US Charges Scattered Spider Hacker Arrested in Finland

Security Reporter

A 19-year-old dual US-Estonian citizen faces federal charges for his alleged role in the notorious Scattered Spider hacking collective, which has targeted numerous high-profile companies worldwide using sophisticated social engineering techniques.

The Department of Justice has reportedly filed charges against a 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month, alleging he was a prolific member of the notorious Scattered Spider hacking collective. According to temporarily unsealed court records obtained by the Chicago Tribune, the suspect, who used the online alias "Bouquet," helped extort millions of dollars from multiple large corporations worldwide.

The alleged Scattered Spider member was arrested by Finnish law enforcement at Helsinki's airport on April 10 while attempting to board a flight to Japan. He now faces wire fraud, conspiracy, and computer intrusion charges in the United States. In a six-count complaint filed under seal in December, prosecutors claim that Bouquet was involved in at least four Scattered Spider breaches, including a March 2023 hack of an online communication platform conducted when he was just 16 years old.

One notable victim was an unnamed multibillion-dollar "luxury item retailer" breached in May 2025. According to court documents, the hackers called the company's IT helpdesk posing as employees and had authentication credentials reset, then used that foothold to reach administrator accounts. The group later sent a ransom demand, claiming to have stolen 100 gigabytes of data, and initially asked for $8 million. Even though the company refused to pay, it still incurred more than $2 million in disruption and remediation costs.


Understanding the Scattered Spider Threat

The Scattered Spider cybercrime collective, also tracked as 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra, first surfaced in 2022. What makes this group particularly concerning to security experts is its composition and methodology.

"Scattered Spider represents a new evolution in cybercrime," noted cybersecurity researcher John Miller from the Digital Threat Analysis Center. "They're not sophisticated nation-state actors, but rather a loosely knit group of teenagers and young adults from the U.S. and Great Britain who've managed to develop surprisingly effective attack techniques. Their youth gives them unique advantages in understanding social media trends and younger employees' behaviors, which they exploit relentlessly."

According to the FBI, Scattered Spider relies on a blend of social engineering, targeted multi-factor authentication (MFA) bombing (also known as MFA fatigue), and SMS credential phishing to obtain valid user credentials. Once inside a target's network, the group steals sensitive documents and uses them as extortion leverage.

The MFA Fatigue Attack Vector

One of the most concerning tactics employed by Scattered Spider is the MFA fatigue attack. It only works once the attacker already holds a valid username and password, typically obtained by phishing: the attacker then repeatedly attempts to log in, triggering a stream of MFA push notifications to the victim's device, until the user, annoyed or confused, accepts one of the requests to stop the notifications.

"MFA fatigue attacks exploit a fundamental human weakness," explained security consultant Sarah Jenkins. "Most people aren't trained to recognize when they're being targeted by persistent authentication requests. The attackers count on victims eventually accepting a request just to make the notifications stop, which gives them the access they need."

To defend against this attack vector, security experts recommend adding verification to push prompts rather than relying on a bare approve/deny choice: number matching (the user types a code shown on the login screen into the authenticator app) makes an absent-minded tap useless to the attacker, and limiting the number of prompts per user, or locking the account after repeated denied or unanswered prompts, starves the attack of attempts. Approvals that arrive outside normal business hours or from unusual locations deserve a second look. Organizations should also train employees never to accept MFA requests they did not initiate themselves, and to report them, since a burst of unexpected prompts means the password is already in an attacker's hands.
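The detection side of this advice, as an added example that is not from the original article: the Python below runs over a constructed MFA push log and raises one alert per user whose prompt count in a sliding window reaches a threshold, escalating to "critical" when a denied or unanswered prompt is later followed by an approval, and tagging that approval with the contextual signals the paragraph mentions (outside business hours, unknown source IP). The log format, the four-line-per-event field layout, the threshold, the 07:00-19:00 UTC working window and the per-user known-IP baseline are all assumptions for the example; real MFA providers emit richer records, but the logic transfers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an MFA push log (not real data). Fields: ISO timestamp,
# user, push result, client IP of the login attempt. The "alice" lines model a
# push-bombing run at 02:41 UTC that ends with an approval; "bob" is normal use.
SAMPLE_LOG = """\
2025-05-06T02:41:03Z alice push_sent 203.0.113.7
2025-05-06T02:41:33Z alice push_timeout 203.0.113.7
2025-05-06T02:41:40Z alice push_sent 203.0.113.7
2025-05-06T02:41:55Z alice push_denied 203.0.113.7
2025-05-06T02:42:10Z alice push_sent 203.0.113.7
2025-05-06T02:42:30Z alice push_denied 203.0.113.7
2025-05-06T02:42:45Z alice push_sent 203.0.113.7
2025-05-06T02:43:01Z alice push_approved 203.0.113.7
2025-05-06T09:15:00Z bob push_sent 198.51.100.20
2025-05-06T09:15:12Z bob push_approved 198.51.100.20
"""

# Assumed (hypothetical) baseline of IPs each user normally signs in from.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.20"}}
BUSINESS_HOURS = (7, 19)  # assumed 07:00-19:00 UTC working window
REJECTED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the space-separated log into (time, user, result, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return sorted(events)


def approval_risk(user, when, ip, known_ips=KNOWN_IPS, hours=BUSINESS_HOURS):
    """Context checks for a single approved push: the 'second look' signals."""
    reasons = []
    if not (hours[0] <= when.hour < hours[1]):
        reasons.append("outside_business_hours")
    if ip not in known_ips.get(user, set()):
        reasons.append("unknown_ip")
    return reasons


def detect_push_bombing(text, window=timedelta(minutes=10), threshold=4,
                        known_ips=KNOWN_IPS, hours=BUSINESS_HOURS):
    """Return one alert per user whose push count within any window reaches the threshold.

    Severity is 'critical' when a rejected prompt was later followed by an approval
    in the same window (the moment a fatigue attack succeeds), 'high' otherwise."""
    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for start in (e for e in evs if e[2] == "push_sent"):
            burst = [e for e in evs if start[0] <= e[0] <= start[0] + window]
            pushes = sum(1 for e in burst if e[2] == "push_sent")
            if pushes < threshold:
                continue
            rejected = [e for e in burst if e[2] in REJECTED]
            approvals = [e for e in burst if e[2] == "push_approved"]
            reasons, severity = ["push_bombing"], "high"
            if rejected and approvals and approvals[-1][0] > rejected[0][0]:
                severity = "critical"
                reasons.append("approved_after_rejections")
                reasons += approval_risk(user, approvals[-1][0], approvals[-1][3],
                                         known_ips, hours)
            alerts.append({"user": user, "window_start": start[0].isoformat(),
                           "pushes": pushes, "rejected": len(rejected),
                           "severity": severity, "reasons": reasons})
            break  # one alert per user; later overlapping windows add nothing new
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

Running it on the sample yields a single critical alert for alice (4 prompts, 3 rejected, approval at 02:43 UTC from an IP outside her baseline) and nothing for bob. Tune the threshold and window to the provider's normal retry behaviour before deploying; a user who fumbles one prompt twice should not page anyone.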

Broader Impact and Industry Response

Scattered Spider's list of victims reads like a who's who of major corporations, including Caesars, MGM Resorts, Riot Games, MailChimp, Twilio, DoorDash, Reddit, Allianz Life, UK retailers Co-op, Marks & Spencer (M&S), and Harrods. More recently, they've targeted WestJet and Jaguar Land Rover (JLR).

The collective's success has prompted increased scrutiny from law enforcement and cybersecurity professionals. Earlier this month, 24-year-old Tyler Robert Buchanan, believed to be one of Scattered Spider's leaders, pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.

"The arrest and charging of Bouquet is significant, but it's unlikely to dismantle the entire collective," warned cybersecurity analyst Michael Torres. "Scattered Spider operates as a loose affiliation rather than a hierarchical organization. When members are arrested, others simply step in to fill the void. This makes them particularly resilient compared to more structured cybercrime groups."

Practical Defense Strategies

For organizations looking to protect themselves against Scattered Spider-style attacks, security experts recommend several key strategies:

  1. Implement phishing-resistant MFA: FIDO2/WebAuthn security keys or passkeys and PIV smart cards bind the credential to the legitimate site's origin, so nothing the user types or taps on a phishing page can be replayed against the real service. Push approvals, SMS codes and app-generated one-time codes can all be relayed by an attacker-in-the-middle page. A fingerprint or face scan is not by itself phishing-resistant; it only matters as the step that unlocks an origin-bound credential. Because Scattered Spider also talks helpdesks into resetting factors, the enrollment and reset procedures around the strong factor need the same rigour as the factor itself.

  2. Employee training focused on social engineering: Regular training that simulates real-world attacks can help employees recognize and report suspicious requests. Helpdesk staff in particular should verify a caller's identity through an established out-of-band process before resetting a password or re-enrolling MFA, since that call is how the luxury retailer described above was breached.

  3. Identity and access management (IAM) best practices: Implementing the principle of least privilege and regularly reviewing access permissions can limit the damage from compromised credentials.

  4. Endpoint detection and response (EDR) and identity monitoring: EDR tooling catches what follows a credential compromise on the host, such as remote-management tools appearing on a workstation or unusual lateral movement, while sign-in anomalies (new devices, impossible travel, bursts of MFA prompts) are better detected from the identity provider's logs or a SIEM. Both views are needed; neither alone sees the whole intrusion.

  5. Incident response planning: Having a well-rehearsed incident response plan can significantly reduce the impact of a successful breach.
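To make the first recommendation concrete, here is an added example, not from the original article, that models in Python why an origin-bound credential survives the phishing relay that a one-time code does not. It is a simplified WebAuthn flow: the authenticator scopes credentials by RP ID and signs over authenticatorData plus the hash of clientDataJSON, which the browser, not the user, fills with the page origin; the relying party checks the origin, challenge, RP ID hash and signature. HMAC with a per-credential secret stands in for the authenticator's asymmetric signature (a real authenticator signs with a private key and the RP verifies with the public key), and the hostnames, user name and 6-digit code are made up.

```python
import hashlib
import hmac
import json
import os

# Toy model of WebAuthn origin binding versus a relayable one-time code.
# Assumption: HMAC with a per-credential secret stands in for the real
# private-key signature; hostnames and the OTP are illustrative.


class Authenticator:
    """Holds credentials keyed by RP ID, as a platform or roaming authenticator does."""

    def __init__(self):
        self.credentials = {}  # rp_id -> (credential_id, secret)

    def register(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.credentials[rp_id] = (cred_id, secret)
        return cred_id, secret

    def get_assertion(self, rp_id, client_data):
        """Sign authenticatorData || SHA-256(clientDataJSON), as WebAuthn does."""
        if rp_id not in self.credentials:
            return None  # no credential is scoped to this RP ID
        cred_id, secret = self.credentials[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
        msg = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(secret, msg, hashlib.sha256).digest()
        return {"credential_id": cred_id, "authenticator_data": auth_data,
                "client_data": client_data, "signature": sig}


class Browser:
    """The browser writes its own origin into clientDataJSON; the page cannot lie about it."""

    def __init__(self, authenticator, origin):
        self.auth, self.origin = authenticator, origin

    def webauthn_get(self, rp_id, challenge):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": self.origin}, sort_keys=True).encode()
        return self.auth.get_assertion(rp_id, client_data)


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id, self.origin = rp_id, "https://" + rp_id
        self.users = {}  # username -> {"secret", "cred_id", "otp"}

    def new_challenge(self):
        return os.urandom(32)

    def verify_assertion(self, username, challenge, assertion):
        if assertion is None:
            return "no_credential"
        user = self.users[username]
        cd = json.loads(assertion["client_data"])
        if cd["origin"] != self.origin:
            return "origin_mismatch"  # assertion was produced on a phishing page
        if cd["challenge"] != challenge.hex():
            return "bad_challenge"
        if assertion["authenticator_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rp_id_mismatch"
        msg = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
        good = hmac.new(user["secret"], msg, hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(good, assertion["signature"]) else "bad_signature"

    def verify_otp(self, username, code):
        """A relayable factor: whoever obtains the code can present it from any origin."""
        return "ok" if code == self.users[username]["otp"] else "bad_otp"


def run_scenarios():
    rp, auth = RelyingParty("example.com"), Authenticator()
    cred_id, secret = auth.register("example.com")
    rp.users["alice"] = {"secret": secret, "cred_id": cred_id, "otp": "482913"}
    results = {}

    # 1. Legitimate login from the real origin.
    ch = rp.new_challenge()
    results["legit_webauthn"] = rp.verify_assertion(
        "alice", ch, Browser(auth, rp.origin).webauthn_get("example.com", ch))

    # 2. Attacker-in-the-middle phishing page relays the RP's genuine challenge.
    # On the phishing origin the browser asks for the phishing site's RP ID, for
    # which no credential exists. Browsers also refuse an RP ID that is not a
    # registrable suffix of the page origin; if that check were bypassed, the
    # origin in clientDataJSON still gives the relay away.
    ch = rp.new_challenge()
    phish = Browser(auth, "https://example-com-login.net")
    results["phished_webauthn"] = rp.verify_assertion(
        "alice", ch, phish.webauthn_get("example-com-login.net", ch))
    results["phished_webauthn_forced_rpid"] = rp.verify_assertion(
        "alice", ch, phish.webauthn_get("example.com", ch))

    # 3. The same phishing page relays the 6-digit code the user typed into it.
    results["phished_otp"] = rp.verify_otp("alice", "482913")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The relayed one-time code is accepted, the relayed WebAuthn assertion is rejected either for lacking a credential or for carrying the wrong origin, and nothing in the outcome depends on the user noticing anything. That is the property the term "phishing-resistant" refers to.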

The case against Bouquet highlights the ongoing challenge posed by financially motivated hacking groups that combine technical skills with social engineering tactics. As law enforcement continues to pursue these individuals, organizations must remain vigilant and continually adapt their security postures to counter evolving threats.

For more information on the Scattered Spider collective and recent cyber threats, organizations can consult resources from the FBI's Internet Crime Complaint Center (IC3) and the Cybersecurity and Infrastructure Security Agency (CISA), including the joint FBI/CISA advisory on Scattered Spider (AA23-320A), which catalogs the group's social engineering, MFA bombing and remote-management-tool tradecraft alongside recommended mitigations.
