Key Takeaways

- A 19-year-old using the alias 'Bouquet' faces six federal counts including wire fraud and computer intrusion
- Court records allege he participated in at least four Scattered Spider breaches dating back to when he was 16
- One victim, a luxury retailer, incurred over $2 million in costs despite refusing to pay an $8 million ransom
Finnish Arrest Leads to Federal Charges
A 19-year-old dual United States and Estonian citizen is facing federal charges after Finnish police arrested him at Helsinki's airport on April 10. According to court records obtained by the Chicago Tribune, the suspect used the online alias "Bouquet" and allegedly helped extort millions of dollars from multiple large corporations as a member of the Scattered Spider hacking collective.
Finnish law enforcement detained him while he was attempting to board a flight to Japan. The six-count complaint, originally filed under seal in December, charges him with wire fraud, conspiracy, and computer intrusion.
Four Breaches, Starting at Age 16
Prosecutors allege Bouquet participated in at least four Scattered Spider breaches. The earliest occurred in March 2023, when he was 16 years old. That attack targeted an online communication platform and forced the victim company to pay millions in ransom.
The complaint also names a multibillion-dollar "luxury item retailer" breached in May 2025. In that attack, hackers called the company's IT helpdesk while posing as employees. They convinced staff to reset authentication credentials, then used that access to reach administrator accounts.
The group claimed to have stolen 100 gigabytes of data and demanded $8 million. The retailer refused to pay. It still incurred more than $2 million in disruption and remediation costs.
Who Is Scattered Spider?
Scattered Spider surfaced in 2022. Security researchers track the group under multiple names: 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra. Unlike traditional ransomware gangs with hierarchical structures, Scattered Spider operates as a loosely organized collective. Most members are teenagers and young adults from the US and Great Britain.
The FBI says the group relies on social engineering, targeted multi-factor authentication bombing (also called MFA fatigue), and SMS credential phishing. They steal user credentials and sensitive documents, then use that data as leverage for extortion.
Known victims include:
- Caesars and MGM Resorts (casino operators)
- Riot Games (video game developer)
- MailChimp, Twilio, DoorDash, Reddit (tech platforms)
- Co-op, Marks & Spencer, Harrods (UK retailers)
- WestJet and Jaguar Land Rover (recent targets)
Second Major Arrest This Month
This arrest follows another significant development in the Scattered Spider investigation. Earlier this month, 24-year-old Tyler Robert Buchanan pleaded guilty in the United States to wire fraud and aggravated identity theft charges. Investigators believe Buchanan was one of the collective's leaders.
The Department of Justice and the Office of the Attorney General have not yet responded to requests for additional details about the Finland arrest.
Social Engineering Remains the Weakest Link
The luxury retailer breach illustrates why social engineering attacks remain effective against even well-resourced companies. The hackers did not exploit a software vulnerability. They called the helpdesk, pretended to be employees, and asked for a credential reset. Someone on the other end complied.
MFA fatigue attacks work similarly. Hackers bombard a target with authentication requests until the victim approves one just to make it stop. Both techniques bypass technical security controls by targeting human behavior.
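A defender-side illustration of how the prompt-bombing pattern described above can be spotted in authentication logs. This is an added example, not taken from the article or its sources; the log format, result values, ten-minute window and five-prompt threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events ("timestamp user result"); not from any real system.
SAMPLE_LOG = """\
2025-05-01T09:00:05 alice approved
2025-05-01T02:10:00 bob denied
2025-05-01T02:10:40 bob timeout
2025-05-01T02:11:15 bob denied
2025-05-01T02:12:02 bob denied
2025-05-01T02:12:30 bob timeout
2025-05-01T02:13:10 bob approved
2025-05-01T14:00:00 carol denied
2025-05-01T14:30:00 carol approved
"""

def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Return (user, severity, unapproved_count, timestamp) findings."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    alerted = set()               # users with an open burst alert
    findings = []
    # ISO timestamps sort lexicographically, so this orders events by time.
    events = sorted(line.split() for line in lines if line.strip())
    for ts_raw, user, result in events:
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts outside the window
            q.popleft()
        if not q:
            alerted.discard(user)
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                findings.append((user, "prompt_burst", len(q), ts_raw))
        elif result == "approved":
            if len(q) >= threshold:
                # Approval right after a burst: treat the session as suspect.
                findings.append((user, "approved_after_burst", len(q), ts_raw))
            q.clear()
            alerted.discard(user)
    return findings

if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(finding)
```

An "approved_after_burst" finding is the case worth paging on: the resulting session should be revoked and the user contacted through a separate channel.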


Frequently Asked Questions
What is Scattered Spider?
Scattered Spider is a loosely organized hacking collective that emerged in 2022. It consists primarily of teenagers and young adults from the US and UK who use social engineering, MFA fatigue attacks, and SMS phishing to breach corporations for extortion.
How do MFA fatigue attacks work?
Attackers send repeated authentication requests to a target's phone or device. The victim eventually approves a request out of frustration or confusion, giving attackers access without needing to crack the password.
What companies has Scattered Spider attacked?
Known victims include Caesars, MGM Resorts, Riot Games, MailChimp, Twilio, DoorDash, Reddit, Marks & Spencer, Co-op, Harrods, WestJet, and Jaguar Land Rover.
How can companies defend against social engineering?
Organizations should implement strict verification procedures for credential resets, train helpdesk staff to recognize impersonation attempts, and use phishing-resistant MFA methods like hardware security keys.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team.