Scattered Spider Member "Bouquet" Arrested in Finland — Peter Stokes, 19, Charged With Four Intrusions Starting at Age 16

Peter Stokes, 19, known online as "Bouquet," was arrested in Finland trying to board a flight to Tokyo — the latest in a string of Scattered Spider prosecutions that now includes a guilty plea from the group's alleged leader Tyler "Tylerb" Buchanan.

CHICAGO / HELSINKI — Peter Stokes, a 19-year-old dual US and Estonian citizen operating under the alias "Bouquet," was arrested by Finnish authorities at Helsinki Airport on April 10, 2026 while attempting to board a flight to Tokyo. US prosecutors have charged Stokes in a six-count complaint filed under seal in December 2025 with wire fraud, conspiracy, and computer intrusion — and are now seeking extradition to Chicago. Investigators allege Stokes participated in at least four Scattered Spider intrusions since March 2023, including attacks when he was just 16 years old. The arrest is the latest in an accelerating prosecution wave against the Scattered Spider ecosystem — for the Tylerb guilty plea and full background on the group's history, see our dedicated coverage: The Web Unravels: Tylerb Pleads Guilty to Multi-Million Dollar Scattered Spider Spree.

Arrest and charges profile

How Stokes operated: vishing at 16

Stokes' alleged criminal career began in March 2023 — just months after his 16th birthday — when he allegedly targeted an online communications platform ("Company H") by calling the company's IT support and requesting a reset of an employee's two-factor authentication. Investigators say encrypted chats show him coordinating with an accomplice in real time as they accessed sensitive data. By May 2025, Stokes had escalated significantly: prosecutors allege he helped breach a multibillion-dollar luxury retailer by impersonating an employee on a call to the IT helpdesk, resetting credentials, gaining administrator access, claiming 100GB of stolen data, and demanding $8 million in ransom.

The technique — helpdesk vishing — is Scattered Spider's defining method, and it has proven devastatingly effective against organizations that have not implemented phishing-resistant authentication or strict helpdesk verification protocols. Two two-terabyte hard drives seized from Stokes at Helsinki Airport suggest a significant volume of evidence is now in US federal possession. The Stokes arrest follows an April 10 apprehension as he attempted to fly to Tokyo — Finnish authorities detained him before he could board, based on charges that had been filed under seal in December 2025. For broader context on the Scattered Spider ecosystem and The Com, our Tylerb coverage

covers the group's full history, methodology, and the social engineering pipeline that Stokes continued. All Cyber Crime coverage

is tracked on The CyberSignal.

The broader prosecution wave

The Stokes arrest is not an isolated development — it is part of a coordinated multi-jurisdictional prosecution push against The Com that has accelerated through early 2026. Tyler Buchanan's guilty plea to wire fraud and aggravated identity theft, with sentencing scheduled for August 21 and a 22-year statutory maximum, established the highest-profile admission of guilt yet from a core Scattered Spider figure. In the UK, the National Crime Agency has separately arrested four individuals connected to Scattered Spider's attacks on Marks & Spencer, Co-op, and Harrods. In the US, additional members face pending charges. Law enforcement foreknowledge of Stokes' travel plans — enabling his arrest at Helsinki Airport before a Japan-bound flight — indicates active surveillance of The Com ecosystem, not reactive investigation.

What to do now

The Stokes arrest confirms that Scattered Spider's helpdesk vishing methodology remains active — these prosecutions do not signal the group has stopped operating. Implement phishing-resistant MFA (FIDO2 hardware keys) for all accounts, especially privileged ones. Establish strict helpdesk verification protocols requiring out-of-band identity confirmation before any MFA reset or credential change. Train helpdesk staff on social engineering red flags — urgency, escalation pressure, requests to bypass standard procedures. Review and restrict permissions for helpdesk staff to minimize what an attacker can access even with a compromised helpdesk credential.

The CyberSignal Analysis

Signal 01 — Scattered Spider's youngest members started at 16 with techniques that still work

Stokes' first alleged attack at age 16 used a helpdesk MFA reset request — no malware, no exploit, no technical skill. Just a phone call and the confidence to impersonate an employee convincingly. The fact that it worked in 2023 and continued working through his 2025 luxury retailer attack is not a Scattered Spider problem. It is an industry-wide helpdesk security problem that has persisted because verification procedures remain dangerously inconsistent across the enterprise.

Signal 02 — The Com prosecution pipeline is accelerating across jurisdictions

Buchanan's plea, Stokes' arrest, and multiple prior Scattered Spider arrests represent a sustained campaign now producing results across the US, UK, and Finland. The international coordination required to arrest Stokes at Helsinki Airport before a Japan-bound flight reflects active surveillance of The Com ecosystem. The criminal network's members are learning that geographic distribution and young age are not protection from federal prosecution.

Signal 03 — Two terabytes of evidence is a compounding enforcement asset

The two 2TB hard drives seized from Stokes at Helsinki Airport contain an unknown but potentially significant volume of evidence about Scattered Spider operations, communications, victim data, and co-conspirator identities. In federal prosecutions of cybercriminal networks, seized devices from one defendant routinely generate leads for additional charges and additional defendants. The evidentiary value of Stokes' hard drives will likely extend well beyond his own prosecution.

Sources