devtake.dev

A Scattered Spider suspect was extradited to the U.S. as three members pleaded guilty

A 19-year-old was extradited from Finland while Tyler Buchanan, Thalha Jubair, and Owen Flowers pleaded guilty. Scattered Spider's legal reckoning has arrived.

Luca Reinhardt · · 4 min read · 4 sources
A stone courthouse with a clock tower against a blue sky, standing in for the U.S. and U.K. courts now prosecuting Scattered Spider members.
Renegomezphotography / CC BY-SA 4.0 via Wikimedia Commons · Source

Peter Stokes stepped off a flight from Finland and into a Chicago federal courtroom last week. He’s the newest alleged member of Scattered Spider to face U.S. charges, and he arrives in a year when the crew that humbled Las Vegas casinos is finally losing its anonymity.

What we know

The cases have piled up fast, and they span two countries. Prosecutors in the U.S. and the U.K. have now secured guilty pleas or custody from four alleged members of the group in 2026, tied to breaches that hit casinos, a transit authority, and a jewelry chain. For a crew that ran on being untouchable, mostly teenagers and twenty-somethings hiding behind aliases and each other, that’s a real shift. Extortion works partly because the people running it stay ghosts. Naming them and walking them into a courtroom chips away at the model that made the group so hard to deter. Here’s what the filings and court reporting confirm:

  • Stokes, 19, a dual U.S.-Estonian citizen who used the handle “Bouquet,” was arrested in Finland in April on an Interpol Red Notice and extradited to Chicago, the Justice Department said. He’s charged in the Northern District of Illinois with conspiracy, computer intrusion, and fraud, and a judge ordered him held.
  • The complaint alleges Stokes and co-conspirators breached a luxury jewelry retailer in May 2025, stole its data, and demanded roughly $8 million in cryptocurrency, causing more than $2 million in losses.
  • Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty in April in the Central District of California to conspiracy to commit wire fraud and aggravated identity theft, admitting a SIM swapping and phishing spree that stole at least $8 million in crypto. He’s set for sentencing on August 21.
  • In London, Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty on the first day of their trial on June 23 to attacks that crippled Transport for London in 2024. Flowers is the member who gave anonymous press interviews after the 2023 casino hits, according to Krebs.

Andrew Boutros, the U.S. attorney for the Northern District of Illinois, was blunt about the intent. “The malicious attacks from Scattered Spider caused widespread disruption to businesses and organizations throughout the United States,” he said in the statement announcing the extradition. The department ties the wider group to about 120 network intrusions against 47 U.S. entities and at least $115 million in ransom payments since 2022.

Who Scattered Spider are

Scattered Spider isn’t a tidy org chart. Security firms track it as UNC3944 and Octo Tempest, but the people behind it are mostly young, English-speaking, and loosely connected through an online community called The Com. Their signature isn’t a clever exploit. It’s a phone call.

The crew’s go-to move is social engineering: calling a company help desk, impersonating an employee, and talking support staff into resetting a password or enrolling a new device. From there they lean on SIM swapping to hijack a target’s phone number and intercept login codes, and on MFA fatigue, spamming a victim with push prompts until someone taps approve. Once inside, they steal data and deploy ransomware, and they’ve worked alongside the ALPHV/BlackCat operation to do it. That playbook is what took down MGM Resorts and Caesars Entertainment in September 2023, freezing slot machines and hotel systems across Las Vegas.

What’s still unclear

Plenty is still open. Stokes has been charged, not convicted, and the complaint against him lays out allegations his lawyers haven’t answered yet. The jewelry retailer in that filing hasn’t been named publicly, and it isn’t clear whether the roughly $8 million ransom was ever paid. Buchanan’s case sits apart from the casino attacks: prosecutors say his direct role ended before the 2023 MGM and Caesars breaches, so who inside the group pressed the button there still isn’t spelled out in any U.S. charging document. Sentencing dates are set for later this year, and the courts will decide what comes next.

What this means for you

If you run security for any company with a help desk, this is a reminder that the softest part of your stack is a human on the phone. Scattered Spider didn’t break MGM with a zero-day. They called IT and asked nicely. The fix isn’t glamorous. Verify identity out of band before any password or MFA reset. Put hardware keys in front of privileged accounts. And stop treating support workflows as a lane attackers get to skip. The same manipulation logic now targets software too, as the AI browser agents talked into handing over passwords showed, and it’s the same instinct behind the phishing wave after the LastPass vendor leak. The arrests are real progress. But The Com is bigger than the handful now in court, and the phone will ring again.

Share this article

Quick reference

social engineering
Manipulating a person instead of a system, such as tricking help-desk staff into resetting a password, approving a new device, or handing over access.
SIM swapping
Convincing a mobile carrier to move a victim's phone number onto an attacker's SIM, so calls and one-time login codes arrive on the attacker's phone.
MFA fatigue
Flooding a target with repeated multi-factor login prompts until they tap approve out of annoyance, which hands the attacker a valid session.

Sources

Mentioned in this article