Federal Complaint Links Alleged Scattered Spider Hacker to High-Profile Jewelry Retailer Breach
U.S. prosecutors have established a connection between a suspected member of the notorious hacker collective Scattered Spider and a significant security breach at a luxury jewelry retailer. This revelation comes from a recently unsealed federal complaint that pins the breach on the persistent identifier of a Windows device. The investigation reveals the complex web of methods employed by the attackers during the infiltration, outlining not only their techniques but also the frailties in the retailer’s security protocols.
The individual at the center of this case is 19-year-old Peter Stokes, a dual U.S.-Estonian citizen who operates online under the alias “Bouquet.” He is facing multiple charges, including conspiracy, computer intrusion, and fraud. Stokes was extradited from Finland and made his inaugural court appearance in Chicago on June 30. According to the charges, he is presumed innocent until proven guilty at trial.
The sequence of events leading to the breach occurred between May 12 and 15, 2025. During this critical window, the attackers reached out to the retailer’s IT help desk using Google Voice numbers, posing as locked-out employees. Through this impersonation, they convinced the staff to reset the passwords of several employee accounts, as well as the mobile devices linked to their multifactor authentication systems. This manipulation enabled the attackers to gain control over three accounts, two of which belonged to IT administrators.
Once the adversaries secured access to the accounts, they utilized various tools, including an application called ngrok and another tunneling tool named Teleport, to facilitate data transfer to Amazon cloud storage. In this operation, they successfully extracted a staggering 77 gigabytes of data. Although they attempted to deploy ransomware, the retailer’s security team detected the breach promptly and managed to evict the attackers from the network. Nonetheless, the attackers sent a ransom email, ominously titled “IMPORTANT: WE STOLE THE DATA, CONTACT IMMEDIATELY,” demanding a startling $8 million in cryptocurrency. The jeweler opted not to pay, but the repercussions of the breach resulted in substantial costs—approximately $2 million—stemming from disruption, investigation, and mitigation efforts.
The method of infiltration illuminated the vulnerabilities not in software, but rather in the security processes employed by the retailer. The recommended remedy is a procedural one rather than a mere software patch, emphasizing the necessity to verify identities thoroughly before executing any password resets. Recommended practices include callbacks to pre-verified telephone numbers, managerial approvals, or video confirmations for privileged account access. While phishing-resistant multifactor authentication methods, such as FIDO2 keys, can mitigate certain risks, they remain ineffective if help desk employees are helping reset accounts simply based on a phone call.
Furthering their investigation, authorities traced Stokes through the device that opened the ngrok account. Microsoft reported that the device carried a unique Global Device Identifier, an identifier that persists through operating system updates but changes when the software is reinstalled. Records indicate that this device accessed the ngrok signup page simultaneously with the account creation. It also connected to the retailer’s website through the same proxy shortly thereafter. Notably, the device consistently appeared on IP addresses corresponding to various other accounts attributed to Stokes, further establishing a connection between him and the breach.
Despite the detailed tracing of this particular hacker, experts warn that one arrest is unlikely to halt the overall threat posed by Scattered Spider. Recent research by Group-IB suggests that the group may not function as a singular entity, but rather as a loose collective of small, independent cells. These cells often consist of no more than five individuals, sharing methods and resources rather than a unified leadership. This decentralized nature reflects a societal dynamic similar to that of the Anonymous movement, suggesting that merely apprehending some individuals will not sufficiently dismantle the larger cyber threat.
Prosecutors define Scattered Spider as a group responsible for over 100 breaches, amassing more than $100 million in ransom demands. However, Group-IB posits that the label describes a network rather than a coherent organization, attributing the sustainability of cyber activities to the loosely connected structure of its operatives.
Recent prosecutions linked to Scattered Spider follow a recurring pattern: the capture of individual operators while the broader operation continues unabated. For instance, Tyler Buchanan, a Scottish national, pled guilty in April 2026 to charges associated with the group, while another member, known as “Sosa,” received a ten-year prison sentence in 2025 for a SIM-swapping scheme. In the UK, two alleged group members recently admitted their involvement in a hack that inflicted significant financial losses on Transport for London.
On his way to Japan, Stokes was apprehended at Helsinki airport by Finnish authorities, who seized two 2-terabyte hard drives. Such evidence forms the bedrock of this investigation, comprising extensive device records, account associations, and IP trails. In a landscape characterized by diffuse connections, these drives may contain invaluable information that could prove crucial in linking other members and thwarting future breaches. As this case unfolds, it serves as a reminder of the persistent vulnerabilities present in both corporate security systems and the increasingly sophisticated methods employed by cybercriminals.
