Alleged Hacker Linked to High-Profile Jewelry Store Breach
U.S. prosecutors have identified a 19-year-old Estonian-American hacker as a key player in a breach at a luxury jewelry retailer, utilizing a persistent Windows device ID to track his activities during the incident. This information emerged from a recently unsealed federal complaint that reveals intricate details about the cyber intrusion, which occurred in May 2025.
The complaint indicates that investigators traced an enduring device identifier back to the specific account used by the attackers to maintain access during the breach. The perpetrator, identified as Peter Stokes and known online by the alias “Bouquet,” has been charged with conspiracy, computer intrusion, and fraud. Stokes was extradited from Finland and made his initial court appearance in Chicago on June 30, where he is presumed innocent until proven guilty.
The attackers exploited the retailer’s IT help desk by impersonating locked-out employees through Google Voice numbers. They persuaded staff to reset passwords and reconfigure mobile devices associated with multi-factor authentication. This strategy allowed them to gain control over three accounts—two linked to IT administrators. Subsequently, they employed tunneling tools like ngrok and Teleport to exfiltrate at least 77 gigabytes of data to Amazon cloud storage.
Despite their efforts to deploy ransomware, the retailer’s security team successfully thwarted the attack, leading to their eviction from the network. The assailants proceeded to send a ransom email, demanding $8 million in cryptocurrency, but the company opted not to pay. Still, the disruption caused by the breach resulted in significant costs—estimated at around $2 million—covering investigation and recovery efforts.
This incident exemplifies a broader trend in cyberattacks where human exploitation, rather than software vulnerabilities, remains a prevalent threat. The investigation highlighted that solid identity verification protocols are critical; processes such as callback verification to known numbers, managerial sign-offs, and advanced video checks for privileged accounts could be crucial in mitigating such breaches. Additionally, implementing phishing-resistant multi-factor authentication methods could help fortify defenses against similar tactics.
The successful tracking of Stokes can largely be attributed to the device’s unique identifier, which is described by Microsoft as a persistent marker linked to specific Windows installations. The device that opened the ngrok account reportedly visited the retailer’s website via the same proxy shortly after the account was created. Moreover, investigators linked the device’s location history to social media accounts owned by Stokes, further corroborating his involvement.
While the arrest of Stokes represents a significant achievement for law enforcement, experts caution that it may not subdue the broader threats posed by the collective known as Scattered Spider. Research from cybersecurity firm Group-IB suggests that this organization functions more like a loose network of independent cells rather than a single hierarchical entity, making it resilient to such arrests. Prosecutors have attributed over 100 intrusions and more than $100 million in ransom demands to this loosely connected group.
The recent actions against Scattered Spider reflect a wider pattern of isolated arrests within this expansive network. Previous prosecutions have targeted individuals tied to similar schemes, emphasizing the ongoing nature of the threat landscape. As the investigation continues, the need for robust cybersecurity protocols and a unified approach to defense against advanced persistent threats becomes increasingly apparent. The materials recovered from Stokes, including hard drives seized during his arrest, could provide valuable insights into the mechanics of these operations and possibly expose further connections within the network.