US Unseals Federal Charges Against Scattered Spider’s ‘Bouquet’ — Extradition from Finland Now Pending

The United States has formally unsealed federal charges against Peter Stokes, 19, the British national arrested in Finland on April 10, 2026, and alleged to be a core member of Scattered Spider operating under the handle “Bouquet.” The six-count complaint, filed in the Northern District of Illinois, lays out at least four separate intrusions since March 2023, a ransom demand of $8 million against an unnamed luxury retailer, and the seizure of two 2TB hard drives at the time of his Helsinki arrest.

We covered his arrest in detail when Finnish police detained him last month. The unsealing of charges is a distinct development: it is the first formal articulation by US prosecutors of what they believe Stokes did, the scope of the conspiracy they intend to prove at trial, and the legal basis on which they will seek his extradition.

What the Six-Count Complaint Covers

The complaint charges Stokes with wire fraud conspiracy, substantive wire fraud, computer fraud conspiracy (in violation of 18 U.S.C. § 1030), substantive computer fraud, and related counts. The statutory framework is familiar from prior Scattered Spider prosecutions — the same charges were used against the five members indicted in the Central District of California in November 2023.

Prosecutors allege Stokes participated in at least four Scattered Spider intrusions between March 2023 and the date of his arrest. The complaint does not name all victim organizations by their public names — standard practice in ongoing investigations — but describes a luxury retailer as one target, against whom the group demanded $8 million in ransom. A demand of that scale implies a significant operational intrusion: Scattered Spider’s model typically involves social engineering the help desk to bypass MFA, lateral movement to the backup and virtualization infrastructure, and data exfiltration before detonating ransomware. At $8 million, this was not a commodity attack.

The two 2TB hard drives seized when Finnish police arrested Stokes in Helsinki are almost certainly central to the government’s case. Drive imaging in international cases becomes part of the extradition evidence package; anything recovered — communications, malware tooling, cryptocurrency wallet files, victim network credentials — will form the evidentiary core of the Chicago prosecution.

How Finland-to-US Extradition Works

The United States and Finland operate under a bilateral extradition treaty. The process, once US charges are unsealed and a formal extradition request is submitted through diplomatic channels, typically runs as follows:

US prosecutors submit a formal extradition request to the Department of Justice’s Office of International Affairs, which routes it through the State Department to the Finnish Ministry of Justice. The request includes the unsealed complaint, a summary of evidence, and certification that the charged conduct is a crime under both US and Finnish law (the dual criminality requirement).

Finnish courts review the request. Finland’s extradition process is judicial, not purely executive — a Finnish court must find that the dual criminality and evidentiary threshold requirements are met before authorizing surrender. Stokes, as a British national arrested on Finnish soil, may also contest the request on human rights or procedural grounds, which can extend timelines.

Appeals are possible. If the Finnish court authorizes extradition, Stokes can appeal to the Finnish Court of Appeal and, ultimately, the Supreme Court. His legal team is likely already working on this. The average contested extradition from Finland to the US has historically taken between six months and two years from arrest to physical surrender.

The Northern District of Illinois — Chicago — is handling the prosecution. That jurisdiction is notable: it suggests at least one of the four alleged intrusions had a nexus to the Chicago area, or that a corporate victim’s principal place of business falls within that district.

Where Stokes Fits in the Scattered Spider Prosecution Timeline

The US government’s case against Scattered Spider has been building methodically since the group’s high-profile attacks on MGM Resorts International and Caesars Entertainment in September 2023 — operations that together cost MGM over $100 million in recovery costs and led Caesars to pay an estimated $15 million ransom.

The November 2023 indictment named five members: Noah Michael Urban (19, Florida), Joel Martin Evans (25, North Carolina), Tyler Robert Buchanan (22, UK), Ahmed Hossam Eldin Elbadawy (23, Texas), and Evans Onyeaka Osiebo (20, Texas). Of those, Buchanan — arrested in Spain — remains the highest-profile extradition case still in progress.

Stokes is a more recent addition to the charged roster. His April 2026 arrest in Finland and the now-unsealed Chicago complaint mark him as the latest publicly identified member to face US prosecution. Notably, he was 19 at arrest — meaning his alleged participation in intrusions dating to March 2023 began when he was approximately 16 or 17 years old.

This is consistent with what law enforcement and researchers have said about Scattered Spider’s membership demographics: the group recruited heavily from teenage communities on Telegram, Discord, and hacking forums, and several members are alleged to have been minors at the time of their first intrusions.

What the Luxury Retailer Attack Reveals

The $8 million ransom demand against a luxury retailer is the most operationally revealing detail in the publicly available complaint summary. Scattered Spider’s intrusion methodology — particularly as documented in the MGM and Caesars attacks — relies heavily on vishing (voice phishing) of IT help desks, impersonating employees to trigger MFA resets and account access. Once inside, the group moves to VMware ESXi infrastructure, domain controllers, and backup systems before threatening to both encrypt and exfiltrate data.

An $8 million demand against a luxury retailer suggests a victim organization with significant revenue and a reputation to protect — exactly the profile Scattered Spider has historically targeted. High-end brands are particularly vulnerable to data extortion because their customer lists (names, addresses, purchase histories, payment records) are exactly the kind of information their clientele would find mortifying to see published.

Whether the luxury retailer paid is not disclosed in the complaint summary. Given that the group’s broader campaign history shows mixed results — MGM refused to pay, Caesars paid — the outcome here remains unknown publicly.

The Extradition Parallel: Buchanan and Stokes

Tyler Robert Buchanan, the UK national arrested in Spain in June 2024 on a US extradition warrant related to Scattered Spider, remains the most comparable extradition case in progress. Spain’s extradition process has proceeded slowly, with Buchanan contesting the proceedings. His case has become a reference point for how long Scattered Spider prosecutions can be delayed through extradition litigation.

Stokes’s legal team will be watching Buchanan’s proceedings closely. The arguments available in Finland may differ from those in Spain — Finland’s EU membership and strong rule-of-law reputation may mean less political friction on the extradition request itself, but Finnish courts are thorough, and any substantive legal challenge to the dual criminality standard or evidentiary sufficiency will get a real hearing.

What This Means for the Broader Case

Each new arrest and unsealed complaint does two things for the US government’s prosecution strategy. First, it creates additional cooperating witness opportunities — defendants facing multi-year federal sentences have historically been willing to provide testimony about co-conspirators in exchange for sentencing concessions. Second, it maps the group’s organizational structure more precisely, which helps prosecutors build the conspiracy charges that define Scattered Spider’s collective liability rather than just individual intrusions.

The group’s alleged membership is international — US nationals, a British national in Spain, now a British national in Finland. That geographic spread creates both complications (multiple extradition processes running simultaneously) and opportunities (each jurisdiction’s arrest produces its own device seizures and digital evidence).

The timeline from Buchanan’s June 2024 arrest to a potential US trial suggests Stokes, if extradited, is unlikely to face trial before 2027 or 2028. In the interim, the hard drives seized in Helsinki will be thoroughly analyzed.

Sources

• CyberPress: “U.S. Charges Suspected Scattered Spider Member for Infiltrating Sensitive Computer Systems”
• Hoodline: “Chicago Teen Busted in Finland in Alleged Scattered Spider Hack Spree”
• DOJ, November 2023 Scattered Spider indictment (Central District of California)
• Breached.Company: “Scattered Spider’s ‘Bouquet’ Arrested in Finland”

Breached.Company covers state-sponsored cyber and hybrid threats, breach disclosures, and signals intelligence for the security community. For threat intelligence retainers and vCISO consulting, CISO Marketplace connects you with vetted advisors.