Full Report
A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective. [...]
Analysis Summary
# Threat Actor: Bouquet (Scattered Spider)
## Attribution & Identity
* **Actor Name:** Bouquet
* **Legal Identity:** 19-year-old dual United States and Estonian citizen (arrested April 10, 2026, in Finland).
* **Associated Groups:** Scattered Spider (also known as 0ktapus, Scatter Swine, Octo Tempest, Starfraud, and Muddled Libra).
* **Associated Individuals:** Tyler Robert Buchanan (alleged leader).
* **Group Profile:** A loosely knit hacking collective primarily composed of teenagers and young adults based in the U.S. and Great Britain.
## Activity Summary
Bouquet is alleged to be a prolific member of the Scattered Spider collective, involved in high-stakes extortion campaigns since at least 2023. Recent activities include:
* **March 2023:** Breach of an online communication platform (conducted when the actor was 16).
* **May 2025:** Breach of a multibillion-dollar "luxury item retailer" involving the theft of 100GB of data and an $8 million ransom demand.
* **April 2026:** Arrested by Finnish authorities while attempting to flee to Japan; currently facing six federal counts in the U.S., including wire fraud and computer intrusion.
## Tactics, Techniques & Procedures
* **Social Engineering:** Posing as employees during calls to corporate IT helpdesks to initiate password resets.
* **Credential Access:** Resetting authentication credentials and targeting administrator accounts.
* **MFA Fatigue/Bombing:** Spamming targets with multi-factor authentication requests until they approve access.
* **SMS Phishing:** Sending fraudulent texts to steal credentials (Smishing).
* **Data Exfiltration for Extortion:** Stealing sensitive documents and data (e.g., 100GB from a single victim) to leverage for ransom payments.
* **Ransomware/Encryption:** Usage of ransomware (notably against MGM Resorts).
**MITRE ATT&CK IDs (Inferred from context):**
* T1566.002 - Phishing: Spearphishing Link (SMS)
* T1621 - Multi-Factor Authentication Request Generation (MFA Fatigue)
* T1078 - Valid Accounts (Helpdesk social engineering)
* T1486 - Data Encrypted for Impact
* T1659 - Content Impersonation
## Targeting
* **Sectors:** Hospitality/Casinos, Gaming, Technology/Software, Retail (Luxury Goods), Telecommunications, Aviation, and Finance.
* **Geography:** Global footprint with a focus on organizations in the United States, Great Britain, Canada, and Europe.
* **Victims:**
  * **Named:** Caesars, MGM Resorts, Riot Games, MailChimp, Twilio, DoorDash, Reddit, Allianz Life, Co-op, Marks & Spencer (M&S), Harrods, WestJet, and Jaguar Land Rover (JLR).
  * **Unnamed:** A multibillion-dollar luxury item retailer and an online communication platform.
## Tools & Infrastructure
* **Malware:** Ransomware (various families including BlackCat/ALPHV associations), credential harvesters.
* **Tactics-based Infrastructure:**
  * Phishing domains (targeting Okta/SSO portals).
  * Social engineering via VoIP or mobile telephony (SIM swapping).
  * *Note: Specific defanged IPs/URLs were not provided in the source text.*
## Implications
The arrest of "Bouquet" highlights the persistent threat posed by young, highly skilled social engineers who can bypass sophisticated technical defenses (like MFA) through human-centric attacks. Scattered Spider’s ability to cause millions of dollars in disruption—even when ransoms are not paid—demonstrates a high level of operational maturity despite the group's "loosely knit" nature. This case underscores the increasing international cooperation between the FBI and Finnish law enforcement in tracking decentralised cybercrime cells.
## Mitigations
* **Helpdesk Security:** Implement strict identity verification protocols for password resets and MFA credential updates (e.g., requiring manager approval or video verification).
* **Phishing-Resistant MFA:** Transition from SMS or push-based MFA to FIDO2-compliant hardware security keys to prevent MFA bombing and interception.
* **Employee Awareness:** Specialized training for IT and Helpdesk staff to recognize sophisticated social engineering and "vishing" (voice phishing) attempts.
* **Least Privilege:** Restrict administrator account access and monitor for unusual activity in SSO (Single Sign-On) environments like Okta.
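As an added illustration of the SSO monitoring these mitigations call for (example code written for this summary, not part of the original report), the following Python runs two detections over a handful of constructed audit events: a burst of MFA push challenges to one user that ends in an approval (the MFA fatigue pattern, T1621), and an admin-initiated password reset followed within minutes by a new MFA factor enrollment from a different source IP (the helpdesk-impersonation chain described under Tactics, Techniques & Procedures). The event names, field layout, thresholds and sample records are all assumptions made for this example; a real SSO audit log such as Okta's System Log has its own schema and needs a mapping step before these functions apply.

```python
"""Detect MFA push-fatigue bursts and reset-then-enroll chains in SSO audit events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (tab-separated): timestamp, user, event, outcome, source IP.
# Event names are assumed for this example and do not follow any vendor's schema.
SAMPLE_LOG = """\
2026-04-10T09:00:01Z\talice\tmfa.push.sent\tSENT\t203.0.113.5
2026-04-10T09:00:20Z\talice\tmfa.push.sent\tSENT\t203.0.113.5
2026-04-10T09:00:41Z\talice\tmfa.push.sent\tSENT\t203.0.113.5
2026-04-10T09:01:03Z\talice\tmfa.push.sent\tSENT\t203.0.113.5
2026-04-10T09:01:25Z\talice\tmfa.push.sent\tSENT\t203.0.113.5
2026-04-10T09:01:48Z\talice\tmfa.push.sent\tSENT\t203.0.113.5
2026-04-10T09:02:10Z\talice\tmfa.verify\tSUCCESS\t203.0.113.5
2026-04-10T09:05:00Z\tbob\tmfa.push.sent\tSENT\t198.51.100.7
2026-04-10T09:05:09Z\tbob\tmfa.verify\tSUCCESS\t198.51.100.7
2026-04-10T10:12:00Z\tcarol\tpassword.reset.by_admin\tSUCCESS\t192.0.2.44
2026-04-10T10:19:30Z\tcarol\tmfa.factor.enroll\tSUCCESS\t203.0.113.9
"""


def parse_log(text):
    """Parse the tab-separated records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, ip = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "event": event, "outcome": outcome, "ip": ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=5),
                        approval_grace=timedelta(minutes=5)):
    """Flag users who receive `threshold` or more push challenges inside `window`.

    A successful verification within `approval_grace` of the burst is recorded as
    `approved_after_burst`, the pattern in which the target finally taps "approve".
    """
    recent = defaultdict(deque)   # per-user sliding window of push timestamps
    alerts = {}
    for e in events:
        user = e["user"]
        if e["event"] == "mfa.push.sent":
            q = recent[user]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop pushes outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"user": user, "pushes": 0,
                                             "burst_end": None, "approved_after_burst": False})
                a["pushes"] = max(a["pushes"], len(q))
                a["burst_end"] = e["ts"]
        elif e["event"] == "mfa.verify" and e["outcome"] == "SUCCESS":
            a = alerts.get(user)
            if a and a["burst_end"] is not None and e["ts"] - a["burst_end"] <= approval_grace:
                a["approved_after_burst"] = True
    return list(alerts.values())


def detect_reset_then_enroll(events, window=timedelta(minutes=30)):
    """Flag an admin/helpdesk password reset followed by a new MFA factor enrollment
    within `window`; a changed source IP between the two is the stronger signal."""
    last_reset = {}
    findings = []
    for e in events:
        if e["event"] == "password.reset.by_admin":
            last_reset[e["user"]] = e
        elif e["event"] == "mfa.factor.enroll" and e["outcome"] == "SUCCESS":
            r = last_reset.get(e["user"])
            if r and e["ts"] - r["ts"] <= window:
                findings.append({"user": e["user"], "reset_at": r["ts"].isoformat(),
                                 "enroll_at": e["ts"].isoformat(),
                                 "ip_changed": r["ip"] != e["ip"]})
    return findings


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return the alerts."""
    events = parse_log(text)
    return {"push_fatigue": detect_push_fatigue(events),
            "reset_then_enroll": detect_reset_then_enroll(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2, default=str))
```

On the sample data, alice is flagged for six pushes in under two minutes followed by an approval, bob's single push and approval is left alone, and carol's enrollment from a new IP eight minutes after a helpdesk reset is reported. The thresholds are deliberately parameters: the right push count and window depend on how noisy a given tenant's legitimate MFA traffic is.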