A teenager suspected of being the Scattered Spider hacker arrested in Finland, will be extradited to the US
Here’s a tip for you all. Unless you want to draw attention to yourself as a cybercriminal, don’t show off your diamond-encrusted “HACK THE PLANET” necklace on Snapchat, or pretend to be the crime boss on The Sopranos while the FBI is reportedly closing in.
Because if you do that, you’ll only have yourself to blame for your poor performance security.
This is the picture that American prosecutors drew of the teenager who was arrested earlier this month at the Helsinki airport when he tried to board a flight to Tokyo.
The 19-year-old suspect – who allegedly went by the handle “Bouquet” – is suspected of being an active member of the Scattered Spider cybercrime group, and is now facing charges of fraud, conspiracy, and computer hacking under a six-count indictment filed under seal in Chicago last December and recently obtained by Chicago Tribune. The US wants his extradition.
Prosecutors suspect that the young suspect took part in at least four Scattered Spider attacks, the first in March 2023 – a few months after his 16th birthday. That first attack saw a social engineering tactic used to reset an employee’s 2FA protection, after which the attackers made off with sensitive employee data.
The next attack allegedly took place in May 2025, when the gang targeted a “billion dollar luxury retailer” by calling the IT help desk and impersonating employees to request a password reset. Within hours, prosecutors say, they compromised two privileged administrator accounts and released 100 GB of company data.
The follow-up email reportedly had the subject line “IMPORTANT: WE HAVE RECEIVED DATA, CONTACT ASAP [sic]”He also demanded a ransom of US $8 million. The seller is said to have refused to pay, although the repair costs are said to be more than two million US dollars. Although the documents do not name the victim, the timing coincides with the attacks on the British stores Marks & Spencer and Harrods.
It is said that “Bouquet” helped the investigators to build a case against him, for not being ashamed of his wealth. Court documents detail trips between Dubai, Thailand, Mexico, and New York, as well as Snapchat photos of coins, watches, and the aforementioned “HACK THE PLANET” diamond chain.
The complaint also alleges that the Scattered Spider gang taunted law enforcement, and one screenshot from 2024 reportedly showed failed break-in attempts with the words “F*** off, FBI.”
Scattered Spider is a loosely formed English-speaking youth group that gained notoriety after the attack on MGM Resorts and Caesars Entertainment in 2023.
Their attack method avoids zero-day vulnerabilities, as they have found that it is easier to call the IT help desk, and talk to someone on the other end to reset the password or MFA token.
It hasn’t been a few weeks since suspected Scattered Spider gang member, 24-year-old Brit Tyler Robert Buchanan pleaded guilty in California recently to an SMS phishing attack that allegedly netted at least US $8 billion in cryptocurrency.
Scattered Spider’s success as hackers actually depends on one weak link – the IT help desk.
Make sure your IT staff has a robust, mandatory process to authenticate anyone who calls requesting a password reset or MFA change. In addition, make sure the IT staff knows they won’t get into trouble for declining the request, even if the caller claims to be the CEO.
You should also consider moving away from SMS-based MFA where you can, opting for phishing-resistant alternatives such as hardware authentication keys.
Check your people regularly, because attackers will definitely do it.
