U.S. prosecutors linked an alleged Scattered Spider hacker to a break-in at a luxury jewelry retailer using a persistent Windows device ID, according to a newly unsealed federal complaint.
Microsoft records tied that ID first to the account the attackers used to keep access during the May 2025 intrusion, then to online accounts prosecutors say belong to 19-year-old Peter Stokes.
Stokes is charged with conspiracy, computer intrusion, and fraud. A dual U.S.-Estonian citizen known online as “Bouquet,” he was extradited from Finland and made his first court appearance in Chicago on June 30, as THN reported. He is presumed innocent pending trial.
How the break-in worked
Between May 12 and 15, 2025, attackers phoned the retailer’s IT help desk from Google Voice numbers, posed as locked-out employees, and got staff to reset employees’ passwords and the mobile devices tied to their multifactor authentication.
Within a few hours, they controlled three accounts, two belonging to IT administrators. They installed ngrok and a second tunneling tool called Teleport, moved data to Amazon cloud storage, and pulled out at least 77 gigabytes.
They appear to have tried to deploy ransomware, but the retailer’s security team blocked it and evicted them from the network. The attackers still sent a ransom email, subject line “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic],” and later asked for $8 million in cryptocurrency. The company did not pay. The breach still cost it about $2 million in disruption, investigation, and cleanup.
The way in was the help desk, not a software flaw. The fix is a process, not patching: verify identity before any reset with a callback to a number already on file, manager sign-off, or video checks for privileged accounts. Phishing-resistant MFA like FIDO2 keys blunts the group’s other methods, but does nothing if a help desk will reset an account on a phone call.
The ID that led investigators to Stokes
Investigators worked back to Stokes from the device that opened the ngrok account. Microsoft told the FBI it carried Global Device Identifier g:6755467234350028, which Microsoft describes as a persistent identifier tied to a single Windows installation, one that survives operating-system updates but changes when Windows is reinstalled.
Microsoft records show that the device visited the ngrok signup page at 19:21 UTC on May 12, 2025, the same minute the ngrok account was created, and reached the retailer’s website through the same proxy about three hours later.
The device also kept surfacing on the same IP addresses, at the same times, as Snapchat, Apple, and Facebook accounts prosecutors attribute to Stokes: an address in his home city of Tallinn, Estonia, in June 2024, then New York in November and Thailand in February 2025, matched by State Department travel records.
The complaint shows an operator who hid the attack, behind a VPN proxy, tunneling tools, and aliases, but not himself. Prosecutors say his Snapchat flaunted cash, watches, and diamond chains reading “HACK THE PLANET,” along with the very trips that placed him in those cities. He even posted photos of an Estonian police station and taunted that the feds had no idea what they had let get away.
One arrest, and why it may not slow the threat
Investigators can now tie a single operator to the machine that set up an attack. But one arrest barely touches the wider threat.
In separate, recent research, Group-IB argues Scattered Spider is not really one group at all. It is a loose collective of small, independent cells, most no bigger than five people, tied together by shared tricks, tools, and chat rooms rather than a shared boss. Group-IB compares it to the Anonymous movement and says arresting some of these cells “will not stop the threat itself.”
Prosecutors describe Scattered Spider as one group behind more than 100 intrusions and over $100 million in ransoms. Group-IB says the label fits a scene better than a gang, and argues that loose structure is why the activity survives each arrest.
Part of a longer run of cases
Other recent Scattered Spider prosecutions follow the same shape: individuals arrested one at a time, the shared playbook intact. In April 2026, Scottish national Tyler Buchanan pleaded guilty in the U.S. to fraud and identity theft tied to the group.
In 2025, Noah Urban, known as “Sosa,” was sentenced to 10 years over a SIM-swapping scheme linked to Scattered Spider. And in the U.K., two alleged members recently admitted to the Transport for London hack, which cost an estimated £29 million.
When Finnish police stopped Stokes at Helsinki airport as he tried to board a flight to Japan, they seized two 2-terabyte hard drives. This whole case was built from that kind of material: device records, account links, and IP trails. In a network this diffuse, the drives could matter more than the conviction, if they hold the tools, infrastructure, or contacts that reach the next member.









