US Charges Teen Hacker Linked to Scattered Spider Arrests

Key Takeaways

- A 19-year-old using the alias 'Bouquet' faces six federal counts including wire fraud and computer intrusion
- Court records allege he participated in at least four Scattered Spider breaches dating back to when he was 16
- One victim, a luxury retailer, incurred over $2 million in costs despite refusing to pay an $8 million ransom

Finnish Arrest Leads to Federal Charges
A 19-year-old dual United States and Estonian citizen is facing federal charges after Finnish police arrested him at Helsinki's airport on April 10. According to court records obtained by the Chicago Tribune, the suspect used the online alias "Bouquet" and allegedly helped extort millions of dollars from multiple large corporations as a member of the Scattered Spider hacking collective.
Finnish law enforcement detained him while he was attempting to board a flight to Japan. The six-count complaint, originally filed under seal in December, charges him with wire fraud, conspiracy, and computer intrusion.
Four Breaches, Starting at Age 16
Prosecutors allege Bouquet participated in at least four Scattered Spider breaches. The earliest occurred in March 2023, when he was 16 years old. That attack targeted an online communication platform and forced the victim company to pay millions in ransom.
The complaint also names a multibillion-dollar "luxury item retailer" breached in May 2025. In that attack, hackers called the company's IT helpdesk while posing as employees. They convinced staff to reset authentication credentials, then used that access to reach administrator accounts.
The group claimed to have stolen 100 gigabytes of data and demanded $8 million. The retailer refused to pay. It still incurred more than $2 million in disruption and remediation costs.
Who Is Scattered Spider?
Scattered Spider surfaced in 2022. Security researchers track the group under multiple names: 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra. Unlike traditional ransomware gangs with hierarchical structures, Scattered Spider operates as a loosely organized collective. Most members are teenagers and young adults from the US and Great Britain.
The FBI says the group relies on social engineering, targeted multi-factor authentication bombing (also called MFA fatigue), and SMS credential phishing. They steal user credentials and sensitive documents, then use that data as leverage for extortion.

Known victims include:

- Caesars and MGM Resorts (casino operators)
- Riot Games (video game developer)
- MailChimp, Twilio, DoorDash, Reddit (tech platforms)
- Co-op, Marks & Spencer, Harrods (UK retailers)
- WestJet and Jaguar Land Rover (recent targets)

Second Major Arrest This Month
This arrest follows another significant development in the Scattered Spider investigation. Earlier this month, 24-year-old Tyler Robert Buchanan pleaded guilty in the United States to wire fraud and aggravated identity theft charges. Investigators believe Buchanan was one of the collective's leaders.
The Department of Justice and the Office of the Attorney General have not yet responded to requests for additional details about the Finland arrest.
Social Engineering Remains the Weakest Link
The luxury retailer breach illustrates why social engineering attacks remain effective against even well-resourced companies. The hackers did not exploit a software vulnerability. They called the helpdesk, pretended to be employees, and asked for a credential reset. Someone on the other end complied.
MFA fatigue attacks work similarly. Hackers bombard a target with authentication requests until the victim approves one just to make it stop. Both techniques bypass technical security controls by targeting human behavior.
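
The push-bombing pattern described above leaves a recognizable trace in authentication logs: a burst of denied or timed-out prompts for one user, sometimes ending in an approval. The following detection sketch is an added example, not code from the article or its sources; the event tuples, result labels, window, and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): time, user, MFA push result.
SAMPLE_EVENTS = [
    ("2025-05-01T02:10:05", "alice", "denied"),
    ("2025-05-01T02:10:40", "alice", "timeout"),
    ("2025-05-01T02:11:15", "alice", "denied"),
    ("2025-05-01T02:11:50", "alice", "timeout"),
    ("2025-05-01T02:12:30", "alice", "denied"),
    ("2025-05-01T02:13:02", "alice", "approved"),   # approval after a burst
    ("2025-05-01T09:00:00", "bob", "denied"),       # single mistap, then normal login
    ("2025-05-01T09:00:20", "bob", "approved"),
    ("2025-05-01T11:00:00", "carol", "timeout"),
    ("2025-05-01T11:00:30", "carol", "timeout"),
    ("2025-05-01T11:01:00", "carol", "denied"),
    ("2025-05-01T11:01:30", "carol", "timeout"),
    ("2025-05-01T11:02:00", "carol", "denied"),     # burst with no approval yet
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return alerts for users with >= threshold failed pushes inside the window.

    severity is "high" when an approval lands right after such a burst and
    "medium" when the burst has not (yet) been answered with an approval.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failed pushes
    alerts = {}
    for ts, user, result in sorted(events):         # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        recent = failures[user]
        while recent and now - recent[0] > window:
            recent.popleft()                        # drop failures older than the window
        if result in ("denied", "timeout"):
            recent.append(now)
            if len(recent) >= threshold:
                alerts.setdefault(user, {"user": user, "failed": 0, "severity": "medium"})
                alerts[user]["failed"] = max(alerts[user]["failed"], len(recent))
        elif result == "approved":
            if len(recent) >= threshold:
                alerts[user] = {"user": user, "failed": len(recent), "severity": "high"}
            recent.clear()                          # a fresh session resets the burst count
    return sorted(alerts.values(), key=lambda a: a["user"])
```

A "high" alert is a prompt to revoke the resulting session and contact the user through a separate channel; a "medium" alert means the burst is still in progress.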
Frequently Asked Questions
What is Scattered Spider?
Scattered Spider is a loosely organized hacking collective that emerged in 2022. It consists primarily of teenagers and young adults from the US and UK who use social engineering, MFA fatigue attacks, and SMS phishing to breach corporations for extortion.
How do MFA fatigue attacks work?
Attackers send repeated authentication requests to a target's phone or device. The victim eventually approves a request out of frustration or confusion, giving attackers access without needing to crack the password.
What companies has Scattered Spider attacked?
Known victims include Caesars, MGM Resorts, Riot Games, MailChimp, Twilio, DoorDash, Reddit, Marks & Spencer, Co-op, Harrods, WestJet, and Jaguar Land Rover.
How can companies defend against social engineering?
Organizations should implement strict verification procedures for credential resets, train helpdesk staff to recognize impersonation attempts, and use phishing-resistant MFA methods like hardware security keys.
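
Strict reset verification can be backed by monitoring what happens after a helpdesk reset, since the breach described earlier moved from a reset to administrator accounts. The sketch below is an added example, not from the article or any vendor; the audit schema, action names, ticket IDs, and risk weights are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit events (hypothetical schema, not a real product's).
SAMPLE_AUDIT = [
    {"ts": "2025-05-02T14:00:00", "user": "dave", "action": "signin", "device": "LAPTOP-D1"},
    {"ts": "2025-05-02T15:00:00", "user": "dave", "action": "helpdesk_reset", "ticket": "T-1001"},
    {"ts": "2025-05-02T15:04:00", "user": "dave", "action": "mfa_enroll", "device": "PHONE-NEW"},
    {"ts": "2025-05-02T15:06:00", "user": "dave", "action": "signin", "device": "PHONE-NEW"},
    {"ts": "2025-05-02T15:09:00", "user": "dave", "action": "admin_role_use", "device": "PHONE-NEW"},
    {"ts": "2025-05-02T16:00:00", "user": "erin", "action": "signin", "device": "LAPTOP-E1"},
    {"ts": "2025-05-02T16:30:00", "user": "erin", "action": "helpdesk_reset", "ticket": "T-1002"},
    {"ts": "2025-05-02T16:35:00", "user": "erin", "action": "signin", "device": "LAPTOP-E1"},
]

RISK = {"signin": 1, "mfa_enroll": 2, "admin_role_use": 3}   # assumed weights

def score_post_reset_activity(events, window=timedelta(hours=1)):
    """Score activity from unfamiliar devices that follows a helpdesk reset.

    Returns {ticket: {"user", "score", "actions"}} for resets that were followed,
    inside the window, by actions from a device not in the user's baseline.
    """
    known = {}      # user -> devices seen outside any reset window (baseline)
    resets = {}     # user -> (time of latest reset, ticket id)
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, when = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["action"] == "helpdesk_reset":
            resets[user] = (when, ev["ticket"])
            continue
        device = ev.get("device")
        reset = resets.get(user)
        in_window = reset is not None and when - reset[0] <= window
        if in_window and device not in known.get(user, set()):
            f = findings.setdefault(reset[1], {"user": user, "score": 0, "actions": []})
            f["score"] += RISK.get(ev["action"], 0)
            f["actions"].append(ev["action"])
        elif not in_window:
            known.setdefault(user, set()).add(device)   # only baseline outside reset windows
    return findings
```

On the sample data the reset for "dave" is flagged because a new device enrolls MFA, signs in, and uses an admin role within minutes, while the reset for "erin" is followed only by her usual laptop and produces no finding.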
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer