Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition

Here's a tip for you all. Unless you want to draw attention to yourself as a cybercriminal, don't flaunt your diamond-encrusted "HACK THE PLANET" necklace on Snapchat, or pose as a Sopranos crime boss while the FBI is reportedly closing in.

Because if you do that, you'll only have yourself to blame for your poor operational security.

This is the picture that US prosecutors have painted of a teenager arrested earlier this month at Helsinki Airport while trying to board a flight to Tokyo.

The 19-year-old suspect - who allegedly went by the handle "Bouquet" - is accused of being an active member of the Scattered Spider cybercrime group, and now faces charges of wire fraud, conspiracy, and computer intrusion under a six-count federal complaint filed under seal in Chicago last December and recently obtained by the Chicago Tribune. The US is seeking his extradition.

Prosecutors allege that the teenage suspect took part in at least four Scattered Spider attacks , the earliest in March 2023 - just months after his 16th birthday. That first attack saw a textbook social engineering tactic deployed to reset a worker's 2FA protection, after which the attackers allegedly walked away with sensitive employee data.

A subsequent attack is alleged to have taken place in May 2025, when the gang targeted a "multibillion-dollar luxury item retailer" by phoning its IT help desk and impersonating staff to request password resets. Within hours, prosecutors say, they had compromised two privileged administrator accounts and exfiltrated 100 GB of corporate data.

The follow-up email reportedly had the subject line "IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic]" and demanded a US $8 million ransom. The retailer is said to have refused to pay up, although remediation costs allegedly exceeded US $2 million. Although the filings don't name the victim, the timing matches up with attacks against British retailers Marks & Spencer and Harrods.

It is claimed that "Bouquet" helped investigators build the case against him, by being anything but bashful about his wealth. Court documents detail trips between Dubai, Thailand, Mexico, and New York, alongside Snapchat photos of cash, watches, and the afore-mentioned "HACK THE PLANET" diamond chain.

The complaint also alleges that the Scattered Spider gang mocked law enforcement, with one 2024 screenshot reportedly showed failed login attempts captioned "F*** off, FBI."

Scattered Spider is a loosely-formed English-speaking collective of teenagers and young adults who became infamous after the 2023 attacks on MGM Resorts and Caesars Entertainment.

Their attack methodology shies away from fancy zero-day vulnerabilities, having discovered that it's simpler to make a phone call to an IT help desk, and talk someone on the other end into resetting a password or MFA token.

It's not been a great few weeks for alleged members of the Scattered Spider collective, with 24-year-old Brit Tyler Robert Buchanan pleading guilty in California recently to SMS phishing attacks that allegedly netted at least US $8 million in cryptocurrency.

Scattered Spider's success as hackers essentially relies upon one weak link - the IT help desk.

Make sure that your IT staff have a robust, mandatory process for verifying anyone who calls asking for a password reset or MFA change. In addition, ensure IT staff know that they won't get into trouble for slowing down a request, even if the caller claims to be the CEO.

You should also consider moving away from SMS-based MFA where you can, in favour of phishing-resistant alternatives like hardware security keys.

Test your own people regularly, because the attackers certainly will.