals that law enforcement agencies are intensifying efforts against ransomware groups that use cryptocurrency to fuel global cyber extortion.

Disclaimer: The information in this article is for general purposes only and does not constitute financial advice. The author’s views are personal and may not reflect the views of Chain Affairs. Before making any investment decisions, you should always conduct your own research. Chain Affairs is not responsible for any financial losses.