Scattered Spider Hacker Arrested in Finland Faces U.S. Charges for Multi‑Million Dollar Extortion Campaigns
What Happened – A 19‑year‑old dual U.S./Estonian citizen, known online as “Bouquet,” was detained by Finnish authorities at Helsinki Airport and is now charged in the United States with wire fraud, conspiracy, and computer intrusion for his role in Scattered Spider’s extortion operations. Prosecutors allege he helped steal and ransom data from multiple global corporations, demanding up to $8 million and causing millions in remediation costs.
Why It Matters for TPRM –
- The actor targeted a wide range of high‑profile vendors, demonstrating the breadth of risk a single threat actor can pose across sectors.
- Scattered Spider’s tactics (MFA‑bombing, SMS phishing, social engineering) bypass traditional perimeter controls, highlighting gaps in credential‑security programs.
- Ongoing investigations may surface additional victim disclosures, increasing exposure for third‑party supply chains.
Who Is Affected – Hospitality & gaming (Caesars, MGM Resorts), technology & SaaS (MailChimp, Twilio, Reddit), retail & luxury (Marks & Spencer, Harrods, Jaguar Land Rover), logistics & travel (WestJet), financial services (Allianz Life) and others.
Recommended Actions –
- Review all third‑party contracts for clauses addressing credential‑theft and extortion.
- Verify that vendors enforce MFA with anti‑fatigue controls and monitor for anomalous authentication attempts.
- Conduct a focused threat‑intel review on Scattered Spider TTPs and update incident‑response playbooks accordingly.
Technical Notes – The group leverages MFA‑bombing (push‑notification fatigue), SMS credential phishing, and help‑desk impersonation to harvest privileged credentials, then exfiltrates data (often more than 100 GB) and holds it for ransom. No specific CVE is cited; the attack surface is primarily human‑factor weaknesses. Source: BleepingComputer
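As an added illustration of the "monitor for anomalous authentication attempts" action above (example code written for this brief, not from the source article or any vendor product), the check below flags MFA push‑fatigue bursts in authentication logs. The log format, field names, user names and thresholds are all assumed and the sample lines are constructed.

```python
"""Flag MFA push-fatigue ("MFA-bombing") bursts in authentication logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like format:
#   <ISO timestamp> user=<name> event=<type> result=<sent|denied|approved>
SAMPLE_LOG = """\
2024-05-01T02:14:01Z user=alice event=mfa_push result=denied
2024-05-01T02:14:20Z user=alice event=mfa_push result=denied
2024-05-01T02:14:45Z user=alice event=mfa_push result=denied
2024-05-01T02:15:10Z user=alice event=mfa_push result=denied
2024-05-01T02:15:33Z user=alice event=mfa_push result=approved
2024-05-01T09:00:00Z user=bob event=password result=approved
2024-05-01T09:00:05Z user=bob event=mfa_push result=approved
2024-05-01T17:30:00Z user=bob event=mfa_push result=denied
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["event"], kv["result"]


def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: [(finding, timestamp), ...]}.

    'push_burst' fires once when `threshold` denied pushes land inside
    `window`; 'approve_after_burst' fires when an approval follows such a
    burst, which is the moment a worn-down user most likely let the attacker in.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent denied pushes
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:   # drop denials outside the window
            q.popleft()
        if result == "denied":
            q.append(ts)
            if len(q) == threshold:       # fire exactly once per burst
                findings[user].append(("push_burst", ts))
        elif result == "approved" and len(q) >= threshold:
            findings[user].append(("approve_after_burst", ts))
    return dict(findings)
```

Real deployments should key on the push identity provider's own event names and tune the threshold and window to the organisation's baseline denial rate.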