A 10-Minute Phone Call Took Down MGM’s Systems. The 19-Year-Old Behind a Similar Scheme Just Got Extradited.
By Alex
Peter Stokes is 19 years old, holds dual US and Estonian citizenship, and was arrested in Finland this past April on an Interpol Red Notice. He was extradited to the United States and made his first federal court appearance in Chicago, charged with conspiracy, cyber intrusion, and fraud. Prosecutors allege he’s a member of Scattered Spider — a hacking collective tied to more than 100 network intrusions, over $100 million in ransom payments, and a body of technique that has almost nothing to do with sophisticated malware and almost everything to do with a convincing phone call.
The specific case against Stokes involves a luxury jewelry retailer, breached and held for an $8 million cryptocurrency ransom demand in May 2025. The retailer’s security team evicted the attackers and refused to pay — a genuine defensive win — and still ended up out at least $2 million in business disruption, investigation, and cleanup costs. That gap, between “we didn’t pay the ransom” and “we still lost millions,” is the part worth sitting with before getting to how these attacks actually work.
The Method: No Exploit Required

Scattered Spider’s signature technique, most visibly demonstrated in the 2023 MGM Resorts breach, doesn’t involve a software vulnerability at all. Attackers used LinkedIn to identify a real MGM employee, then called the company’s IT help desk impersonating that person. The call lasted ten minutes. By the end of it, the caller had convinced a help desk technician to reset credentials and hand over enough access to reach administrator privileges inside MGM’s Okta and Azure tenant environments — the identity and cloud infrastructure controlling access to practically everything else.
No phishing email had to be clicked. No malware had to execute. The entire attack surface was a help desk employee’s judgment call about whether the person on the phone was who they claimed to be, under time pressure, sounding plausible, with just enough real personal detail (gathered beforehand from social media and public business directories) to pass a casual identity check.
The group runs this as a repeatable process, not an improvised trick: open-source reconnaissance across social media and B2B platforms to build a convincing identity profile, layered phone calls to learn an organization’s specific password-reset procedures, and then a final spearphishing call — often to the help desk directly — engineered to get a password reset or an MFA token transferred to a device the attacker controls. At Caesars Entertainment, the group took a related but distinct path in, compromising a third-party IT support vendor rather than calling Caesars directly, stealing loyalty-program data, and prompting Caesars to pay a $15 million ransom rather than risk a broader leak.
Why This Keeps Working

None of these techniques are secret. CISA has published advisories on Scattered Spider’s methods since 2023. The MGM and Caesars breaches were extensively covered, picked apart in postmortems, and used as case studies in security training programs industry-wide. And the group’s next reported victim, per the Stokes complaint, still lost $2 million in May 2025 — two years after the technique became public knowledge.
That persistence points to something less fixable than a single patch or awareness campaign: identity verification at a help desk is fundamentally a human judgment problem, layered on top of a structural incentive problem. Help desk staff are measured and often compensated on resolution speed and caller satisfaction, not on how many legitimate callers they inconvenienced by insisting on rigorous verification. An attacker exploiting that dynamic isn’t finding a bug in the software — they’re finding the gap between “verify this caller’s identity thoroughly” and “resolve this ticket quickly,” and organizations that don’t explicitly resolve that tension in favor of verification keep landing in exactly this spot.
What Actually Closes the Gap
The defensive lesson from four-plus years of Scattered Spider incidents isn’t a firewall rule or an endpoint detection product — it’s identity verification procedure that doesn’t rely on the help desk employee’s on-the-spot judgment at all. Callback verification to a number already on file rather than one the caller provides, mandatory in-person or video identity checks for privileged account resets, and removing help desk agents’ ability to unilaterally reset MFA for high-privilege accounts without a second approval all directly target the exact step in the process that worked against MGM, and that Stokes is now accused of using against a jewelry retailer two years later.
Extraditing one 19-year-old doesn’t retire a technique that keeps succeeding regardless of who’s executing it. The jewelry retailer in the Stokes case did the technically right thing — refused to pay, evicted the attackers — and still absorbed a seven-figure loss. The organizations that avoid becoming the next case study are the ones that closed the actual gap Scattered Spider exploits, not the ones waiting for the next arrest to feel like closure.
- On June 23, 2026
- 0 Comment
