Security & Infrastructure Tools

US reportedly charges Scattered Spider hacker arrested in Finland

A 19-year-old dual U.S.-Estonian citizen, online alias Bouquet, was arrested in Helsinki on April 10 while trying to fly to Japan and now faces U.S. charges as a member of the Scattered Spider hacking group. Prosecutors allege he helped breach multiple high-profile targets and extort millions in ransoms, with incidents dating back to 2023 and 2025. The case comes as another Scattered Spider leader pleaded guilty earlier this month.

TechLogHub

April 28, 2026

Keep Reading

Security & Infrastructure ToolsJun 12, 2026

Ukrainian national pleads guilty to role in Conti ransomware operation

A Ukrainian national extradited from Ireland to the United States pleaded guilty to conspiracy to commit wire fraud in connection with the Conti ransomware operation, admitting to joining the group in September 2021 and possessing data stolen from eight U.S. victims and four overseas victims. He helped code a loader used in attacks and faces up to 20 years in prison. Conti, linked to TrickBot, targeted more than 1,000 victims and collected over $150 million in ransom before disbanding in 2022.

Security & Infrastructure ToolsJun 12, 2026

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More from the Blog

View all

Security & Infrastructure Tools

Microsoft Adds Copilot Data Controls to All Storage Locations

Microsoft is expanding its data‑loss prevention controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel and PowerPoint documents regardless of where they are stored—whether on local devices or in SharePoint/OneDrive. The update will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026, automatically enabling the restriction for organizations that already have DLP policies set to block Copilot from handling sensitivity‑labeled content. This change follows a bug that had allowed Copilot to summarize confidential emails in users’ Sent Items and Drafts folders despite active DLP protections.

Feb 25, 2026

Security & Infrastructure Tools

Previously harmless Google API keys now expose Gemini AI data

Stay Updated

Get the next deep dive in your inbox

Subscribe for product analysis, engineering explainers, and practical guides published on TechLogHub.

Stay Updated

Get weekly insights, product updates, and launches straight to your inbox.

US CHARGES SCATTERED SPIDER HACKER ARRESTED IN FINLAND: CASE HIGHLIGHTS

Snapshot of the Incident

A 19-year-old individual holding dual United States and Estonian citizenship was arrested in Finland earlier this month.
The suspect, who used the online alias “Bouquet,” was part of the Scattered Spider hacking collective, a loosely knit group known for financial crime and data exfiltration.
The arrest occurred at Helsinki’s airport on April 10 while the person was attempting to board a flight to Japan.
U.S. federal charges include wire fraud, conspiracy, and computer intrusion, with the case briefly detailed in a six-count complaint filed under seal in December.
Prosecutors allege involvement in multiple breaches that extorted millions of dollars from various companies worldwide.

The Arrest, Charges, and Immediate Aftermath

Finnish law enforcement detained the suspect at the international hub, in the run-up to international travel.
The individual is expected to face federal charges in the United States related to cybercrimes carried out as part of Scattered Spider operations.
The fast-moving case links the Finnish arrest to a broader U.S. criminal investigation into a highly active cybercrime group.
The government’s formal response and ongoing proceedings were not immediately available for comment at the time of the report.

The Scattered Spider Cybercrime Collective

Also known by several aliases, including 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra, the group emerged in 2022 as a loosely organized crime network.
Composition: a large share of members are teenagers or young adults from the United States and the United Kingdom.
Core modus operandi:
Social engineering to manipulate targets into revealing credentials.
MFA fatigue or MFA bombing strategies to overwhelm multi-factor authentication protections.
SMS-based credential phishing to capture login information and sensitive data.
Historical footprint: the collective has targeted numerous high-profile organizations and sectors, leveraging stolen data to demand ransoms or leverage extortion.

Notable Victims and Breaches Attributed to the Group

Caesars Entertainment and MGM Resorts in the hospitality and gaming sector.
Riot Games, the online game developer, facing ransom demands linked to the breach.
MailChimp, the email marketing service, after a breach affecting employees.
Twilio and related affiliates, in a wave of intrusions impacting hundreds of organizations.
DoorDash, Reddit, and Allianz Life, among others, with varied ransom and disruption outcomes.
UK retailers such as Co-op, Marks & Spencer (M&S), and Harrods, cited in the broader pattern of targeted attacks.
WestJet and Jaguar Land Rover (JLR) as additional high-profile examples of the group’s reach.
In each case, hackers often claimed substantial data exfiltration and demanded multimillion-dollar ransoms; many victims incurred substantial remediation costs even when ransoms were not paid.

Recent Legal Milestones Within the Group

Earlier this month, a 24-year-old identified as a leading figure within Scattered Spider pleaded guilty in the United States to wire fraud and aggravated identity theft.
The case context includes ongoing international law enforcement efforts to dismantle the network and prosecute participants across borders.
These developments underscore a pattern of aggressive online extortion and cross-border cybercrime activity associated with the group.

Operational Context and FBI/DOJ Perspective

Authorities describe Scattered Spider as a financially motivated crime ring that blends social engineering with digital credential theft to maximize extortion leverage after compromising corporate networks.
The FBI has highlighted the group’s tactics, including targeted MFA disruption and SMS phishing campaigns, as central to their attack playbook.
The victims span hospitality, technology, retail, media, and transportation sectors, illustrating the broad commercial impact of the group’s criminal activity.

Timeline of Key Events (Condensed)

2022: Scattered Spider emerges as a loosely organized network, attracting a wave of teenage and young adult participants.
2023–2025: Multiple breaches attributed to the group surface, including incidents affecting online platforms, gaming, and enterprise services.
May 2025: A notable breach involving a luxury retailer and leadership-style social engineering leads to significant access gains and ransom discussions.
December 2025: A six-count, sealed complaint outlines the group’s alleged involvement in four major breaches, with extortion attempts tied to large ransom demands.
April 10, 2026: A 19-year-old suspect linked to the group is arrested at Helsinki Airport while attempting to fly to Japan.
April 28, 2026: U.S. federal charges and cross-border investigations continue to unfold, with authorities seeking to hold participants accountable.

What This Case Illustrates About Modern Cybercrime

Cross-border operations: The arrest underscores how cybercrime networks operate across multiple countries, leveraging international travel and digital anonymity.
The economics of extortion: The repeated pattern of ransom demands (including multi-million-dollar figures) and costly remediation for victims reflects a mature, financially driven model.
Youthful participation: The involvement of young people in sophisticated intrusions highlights the ongoing challenge of securing networks against determined, well-coordinated intruders.
The value of takedown efforts: Coordinated actions by federal authorities and international law enforcement illustrate the increasing effectiveness of multijurisdictional investigations in dismantling online crime networks.

Quick Reference: Key Figures and Terms

Bouquet: Online alias used by the primary suspect in the Finland arrest.
Scattered Spider (aka 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, Muddled Libra): The loosely organized cybercrime collective implicated in multiple breaches and extortion schemes.
Wire fraud, conspiracy, computer intrusion: The central charges cited in U.S. federal proceedings.
MFA bombing / MFA fatigue: Tactics used to overwhelm multi-factor authentication defenses.
Ransom demand patterns: Claimed data exfiltration volumes and monetary targets, with varying compliance outcomes by victims.

Closing Overview

The Finland arrest ties into an ongoing U.S. federal case against a young member of Scattered Spider, marking another milestone in the global effort to curb high-profile cybercrime networks.
The broad array of victims and the sophisticated blend of social engineering with technical breaches illustrate the persistent and evolving threat landscape facing modern enterprises.
As investigations continue, authorities aim to build a cohesive narrative linking cross-border actors to a network capable of generating substantial financial disruption and reputational harm for a wide range of organizations.

US reportedly charges Scattered Spider hacker arrested in Finland

Related Posts

Ukrainian national pleads guilty to role in Conti ransomware operation

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Get the next deep dive in your inbox

Stay Updated

Early Warning Signs of Supply-Chain Attacks Live in the Dark Web

Microsoft says bug in classic Outlook hides the mouse pointer

Product

Learn

Company

Legal

Stay Updated

Browse by Category

What's New