A 19-year-old dual United States and Estonian citizen, operating under the alias "Bouquet," is facing federal wire fraud, conspiracy, and computer intrusion charges in the U.S. for his alleged role as a prolific member of the Scattered Spider cybercrime collective. According to temporarily unsealed court records obtained by the Chicago Tribune, the suspect was arrested at Helsinki's airport on April 10, 2026 while attempting to board a flight to Japan, and is tied to at least four breaches that extorted millions from large corporations worldwide.

What Happened

Finnish law enforcement detained the suspect on April 10, 2026 as he attempted to board a flight to Japan from Helsinki's airport. A six-count federal complaint, originally filed under seal in December 2025, was temporarily unsealed and reviewed by the Chicago Tribune. Prosecutors allege Bouquet participated in at least four Scattered Spider intrusions dating back to March 2023, when he was just 16 years old and allegedly helped breach an online communication platform. The arrest follows the recent guilty plea of 24-year-old Tyler Robert Buchanan, believed to be one of the group's leaders, signaling a sustained international effort to dismantle the collective's operational core.

What Was Taken

The complaint highlights a May 2025 intrusion against an unnamed multibillion-dollar luxury item retailer in which the threat actors claimed to have exfiltrated 100 gigabytes of corporate data. The group issued an $8 million ransom demand against that single victim. Even though the retailer refused to pay, it still absorbed more than $2 million in disruption and remediation costs. Across the four charged incidents, prosecutors say victim companies were forced to pay millions of dollars in ransoms, with stolen data reportedly including credentials, internal documents, and other sensitive corporate information used as extortion leverage.

Why It Matters

This case underscores three critical realities for defenders. First, Scattered Spider's bench is deep and young: members like Bouquet were active in major intrusions as minors, complicating prosecution and indicating a pipeline of English-speaking, socially fluent operators that traditional threat models underestimate. Second, international cooperation is closing the net, with arrests in the UK, U.S., Spain, and now Finland demonstrating that border-hopping is no longer a reliable evasion strategy. Third, the group's victim list, which now includes Caesars, MGM Resorts, Twilio, Allianz Life, Marks & Spencer, Co-op, Harrods, WestJet, and Jaguar Land Rover, shows that no vertical is off-limits and that the collective's tradecraft remains effective despite years of public exposure.

The Attack Technique

Scattered Spider's playbook relies overwhelmingly on human-layer compromise rather than novel exploits. In the May 2025 luxury retailer breach attributed in part to Bouquet, the actors called the victim's IT helpdesk while impersonating employees, convinced support staff to reset authentication credentials, and then escalated into administrator accounts. This pattern, combined with MFA fatigue (push bombing), SIM swapping, and SMS credential phishing, has remained the group's signature since it surfaced in 2022 under aliases including 0ktapus, Octo Tempest, UNC3944, and Muddled Libra. Once inside, operators move laterally to identity providers and cloud admin consoles, exfiltrate data for double-extortion leverage, and frequently deploy ransomware as affiliates of operations such as ALPHV/BlackCat or DragonForce to maximize pressure.
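
For defenders, the two identity-layer patterns described above (a helpdesk credential reset followed by administrator access, and MFA push bombing) can be hunted for in audit logs. The following is an added example, not taken from the complaint or the reporting; the event tuples, action labels, thresholds, and account names are constructed assumptions to be mapped onto a real identity provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (timestamp, account, action). The action
# labels are hypothetical; map them to your IdP and ticketing audit schema.
EVENTS = [
    ("2025-01-15T14:01:00", "jdoe", "helpdesk_credential_reset"),
    ("2025-01-15T14:31:00", "jdoe", "admin_role_granted"),
    ("2025-01-15T15:00:00", "asmith", "helpdesk_credential_reset"),  # routine
    ("2025-01-16T09:00:00", "asmith", "admin_role_granted"),  # outside window
    ("2025-01-15T16:00:00", "bwong", "mfa_push_denied"),
    ("2025-01-15T16:01:00", "bwong", "mfa_push_denied"),
    ("2025-01-15T16:02:00", "bwong", "mfa_push_denied"),
    ("2025-01-15T16:03:00", "bwong", "mfa_push_denied"),
    ("2025-01-15T16:04:00", "bwong", "mfa_push_denied"),
    ("2025-01-15T16:05:00", "bwong", "mfa_push_approved"),
    ("2025-01-15T17:00:00", "clee", "mfa_push_denied"),  # single mistap
    ("2025-01-15T17:01:00", "clee", "mfa_push_approved"),
]

def parse(events):
    """Return events as (datetime, account, action), ordered by time."""
    return sorted((datetime.fromisoformat(t), u, a) for t, u, a in events)

def reset_then_admin(events, window=timedelta(hours=2)):
    """Accounts granted admin rights within `window` of a helpdesk reset."""
    last_reset, hits = {}, []
    for ts, user, action in parse(events):
        if action == "helpdesk_credential_reset":
            last_reset[user] = ts
        elif action == "admin_role_granted" and user in last_reset:
            if ts - last_reset[user] <= window:
                hits.append((user, last_reset[user], ts))
    return hits

def push_fatigue(events, min_denied=5, window=timedelta(minutes=10)):
    """Accounts that approve a push after >= min_denied denials in `window`."""
    denied, hits = {}, []
    for ts, user, action in parse(events):
        if action == "mfa_push_denied":
            denied.setdefault(user, []).append(ts)
        elif action == "mfa_push_approved":
            recent = [d for d in denied.pop(user, []) if ts - d <= window]
            if len(recent) >= min_denied:
                hits.append((user, len(recent), ts))
    return hits

if __name__ == "__main__":
    print(reset_then_admin(EVENTS))
    print(push_fatigue(EVENTS))
```

The two-hour and ten-minute windows and the five-denial threshold are illustrative starting points; tune them against your own baseline of legitimate resets and mistapped prompts.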

What Organizations Should Do

Sources: US reportedly charges Scattered Spider hacker arrested in Finland