Bouquet Unmasked: Chicago Teen Peter Stokes Charged as Scattered Spider Member After Finland Airport Arrest

Federal prosecutors in Chicago unsealed charges today against Peter Stokes, a 19-year-old dual US-Estonian citizen who allegedly operated inside the Scattered Spider cybercrime collective under the handle β€œBouquet.” The six-count complaint β€” originally filed under seal in December 2025 β€” charges Stokes with wire fraud, conspiracy, and computer intrusion counts tied to at least four corporate breaches, the first of which prosecutors say he participated in at the age of 16.

Stokes was arrested on April 10, 2026, at Helsinki-Vantaa airport by Finnish law enforcement as he allegedly attempted to board a flight to Japan. Two 2-terabyte hard drives were seized at the time of arrest. He remains in Finnish custody while US and Finnish authorities work through the extradition process; the case is expected to be transferred to the US District Court for the Northern District of Illinois in Chicago.

Who Is Peter Stokes

Nineteen years old, based in the Chicago area, holding dual citizenship in the United States and Estonia β€” Peter Stokes is the kind of defendant whose biography does not fit the archetype people carry in their heads when they imagine cybercriminals capable of extorting nine-figure corporations out of millions of dollars.

That mismatch is the point. Scattered Spider has always been a collective built around young people β€” teenagers and early-twentysomethings, many of them from English-speaking Western countries, recruited through gaming communities and online forums, and trained in a highly effective form of social engineering that requires no technical sophistication beyond a willingness to make phone calls and lie convincingly.

According to prosecutors, Stokes joined that world at 16. His first alleged breach β€” a March 2023 hack of an online communication platform that forced the victim company to pay millions in ransom β€” happened when he was still a minor by US federal standards. The complaint was filed in December 2025 and sat sealed for four months before Stokes was located in Finland.

The Alleged Crimes

The most significant attack alleged in the complaint is a May 2025 intrusion against an unnamed multibillion-dollar β€œluxury item retailer.” The playbook used was textbook Scattered Spider: members of the group called the target company’s IT helpdesk, posed as employees whose authentication had lapsed, and talked their way into credential resets. Once they had valid employee credentials, they escalated to administrator accounts.

From that position, they claimed to have exfiltrated 100 gigabytes of data. They followed with a ransom demand of $8 million.

The specific retailer has not been publicly identified in the complaint. The dollar figure of the demand and the scale of the data claimed suggest a major brand-name target, and the attack methodology β€” social engineering the helpdesk to reset MFA, then moving laterally to admin β€” is the same pattern Scattered Spider has used against every major victim since at least 2022.

Prosecutors say Stokes was involved in at least three additional breaches, with the March 2023 communication platform hack being the earliest. The full scope of his alleged participation across those incidents has not been detailed in publicly available portions of the complaint.

Why Finland, Why Japan

The geography of Stokes’s arrest tells its own story. He was stopped at Helsinki airport while allegedly trying to board a Japan-bound flight β€” which suggests he was aware, or at least suspected, that US authorities were moving on him. The December 2025 complaint had been filed under seal four months earlier. Whether Stokes had been tipped off or was simply being cautious, his chosen route β€” through Finland to Japan β€” reflects a calculation that Western Europe and East Asia offer more friction against US extradition than staying in the United States or moving through a straightforward ally.

That calculation was wrong. Finland, as a member of the European Union, maintains extradition arrangements with the United States that make it a functional extension of the US extradition perimeter. The Mutual Legal Assistance Treaty framework between the EU and the US, combined with INTERPOL coordination mechanisms, means a wanted US citizen attempting to transit through a Schengen country is not in a safe harbor β€” they are in a jurisdiction that will hand them over.

The two 2-terabyte drives seized at arrest are potentially significant. External drives of that size, carried through an international airport, either contain evidence of ongoing operations or represent an effort to keep data out of reach of a device seizure at a fixed location. Forensic analysis will likely be a significant part of the prosecution’s evidence base.

The Scattered Spider Takedown, By the Numbers

Peter Stokes is not the first Scattered Spider member to face US federal charges. He is the latest in a systematic effort by the FBI and DOJ to work through the collective’s known membership that has been running in earnest since late 2023 and accelerated significantly in 2025–2026.

The arc of Scattered Spider prosecutions now includes:

  • Five members charged in November 2024 for a series of breaches in which they collectively stole $11 million.
  • Noah Michael Urban (aliases β€œSosa” and β€œElijah”) β€” pleaded guilty to wire fraud and related charges.
  • Tyler Buchanan (alias β€œTylerB”), a UK national, pleaded guilty to his role in the group’s attacks. We covered Buchanan’s guilty plea here.
  • A British member who stole $8 million in cryptocurrency pleaded guilty in April 2026.
  • Peter Stokes (alias β€œBouquet”) β€” charges unsealed today, April 28, 2026.

The acceleration of this prosecution timeline β€” multiple members charged, arrested, or pleading guilty within the same calendar year β€” reflects both the intensity of FBI investigative attention and the practical reality that a loose-knit, English-speaking collective leaves a much larger digital trail than a disciplined nation-state operation. These defendants communicated on Discord, used handles that carried social reputation within gaming communities, and in some cases bragged about their access in channels that federal investigators were monitoring.

The Helpdesk Vulnerability That Won’t Go Away

Every Scattered Spider case eventually comes back to the same root cause: IT helpdesks that can be manipulated into resetting credentials over the phone.

The May 2025 luxury retailer attack alleged against Stokes used the exact same social engineering vector that Scattered Spider used against MGM Resorts in 2023 β€” a breach that cost MGM more than $100 million in operational disruption, ransom payments, and recovery costs. The Caesars breach that preceded it used the same technique. Dozens of other victims across hospitality, telecommunications, and retail have been hit the same way.

The vector is not novel. CISA, the FBI, and multiple industry ISACs have published guidance on securing IT helpdesks against identity impersonation since 2023. The mitigations are not technically complex: require in-person identity verification for high-privilege account resets, impose callback verification to known-good numbers, flag requests originating from unknown devices, and log all helpdesk interactions for post-incident review.

The fact that this vector continues to work β€” that a group of teenagers can call a major corporation’s IT helpdesk, claim to be an employee, and obtain credentials that give them administrator access β€” is not a Scattered Spider problem. It is an enterprise identity verification problem that Scattered Spider is exploiting, and that will continue to be exploited by whoever comes next.

The Recruitment Pipeline Problem

Peter Stokes was 16 when he allegedly committed his first breach. That age needs to be the center of any serious policy conversation about Scattered Spider, because it is not an anomaly.

Scattered Spider has no formal membership, no headquarters, no organizational hierarchy in the traditional sense. It is a social network with a skill set, and that social network runs through gaming communities, Discord servers, and online forums where participants gain status through demonstrated capability. For a 15- or 16-year-old with technical curiosity and limited income, the path from gaming forum to Scattered Spider-adjacent activity is not a dramatic radicalization journey. It is a series of small steps: joining the right Discord, impressing the right people, getting invited to the right channel, and discovering that the social engineering skills that work on online games also work on corporate IT departments.

The FBI and DOJ can work through the known membership of Scattered Spider. They are demonstrably doing so. What they cannot prosecute is the next cohort of 16-year-olds who are currently at the first step of that path. The Stokes prosecution, like the Buchanan prosecution before it, is enforcement against a fully formed criminal career β€” not intervention at the point where intervention would actually matter.

That gap between where the criminal justice system reaches and where the pipeline actually starts is the structural problem that no amount of extradition proceedings in Helsinki will solve.

Current Status

Peter Stokes remains in Finnish custody as of April 28, 2026. Extradition proceedings are underway. No arraignment date in the US has been publicly set. Zhang Yu β€” the unnamed co-conspirator in the Xu Zewei/Silk Typhoon case β€” remains at large; the Stokes case involves a separate set of alleged conspirators whose identities have not been publicly disclosed.

The Northern District of Illinois case will be the sixth known federal prosecution of a Scattered Spider-affiliated defendant in the past two years. It will not be the last.

Breached.Company tracks cybercrime arrests, breach disclosures, and signals intelligence across major threat actor groups. For Scattered Spider-specific monitoring and enterprise social engineering defense resources, see CISO Marketplace.