The U.S. Department of Justice, the Federal Bureau of Investigation (FBI) and the Finnish National Bureau of Investigation recently launched a joint operation and successfully arrested a 19-year-old man suspected of participating in one of the world's largest cybercrime groups at the Helsinki Airport in Finland. According to data disclosed by the U.S. Department of Justice, the hacker group, called Scattered Spider, has previously extorted more than $100 million in ransom payments through ransomware attacks.

The suspect arrested this time is named Peter Stokes, who holds dual citizenship of the United States and Estonia. At the time of the incident, he was trying to board a flight to Japan in Helsinki, but was intercepted by law enforcement officers before boarding the plane. The police found a large amount of extremely incriminating criminal evidence in two hard drives that he carried with him.
The direct trigger that led to Stokes' arrest was the cyber attack launched by the group on a luxury jeweler in the United States in May 2025. At that time, the attacker used Google Voice to call the jeweler's IT service desk, pretending to be a company employee, and successfully tricked the technician into resetting the account credentials. The move resulted in the compromise of three corporate accounts, two of which also had administrator rights. Subsequently, gang members, including Stokes, stole important data, encrypted it, and extorted $8 million worth of cryptocurrency from the jeweler. Although the jeweler eventually regained control of the system and refused to pay the ransom, the prolonged business disruption resulted in approximately $2 million in operating losses. This also prompted prosecutors and law enforcement officials to start following the clues and launch cross-border tracking.
During the investigation of the case, technology giant Microsoft provided key assistance. Microsoft provided so-called "Global Device Identifier" (GDID) data to the FBI. GDID is a unique identification number assigned to each device with Windows installed and is used to track telemetry data from a specific device. Court documents show that Stokes used the Windows 11 system during the crime. It was through this signature that investigators successfully associated his physical hardware devices with specific network activities and geographic locations. The data provided by Microsoft opened up the timeline and recorded important clues such as Stokes' network activities, online game history, IP address, tool usage (including Ngrok) and Azure status in detail.
In fact, as early as 2024, law enforcement authorities already knew Stokes' true identity. However, because he was still a minor at the time and had been living between Estonia and the United Arab Emirates for a long time, the police chose to secretly monitor him and did not close the network until this time. The official criminal complaint also included an ironic piece of physical evidence: Stokes once posted a selfie on Snapchat in which he covered his face with dozens of hundred-dollar bills. Based on the wallpaper, carpet and furniture style in the background of the photo, the police accurately determined that the location where it was taken was the Empire Hotel in New York. Records show he visited the hotel's official website in Germany and then flew to New York.
Stokes has been extradited to the United States after being arrested in Finland. On June 30, 2026, he appeared in court for the first time in Chicago federal court. Stokes is still in police custody and faces charges of conspiracy, cyber intrusion and fraud.