A 19-year-old accused of belonging to the Scattered Spider cybercrime group has been extradited to the United States after Finnish authorities arrested him at Helsinki Airport.
Peter Stokes, a dual US-Estonian citizen, was allegedly trying to board a flight to Japan when authorities detained him in April under an Interpol Red Notice.
He was extradited to the US in late June and appeared before a federal court in Chicago on June 30. The court ordered him to remain in custody while he awaits trial on charges of conspiracy, computer intrusion, and fraud.
Microsoft reportedly played an important role in the investigation by providing Global Device Identifier data to the FBI.
A Global Device Identifier, or GDID, is a unique code connected to a Windows installation. Investigators reportedly used the identifier to connect Stokes’ physical computer hardware with specific online activity and locations.
The information provided to investigators included timestamps connected to his web activity, IP addresses, video game history, Azure account status, and the use of tools such as Ngrok.
This data allowed investigators to link activity from the Windows device to the alleged cyberattacks.
The US Department of Justice alleges that Stokes was a member of Scattered Spider, a cybercrime group also tracked as Octo Tempest, UNC3944 and 0ktapus.
According to the department, the group carried out more than 100 network intrusions that resulted in over $100 million in ransom payments and millions of dollars in additional losses.
Scattered Spider commonly targets company employees and IT help desks through social engineering. Its members allegedly impersonate workers to gain access to corporate accounts before stealing or encrypting data and demanding cryptocurrency payments.
The main complaint against Stokes includes an alleged attack on a US luxury jewelry retailer in May 2025.
The attackers allegedly used Google Voice to contact the company’s IT help desk while posing as employees. They persuaded help-desk workers to reset account credentials and gained access to three accounts, including two with administrator privileges.
The group then allegedly stole company data and demanded approximately $8 million in cryptocurrency.
The retailer’s security team removed the attackers from its network and avoided paying the ransom. However, the company suffered at least $2 million in losses from operational disruption, investigation, and recovery work.
Finnish authorities reportedly found two 2TB hard drives when they arrested Stokes at Helsinki Airport.
Court records allege that the drives contained evidence connected to the investigation.
Investigators had reportedly known Stokes’ real identity since 2024. However, he was still a minor at the time and had been living between Estonia and the United Arab Emirates.
The criminal complaint also includes a Snapchat selfie in which Stokes allegedly hid his face behind several $100 bills.
Investigators compared the wallpaper, carpet and furniture visible in the picture with the interior of the Empire Hotel in New York. They also found that Stokes had visited the hotel’s website while in Germany before travelling to New York.
Prosecutors used these details alongside his internet records, travel activity and device information to build their case.
The FBI’s Chicago Field Office investigated the case with assistance from its Copenhagen office and Finland’s National Bureau of Investigation.
Stokes remains in US custody and is awaiting trial. The charges against him remain allegations, and he is presumed innocent unless proven guilty in court.
Get the latest tech news, telecom insights, and product launches wherever you prefer.
Add ProPakistani to Preferred Sources and see more of our stories in Google Search and Top Stories.