INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Alleged Scattered Spider hacker extradited to US
| 2026-07-02 08:58 CRITICAL MEDIUMExecutive Summary AI-generated
The Scattered Spider hacking collective, a loosely knit group of teenagers and young adults from the United States and Great Britain, has been linked to numerous high-profile breaches, extorting millions of dollars in ransom payments, and disrupting essential operations. With over 100 network intrusions under their belt, they have consistently targeted U.S. companies, causing widespread damage and disruption. Their tactics include social engineering, MFA bombing, SMS credential phishing attacks, and exploiting vulnerabilities to steal sensitive documents and credentials. The group's list of victims includes luxury item retailers, high-profile organizations such as Caesars, MGM Resorts, and Reddit, with some breaches dating back to 2022. Peter Stokes, a dual U.S.-Estonian citizen, has been extradited to the United States to face charges related to his involvement in these hacking collective operations.
Technical Mitigations AI-generated
* Implement multi-factor authentication (MFA) for all users, especially those who access sensitive data or systems. This can include using authenticator apps like Google Authenticator or Authy, and enabling two-factor authentication whenever possible.
* Use a reputable antivirus software that includes real-time protection and has been tested by independent labs such as AV-Test.org or VirusTotal.com.
* Regularly update operating system (OS) and application versions to ensure you have the latest security patches. This can be done through automatic updates, manual checks for known vulnerabilities, and keeping your OS up-to-date with the latest security fixes.
* Use a secure web browser like Tor Browser or Firefox Secure, which has built-in protection against phishing attacks and malware.
* Be cautious when clicking on links or downloading attachments from unknown sources. Scammers often use social engineering tactics to trick users into installing malware or revealing sensitive information.
Note: These are general recommendations and not specific technical mitigations for the alleged Scattered Spider hacking collective.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Scattered SpiderScattered Spider
RoverRover
Target & Sectors
NORTH_AMERICA
NORTH_AMERICA
retailretail
Incident Timeline
March 2023
Threat actors used Scattered Spider to target an online communication platform when Stokes was 16 years old.
Click on any entity below to view its context and source!
threat_actor
Scattered Spider
According to
court documents
, Stokes was involved in at least four Scattered Spider breaches (including a March 2023 hack of an online communication platform, when he was 16 years old) that led to victim companies being asked to pay millions of dollars in ransoms.
May 2025
Scattered Spider hackers used a blend of social engineering, targeted multi-factor authentication (MFA) bombing and SMS credential phishing attacks to steal user credentials.
Click on any entity below to view its context and source!
threat_actor
Scattered Spider
Scattered Spider (also tracked as
0ktapus
,
Octo Tempest
,
Scatter Swine
,
UNC3944
, and
Muddled Libra
) emerged in 2022 as a loosely knit hacking collective mainly composed of teenagers and young adults from the United States and Great Britain.
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
Peter Stokes (U.S. Department of Justice)
"The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100 million in ransom payments and millions more in damages to the victims,"
said Assistant Attorney General A. Tysen Duva
on Wednesday.
"Scattered Spider has repeatedly targeted U.S. companies, extorting employees, inflicting millions of dollars in losses, and disrupting essential operations," added Assistant Director Brett Leatherman of the FBI's Cyber Division.
organisation
Caesars
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
MGM Resorts
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
DoorDash
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
MailChimp
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
Allianz Life
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
Transport for London
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
Marks & Spencer
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
Jaguar Land
Scattered Spider's list of victims includes many high-profile organizations, including
Caesars
,
MGM Resorts
,
Riot Games
,
DoorDash
,
Reddit
,
MailChimp
,
Twilio
,
Allianz Life
,
Transport for London (TfL)
, multiple UK retailers such as
Co-op
,
Marks & Spencer (M&S
), and
Harrods
, and, more recently,
WestJet
and
Jaguar Land Rover (JLR)
.
organisation
U.S. Department of Justice
Peter Stokes (U.S. Department of Justice)
"The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100 million in ransom payments and millions more in damages to the victims,"
said Assistant Attorney General A. Tysen Duva
on Wednesday.
infrastructure
Android
According to prosecutors, they commonly use the Genymobile Android emulator
during their MFA attacks
and have also deployed DragonForce encryptor in ransomware attacks
against UK retail companies
.
organisation
Genymobile Android
According to prosecutors, they commonly use the Genymobile Android emulator
during their MFA attacks
and have also deployed DragonForce encryptor in ransomware attacks
against UK retail companies
.
organisation
DragonForce
According to prosecutors, they commonly use the Genymobile Android emulator
during their MFA attacks
and have also deployed DragonForce encryptor in ransomware attacks
against UK retail companies
.
organisation
MFA
They are known
for using a blend of social engineering, targeted multi-factor authentication (MFA) bombing (aka MFA fatigue), and SMS credential phishing attacks to steal user credentials and sensitive documents for extortion leverage after breaching their targets' networks.
organisation
SMS
They are known
for using a blend of social engineering, targeted multi-factor authentication (MFA) bombing (aka MFA fatigue), and SMS credential phishing attacks to steal user credentials and sensitive documents for extortion leverage after breaching their targets' networks.
organisation
EDR
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
financial
$8 ransom
While the threat actors demanded an $8 million ransom, claiming to have 100 gigabytes of stolen data, the company refused to pay.
data_breach
100 gigabytes
While the threat actors demanded an $8 million ransom, claiming to have 100 gigabytes of stolen data, the company refused to pay.
financial
$2 Entities
However, it still incurred over $2 million due to operations disruption and remediation costs.
2025/07/02
Threat actors used Lapsus$ to hack into the email accounts of Scattered Lapsus$ Hunters.
Click on any entity below to view its context and source!
organisation
Lapsus$
Last year, some members seemed to join forces with others from Lapsus$ and ShinyHunters to form
Scattered Lapsus$ Hunters.
organisation
ShinyHunters
Last year, some members seemed to join forces with others from Lapsus$ and ShinyHunters to form
Scattered Lapsus$ Hunters.
organisation
Scattered Lapsus$ Hunters
Last year, some members seemed to join forces with others from Lapsus$ and ShinyHunters to form
Scattered Lapsus$ Hunters.
September 2025
Thalha Jubair, a 20-year-old hacker from East London, is wanted in the United States.
Click on any entity below to view its context and source!
target_region
United States
One of the duo, Thalha Jubair, 20, from East London, is wanted in the US, according to
charges unsealed in September 2025.
April 10
Peter Stokes was arrested in Finland on April 10 while attempting to board a flight to Japan.
Click on any entity below to view its context and source!
source_region
Jordan
19-year-old Peter Stokes (who used the online handles "Bouquet," "Spencer," and "Jordan") was arrested in Finland on April 10 while attempting to board a flight to Japan at Helsinki's airport and is accused of having helped extort millions of dollars from multiple high-profile companies worldwide.
source_region
Finland
19-year-old Peter Stokes (who used the online handles "Bouquet," "Spencer," and "Jordan") was arrested in Finland on April 10 while attempting to board a flight to Japan at Helsinki's airport and is accused of having helped extort millions of dollars from multiple high-profile companies worldwide.
source_region
Japan
19-year-old Peter Stokes (who used the online handles "Bouquet," "Spencer," and "Jordan") was arrested in Finland on April 10 while attempting to board a flight to Japan at Helsinki's airport and is accused of having helped extort millions of dollars from multiple high-profile companies worldwide.
2026/06/25
The alleged Scattered Spider hacker was extradited to the United States and charged with conspiracy, computer intrusion, and fraud.
Click on any entity below to view its context and source!
target_region
United States
The teen was extradited to the US last week and has been charged with conspiracy, computer intrusion, and fraud, according to the DoJ.
“The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100m in ransom payments and millions more in damages to the victims,” said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.
threat_actor
Scattered Spider
The teen was extradited to the US last week and has been charged with conspiracy, computer intrusion, and fraud, according to the DoJ.
“The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100m in ransom payments and millions more in damages to the victims,” said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.
general_metric
100 network intrusions
The teen was extradited to the US last week and has been charged with conspiracy, computer intrusion, and fraud, according to the DoJ.
“The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100m in ransom payments and millions more in damages to the victims,” said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.
organisation
the Justice Department’s Criminal Division
The teen was extradited to the US last week and has been charged with conspiracy, computer intrusion, and fraud, according to the DoJ.
“The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100m in ransom payments and millions more in damages to the victims,” said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.
financial
$100 Stolen / Extorted Funds
The teen was extradited to the US last week and has been charged with conspiracy, computer intrusion, and fraud, according to the DoJ.
“The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100m in ransom payments and millions more in damages to the victims,” said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.
organisation
Transport for London
His arrest follows the
conviction of two youngsters
last week for hacking Transport for London (TfL) in an attack which cost the transport authority an estimated £29m ($38m) in losses and recovery costs.
financial
£29 £ estimated
His arrest follows the
conviction of two youngsters
last week for hacking Transport for London (TfL) in an attack which cost the transport authority an estimated £29m ($38m) in losses and recovery costs.
June 30
Peter Stokes was arrested in Finland.
Click on any entity below to view its context and source!
source_region
Finland
Peter Stokes, 19, is a dual US and Estonian citizen but was arrested in Finland in April, according to a criminal complaint
unsealed on June 30
.
source_region
United States
Peter Stokes, 19, is a dual US and Estonian citizen but was arrested in Finland in April, according to a criminal complaint
unsealed on June 30
.
source_region
Estonia
Peter Stokes, 19, is a dual US and Estonian citizen but was arrested in Finland in April, according to a criminal complaint
unsealed on June 30
.
2026/07/02
The alleged Scattered Spider hacker was extradited to the United States by the FBI.
Click on any entity below to view its context and source!
target_region
United States
“The charges unsealed today are the result of years of work by the Criminal Division, the US Attorney’s Office for the Northern District of Illinois, and the FBI.
attribution
FBI
“The charges unsealed today are the result of years of work by the Criminal Division, the US Attorney’s Office for the Northern District of Illinois, and the FBI.
attribution
the Criminal Division
“The charges unsealed today are the result of years of work by the Criminal Division, the US Attorney’s Office for the Northern District of Illinois, and the FBI.
2026/07/02
Noah Michael Urban, a 20-year-old alleged Scattered Spider member, has been extradited to the United States.
Click on any entity below to view its context and source!
threat_actor
Scattered Spider
Alleged Scattered Spider hacker extradited to the United States.
A dual United States and Estonian citizen has been extradited to the U.S. to face charges alleging he was a member of the Scattered Spider hacking collective.
Alleged Scattered Spider Member Extradited to US.
The US Justice Department has announced the arrest and extradition of a teenager accused of various hacking-related offenses as part of the infamous Scattered Spider group.
Is the Net Closing on Scattered Spider?
Although the charges at this time are not proven, Stokes would fit the alleged profile of Scattered Spider members, who tend to be young men.
According to reports, Noah Michael Urban, 20, was a core member of Scattered Spider.
financial
$115 victims
They allege he participated in at least 120 computer network intrusions and extortion involving 47 US entities, with victims paying $115m or more in ransom payments to Jubair and his associates.
organisation
The US Justice Department
The US Justice Department has announced the arrest and extradition of a teenager accused of various hacking-related offenses as part of the infamous Scattered Spider group.
organisation
the Net Closing on
Is the Net Closing on Scattered Spider?
organisation
the
Jaguar Land
However, it was recently claimed that the group’s claims it was responsible for the
Jaguar Land Rover (JLR) breach were false.
organisation
DoJ
Stokes is accused of conspiring with other members of the group to breach the network of a luxury jewelry retailer, steal data and attempt to extort the firm for $8m. According to the DoJ, the company didn’t pay, but it still suffered losses of $2m+ due to business disruption, incident response and other associated costs.
financial
$8 $ m.
Stokes is accused of conspiring with other members of the group to breach the network of a luxury jewelry retailer, steal data and attempt to extort the firm for $8m. According to the DoJ, the company didn’t pay, but it still suffered losses of $2m+ due to business disruption, incident response and other associated costs.
Tactical Metrics
Metrics
infrastructure
Android
Affected Product
Click for context!
According to prosecutors, they commonly use the Genymobile Android emulator
during their MFA attacks
and have also deployed DragonForce encryptor in ransomware attacks
against UK retail companies
.
Metrics
financial
8,000,000
Ransom
While the threat actors demanded an $8 million ransom, claiming to have 100 gigabytes of stolen data, the company refused to pay.
Metrics
data_breach
100
Gigabytes
While the threat actors demanded an $8 million ransom, claiming to have 100 gigabytes of stolen data, the company refused to pay.
Metrics
financial
2,000,000
Financial Impact
However, it still incurred over $2 million due to operations disruption and remediation costs.
Metrics
financial
100,000,000
Stolen / Extorted Funds
The teen was extradited to the US last week and has been charged with conspiracy, computer intrusion, and fraud, according to the DoJ.
“The criminal complaint charges Peter Stokes with membership in Scattered Spider, a hacking group that has been involved in over 100 network intrusions, resulting in more than $100m in ransom payments and millions more in damages to the victims,” said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.
Metrics
financial
115,000,000
Victims
They allege he participated in at least 120 computer network intrusions and extortion involving 47 US entities, with victims paying $115m or more in ransom payments to Jubair and his associates.
Metrics
financial
29,000,000
£ Estimated
His arrest follows the
conviction of two youngsters
last week for hacking Transport for London (TfL) in an attack which cost the transport authority an estimated £29m ($38m) in losses and recovery costs.
Metrics
financial
8
$ M.
Stokes is accused of conspiring with other members of the group to breach the network of a luxury jewelry retailer, steal data and attempt to extort the firm for $8m. According to the DoJ, the company didn’t pay, but it still suffered losses of $2m+ due to business disruption, incident response and other associated costs.
Intelligence Sources
BleepingComputer
2026-07-02
Alleged Scattered Spider hacker extradited to the United States
BleepingComputer
Infosecurity-Magazine
2026-07-02
Alleged Scattered Spider Member Extradited to US
Infosecurity-Magazine
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-02T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
22x
organisation
Identified Entity
Genymobile Android
entity
13x
timeline
Temporal Reference
19-year-old
date
5x
source region
Origin Country
Jordan
country
4x
tactic
Cyber Operation Type
Ransomware
tactic
3x
target region
Target Country
United States
country
3x
attribution
Attributing Entity
FBI
authority
2x
general metric
Network Intrusions
100
network intrusions
2x
general metric
%
54
%
Contextual Telemetry
Context Block
12 METRICS
threat actor
APT Group
Scattered Spider
actor
industry
Targeted Sector
Retail
sector
infrastructure
Affected Product
Android
software
malware
Malware Payload
Rover
tool
financial
Ransom
8,000,000
ransom
data breach
Gigabytes
100
gigabytes
financial
Financial Impact
2,000,000
entities
financial
Stolen / Extorted Funds
100,000,000
$
general metric
Us Entities
47
us entities
financial
Victims
115,000,000
victims
financial
£ Estimated
29,000,000
£ estimated
financial
$ M.
8
$ m.
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.