US reportedly charges Scattered Spider hacker arrested in Finland
Source: Bleeping Computer
Key Details
| Item | Information |
|---|---|
| Alias | “Bouquet” |
| Arrest location & date | Helsinki airport, Finland – April 10, 2026 (while attempting to board a flight to Japan) |
| Charges (U.S.) | Wire fraud, conspiracy, and computer intrusion |
| Source of court records | Temporarily unsealed documents obtained by the Chicago Tribune |
| Number of counts | Six (filed under seal in December) |
| Known breaches involving “Bouquet” | • March 2023 – hack of an online communication platform (age 16) • May 2025 – intrusion into a multibillion‑dollar luxury‑item retailer (IT help‑desk impersonation, credential reset, admin‑account access) |
| Ransom demands | • Claimed 100 GB of stolen data • Demanded $8 million (company refused) |
| Financial impact on victim | $2 million in disruption and remediation costs despite no ransom paid |
Background on the Scattered Spider Group
Scattered Spider is an international hacking collective known for:
- Targeting large corporations and demanding multimillion‑dollar ransoms.
- Using social‑engineering tactics (e.g., impersonating employees to reset credentials).
- Leveraging stolen data to pressure victims into payment.
Current Status
- U.S. authorities have not yet provided additional comment.
- BleepingComputer has reached out to the Department of Justice and the Office of the Attorney General for further details; a response has not been received at this time.
For more information, see the original reporting by the Chicago Tribune.
The Scattered Spider Cybercrime Collective
Scattered Spider (also tracked as 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC‑3944, and Muddled Libra) surfaced in 2022. It is a loosely knit, financially motivated hacking collective composed largely of teenagers and young adults from the United States and Great Britain.
Modus Operandi
According to the FBI, the group is known for using a blend of:
- Social engineering – tricking users into revealing credentials.
- Targeted multi‑factor authentication (MFA) bombing (aka MFA fatigue) – flooding users with MFA prompts until they approve one.
- SMS credential‑phishing attacks – stealing one‑time passcodes and other SMS‑based credentials.
These tactics let the attackers breach networks, steal user credentials and sensitive documents, and then leverage the data for extortion.
Notable Victims
Scattered Spider’s victim list includes many high‑profile organizations:
| Sector | Victims |
|---|---|
| Gaming & Entertainment | Caesars, MGM Resorts, Riot Games |
| Technology & SaaS | MailChimp, Twilio, Reddit |
| Food Delivery | DoorDash |
| Financial Services | Allianz Life |
| Retail (UK) | Co‑op, Marks & Spencer, Harrods |
| Travel & Automotive | WestJet, Jaguar Land Rover (JLR) |
Recent Legal Development
Earlier this month, Tyler Robert Buchanan (24), believed to be one of Scattered Spider’s leaders, pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.
Source: [BleepingComputer – British Scattered Spider hacker pleads guilty to crypto‑theft charges]
All links point to publicly available BleepingComputer articles for further reading.