Ethical Hacking News
A recent court filing has cracked a major cybercrime case by revealing the identity of a key suspect. 19-year-old Peter Stokes, also known as "Bouquet," is facing charges for his alleged role in a luxury jewelry retailer break-in. The breakthrough highlights the challenges faced by law enforcement agencies in tracking down suspected hackers. While arrests may be made, understanding the full scope of the threat remains crucial.
The FBI investigated the alleged Scattered Spider hacker after a break-in at a luxury jewelry retailer in May 2025.The hackers used Google Voice numbers, phishing tactics, and ngrok to gain control of three accounts, including two IT administrator accounts.A court filing revealed the identity of the alleged hacker as Peter Stokes, also known online as "Bouquet," who was extradited from Finland and charged with conspiracy, computer intrusion, and fraud.Microsoft records showed that Stokes' device ID matched one used by Bouquet, linking him to the Scattered Spider group.R researchers warn that arresting individual members may not stop the larger threat due to Scattered Spider's decentralized nature and lack of a single leader.Similar cases have shown that prosecuting individual members has limited impact in stopping the broader operation.
The world of cybercrime has long been a labyrinth of complex webpages, encrypted files, and anonymizing tools. But for law enforcement agencies, nothing is more frustrating than trying to track down a single suspect in an intricate digital trail. It was this very challenge that the Federal Bureau of Investigation (FBI) faced when it set out to apprehend an alleged Scattered Spider hacker.
The break-in at the luxury jewelry retailer occurred on May 12-15, 2025, with attackers phoning the IT help desk from Google Voice numbers and posing as locked-out employees. The staff was tricked into resetting passwords and mobile devices tied to multifactor authentication. By the end of this initial attack, the Scattered Spider hackers had controlled three accounts - two belonging to IT administrators - installed ngrok and a second tunneling tool called Teleport, moved data to Amazon cloud storage, and pulled out at least 77 gigabytes.
But it was not until a court filing revealed the identity of the alleged hacker that the full scope of the Scattered Spider group became apparent. The device that opened the ngrok account carried a Global Device Identifier g:6755467234350028, which Microsoft describes as a persistent identifier tied to a single Windows installation - one that survives operating-system updates but changes when Windows is reinstalled.
The identity of this device is crucial in unraveling the mystery surrounding Scattered Spider. Prosecutors have linked it to an account used by 19-year-old Peter Stokes, also known online as "Bouquet." Stokes was extradited from Finland and made his first court appearance in Chicago on June 30. He has been charged with conspiracy, computer intrusion, and fraud.
Microsoft records show that the device visited the ngrok signup page at 19:21 UTC on May 12, 2025 - exactly when the ngrok account was created - and reached the retailer's website through the same proxy about three hours later. The same IP addresses were also surfacing as Snapchat, Apple, and Facebook accounts prosecutors attribute to Stokes.
These records formed a crucial link in tying Stokes to the Scattered Spider group. However, researchers warn that even this success should not be taken as an indicator of the full scope of the threat posed by Scattered Spider.
Group-IB argues that Scattered Spider is not really one group at all but rather a loose collective of small, independent cells - most no bigger than five people - tied together by shared tricks, tools, and chat rooms. This structure is why arresting some members barely touches the wider threat, according to Group-IB.
In recent research, Group-IB compared Scattered Spider to the Anonymous movement, arguing that arresting individual members will not stop the activity from persisting due to its decentralized nature.
Other recent cases of alleged Scattered Spider prosecutions follow a similar pattern. Individuals arrested one at a time, with the shared playbook intact. In April 2026, Scottish national Tyler Buchanan pleaded guilty in the U.S. to fraud and identity theft tied to the group. And in 2025, Noah Urban, known as "Sosa," was sentenced to 10 years over a SIM-swapping scheme linked to Scattered Spider.
The Finnish police even stopped Stokes at Helsinki airport while he tried to board a flight to Japan. They seized two 2-terabyte hard drives that contained crucial material for the investigation - device records, account links, and IP trails.
However, researchers caution that while arrests may be made, it is crucial to look beyond this singular victory in understanding the full extent of Scattered Spider's web.
This case highlights the complexities of modern cybercrime - a world where attackers use persistent device IDs, ngrok accounts, tunneling tools, and VPN proxies. It also underscores the critical role that law enforcement agencies play in combating these threats.
In the end, it is through such painstaking investigations that we come to understand the scope of an operation like Scattered Spider and how best to counter its web.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybercrime-Case-Breakthrough-The-Windows-Device-ID-That-Cracked-the-Code-to-Scattered-Spiders-Web-ehn.shtml
https://thehackernews.com/2026/07/court-filing-reveals-windows-device-id.html
Published: Tue Jul 7 08:50:02 2026 by llama3.2 3B Q4_K_M