
Federal authorities say a 19-year-old Chicago native with ties to a notorious global hacking ring was stopped at an airport halfway around the world before he could board a flight to Japan.
Peter Stokes, a dual U.S.-Estonia citizen, was charged in a federal complaint accusing him of taking part in high-profile intrusions linked to the transnational hacking cluster known as Scattered Spider. Prosecutors and investigators say the case is part of a broader crackdown on a group blamed for disruptive cyberattacks on major retailers, airlines and gaming giants.
Stokes was arrested in Finland on April 10 while allegedly trying to board a Japan-bound flight, according to court papers and reporting. The complaint says he used the online handle "bouquet," and that Finnish authorities seized two two-terabyte hard drives when they detained him, as reported by the Chicago Tribune.
Prosecutors allege Stokes was involved in at least four Scattered Spider intrusions. One of them, according to the complaint, was a May 2025 attack on a multibillion-dollar luxury retailer identified in filings only as "Company F," where investigators say the hackers demanded $8 million and claimed they had swiped roughly 100 gigabytes of data. The complaint also ties him to a March 2023 breach of an online-communications platform and cites a message attributed to Stokes that reads, "u have 30 mins before i kick u off btw," according to the Chicago Tribune.
What Stokes Is Accused Of
The unsealed complaint charges Stokes with wire fraud, conspiracy and computer intrusion counts connected to a six-count federal case filed in December 2025. Prosecutors say those counts reflect a pattern of social-engineering intrusions that started at enterprise help desks, then allegedly moved deeper into corporate networks to steal data or disrupt operations.
Scattered Spider's Playbook
Security researchers and government agencies have described Scattered Spider, which Microsoft tracks as "Octo Tempest," as a loose, English-speaking network that leans on carefully crafted social engineering instead of mass-exploitation tactics. Microsoft has warned that the group has at times shifted its focus toward airlines and other critical sectors, while federal advisories from agencies such as CISA describe its reliance on SMS phishing, SIM swapping and impersonating help-desk staff. Both Microsoft and CISA have published detailed guidance on defending against those threats.
Related Prosecutions And Enforcement
The case against Stokes is unfolding alongside a string of prosecutions tied to the same loose-knit collective. One alleged senior member, Tyler Robert Buchanan, recently pleaded guilty in the U.S. to text-message phishing that prosecutors say helped steal at least $8 million in virtual currency, according to KrebsOnSecurity. Investigators say the prosecutions highlight growing international cooperation aimed at disrupting a network that moves fluidly across borders and platforms.
What Happens Next
Stokes remains in the middle of an international transfer process as Finnish authorities and American prosecutors coordinate next steps. The case will proceed through federal court, where the government must prove its allegations.
For Chicago residents and local businesses, the indictment serves as a pointed reminder that many modern cyberattacks start with social engineering, not exotic code. Defenders are urged to tighten help-desk procedures, avoid relying on SMS as the sole method for multifactor authentication whenever possible and require stronger authentication for privileged accounts.
Court records and reporting also note that Stokes' public posts featured images of luxury travel and a diamond-studded "hack the planet" necklace, details prosecutors flagged while describing alleged motive and lifestyle in their filings. The investigation is ongoing, and officials have not yet announced a timetable for possible extradition.









