The tools named in the criminal complaint unsealed this week against Peter Stokes are not the gear most readers picture behind a $100 million extortion wave. Federal prosecutors allege the 19-year-old used ngrok, a free tunneling service that lets traffic look like ordinary web traffic; Google Voice, a free phone number system; and what investigators describe as identity-driven social engineering, where help-desk calls are made to sound routine. That combination, repeated across a hacking collective that calls itself Scattered Spider, is the operational anatomy behind the group's run of intrusions, including a reported $8 million cryptocurrency ransom demand against a luxury jewellery retailer and a £39 million attack on Transport for London in 2024.
Stokes, a dual US-Estonian national, was arrested in Finland in April 2026 on an Interpol Red Notice (an international request to locate and detain a fugitive pending extradition) and extradited to the United States this week. He appeared in federal court in Chicago, in the Northern District of Illinois (N.D. Ill.), on a six-count complaint that charges him with computer intrusion, conspiracy, wire fraud, and fraud. A judge ordered him detained after the Tuesday appearance. According to trade-press summaries of the complaint, Stokes operated online under the alias "Bouquet." The complaint ties him to Scattered Spider, a hacking collective that the US Department of Justice (DoJ) says is responsible for more than $100 million in ransom payments across its victims. The arrest lands inside a broader multi-agency US case framework known as Operation Riptide.
The jewellery-retailer case is the most concrete window into how the group, according to the complaint, actually works. According to Recorded Future News and BleepingComputer, both citing the federal complaint, the intruders demanded roughly $8 million in cryptocurrency from a luxury retailer. The company detected the intrusion, evicted the attackers, and did not pay the ransom, but still absorbed a reported loss near $2 million. The attackers used ngrok tunnels to stage their access; abused Google Voice numbers for callback verification (a one-time code sent to a phone to confirm a login attempt); and leaned on social-engineering scripts to convince help-desk staff to reset credentials or bypass multi-factor prompts (extra login checks beyond a password, such as a phone code or hardware key). The same pattern recurs across the case file: a phone call that sounds like an employee; a number that traces back to a free VoIP service (voice-over-internet calling, where a software app acts as a phone line); and an internal system that opens the door.
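For defenders, the pattern described above translates into a correlation rule. The following is an added example, not taken from the complaint or from any reporting on it: it pairs help-desk reset tickets whose callback number is not the one on file (or is a VoIP line) with later DNS queries to ngrok tunnel domains by the same account. The ticket fields, log format, domain list and 24-hour window are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data. "line_type" is assumed to come from whatever
# carrier-lookup source the organisation already uses for phone numbers.
HR_PHONE_ON_FILE = {"asmith": "+13125550101", "bjones": "+13125550102"}
RESET_TICKETS = [
    {"time": "2026-01-12T14:02:00", "user": "asmith", "callback": "+13125550101", "line_type": "mobile"},
    {"time": "2026-01-12T15:40:00", "user": "bjones", "callback": "+17735550199", "line_type": "voip"},
]
# Constructed DNS log lines: timestamp, signed-in user, queried name.
DNS_LOG = """\
2026-01-12T14:30:11 asmith intranet.example.com
2026-01-12T16:05:47 bjones a1b2c3.ngrok-free.app
2026-01-12T16:06:02 bjones www.example.org
"""
# Assumed list of ngrok public tunnel suffixes; confirm against current ngrok docs.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok.dev")
WINDOW = timedelta(hours=24)  # assumed look-ahead after a reset

def ticket_flags(ticket):
    """Return the reasons a reset ticket deserves a second look."""
    flags = []
    if ticket["callback"] != HR_PHONE_ON_FILE.get(ticket["user"]):
        flags.append("callback-not-on-file")
    if ticket["line_type"] == "voip":
        flags.append("voip-callback")
    return flags

def tunnel_queries(log_text):
    """Yield (time, user, name) for DNS queries to the tunnel suffixes."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash
        ts, user, name = parts
        if name.lower().rstrip(".").endswith(TUNNEL_SUFFIXES):
            yield datetime.fromisoformat(ts), user, name

def correlate(tickets, log_text):
    """Pair flagged resets with tunnel DNS activity by the same user within WINDOW."""
    hits = list(tunnel_queries(log_text))
    alerts = []
    for t in tickets:
        flags = ticket_flags(t)
        reset_at = datetime.fromisoformat(t["time"])
        for ts, user, name in hits:
            if flags and user == t["user"] and timedelta(0) <= ts - reset_at <= WINDOW:
                alerts.append({"user": user, "flags": flags, "tunnel": name})
    return alerts
```

Neither signal is conclusive alone, since staff do use VoIP numbers and developers do run ngrok; the pairing within a short window after a reset is what makes the alert worth triaging.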
That playbook explains both the group's reach and its resilience. Scattered Spider does not depend on a small set of elite operators holding custom exploits; it depends on a method. A phone, a tunnel, a borrowed identity, and a help-desk willing to reset a password. Anyone who can run the script can be a node. Removing one node, even a well-connected one, leaves the method intact. Federal prosecutors have now linked two prior guilty pleas to the £39 million 2024 cyber-attack on Transport for London, which the UK's National Crime Agency attributes to Scattered Spider, suggesting the collective's reach extends well beyond the US retail sector. The Operation Riptide framework, with its $20 billion broader cybercrime loss figure cited by the Washington Times, is the legal wrapper for that pressure campaign.
The Finland case adds a second-order detail: Scattered Spider's operators and affiliates appear comfortable moving across jurisdictions, from the Baltic states to the Nordics, with arrests and extraditions as the friction point rather than the destination. US authorities used an Interpol Red Notice to bring Stokes to the Northern District of Illinois. The UK National Crime Agency, working with the US side, has tied prior guilty pleas in the Transport for London matter to the same collective. The pattern suggests Scattered Spider's geography is not a defense: where the targets are, the indictments follow. But the complaint is an indictment, not a conviction. All charges are alleged, and Stokes is presumed innocent unless and until proven otherwise.
What to watch is whether the next indictment names anyone further up the chain. The complaint unsealed against Stokes describes him as an alleged member of Scattered Spider; the federal case file does not name him as a leader, and it does not point to a single mastermind. If a subsequent complaint goes higher, the resilience thesis still holds, and the toolkit question, social engineering rather than exploits, remains the real story. If no further charges follow in this extradition cycle, then the FBI complaint's own description of the group, scattered, alias-driven, and tooling-light, becomes the part that ages best. Either way, the operational anatomy is now on the public record, and it does not require a single mastermind to keep running.