Windows Device ID Used to Apprehend Scattered Spider Cybercriminal
Key Takeaways A Microsoft Global Device Identifier (GDID), a persistent and unique Windows installation code, was instrumental in identifying and apprehending an alleged member of the Scattered...
Key Takeaways
- A Microsoft Global Device Identifier (GDID), a persistent and unique Windows installation code, was instrumental in identifying and apprehending an alleged member of the Scattered Spider cybercrime group.
- Peter Stokes, 19, a dual U.S.-Estonian citizen, was arrested in Finland on April 10, 2026, and faces charges related to computer intrusion, wire fraud, and conspiracy.
- The GDID, used by Microsoft for telemetry and licensing, allowed investigators to link the suspect’s personal online activities to the infrastructure used in a major cyberattack against a luxury retailer.
- This case highlights how endpoint identifiers can undermine operational security even when threat actors employ VPNs and other anonymity tools.
Cybercriminal Unmasked: Microsoft Device ID Leads to Scattered Spider Arrest
A unique identifier embedded within Windows operating systems has played a pivotal role in exposing the alleged identity of a prominent Scattered Spider cybercriminal. Federal prosecutors in the Northern District of Illinois have leveraged this persistent Microsoft device ID to tie Peter Stokes, a 19-year-old with dual U.S. and Estonian citizenship, to a series of high-profile cyber intrusions.
Table Of Content
Stokes, known by online monikers such as “Bouquet,” “Spencer,” and “Jordan,” was apprehended on April 10, 2026, in Finland while attempting to board a flight to Japan. Upon his detention, authorities discovered he was carrying two two-terabyte hard drives. He is currently awaiting extradition to the United States, where he faces charges under the Computer Fraud and Abuse Act, alongside counts of wire fraud and conspiracy.
Prosecutors allege that Stokes is an active member of the notorious Scattered Spider group, also tracked by security researchers as Octo Tempest, UNC3944, and 0ktapus. This sophisticated threat actor collective has been implicated in over 100 intrusions, resulting in more than $100 million in ransom payments. Following an Interpol Red Notice, Stokes was extradited to the U.S. and is now confronting federal charges in the Northern District of Illinois for conspiracy, computer intrusion, and fraud.
The Role of the Microsoft Global Device Identifier (GDID)
Court documents reveal that a Microsoft Global Device Identifier (GDID) was central to dismantling Stokes’s anonymity. A GDID is a distinct code assigned to every Windows installation, which Microsoft utilizes for various internal functions, including diagnostic telemetry, crash reporting, analysis of feature usage, and license verification. Its inherent durability means that even significant hardware changes can sometimes lead to Windows activation revocation.
This persistence ultimately compromised the alleged operator’s operational security. The complaint details an intrusion at “Company F,” a multi-billion-dollar luxury retailer, which commenced on May 12, 2025. The attack initiated with voice-phishing calls targeting the company’s IT help desk. Threat actors successfully impersonated employees, manipulated multi-factor authentication (MFA) resets, and gained unauthorized access to three accounts within a mere two to three hours, including two highly privileged IT administrator accounts.
Subsequently, the attackers deployed and executed an ngrok agent on a virtual server belonging to Company F. This action established an encrypted tunnel, effectively circumventing the company’s perimeter defenses. Investigators linked the ngrok account, created at 19:21 UTC on May 12, to the IP address 68.235.46.168, which corresponds to a Tzulo-hosted VPN proxy located in Mount Prospect, Illinois.
Data exfiltration was carried out using Teleport.sh and Amazon S3, with at least 77 GB of sensitive information ultimately stolen. This was followed by an attempted ransomware deployment and an $8 million extortion demand, which the company ultimately refused to pay.
Microsoft records demonstrated that the device associated with the GDID accessed ngrok’s signup page at the precise minute the account was created. Later, the same device was observed browsing Company F’s website via the identical .168 proxy. The FBI then cross-referenced the GDID’s historical IP data with a range of online accounts known to belong to Stokes, including those on Apple, Snapchat, Facebook, and even a Ubisoft/Growtopia game login.
The forensic analysis revealed highly specific overlaps. The same device and personal accounts appeared on identical IP addresses geolocated in Tallinn, Estonia; New York; and Thailand. These locations meticulously matched Stokes’s official State Department travel records and his own social media posts from various luxury hotels. While the VPN successfully obscured the network endpoint, the unique Windows installation identifier remained constant, providing a critical thread for investigators.
This case serves as a stark reminder that anonymity solutions primarily secure the network layer, not necessarily the endpoint itself. There is currently no publicly available, comprehensive Microsoft policy detailing the circumstances under which GDID data is shared with law enforcement, nor is there a known consumer opt-out mechanism or a transparency report specifically detailing GDID disclosures.
What You Should Do
- Implement robust multi-factor authentication (MFA) across all accounts, especially for privileged access, and ensure strict policies for MFA reset procedures.
- Conduct regular security awareness training for all employees, focusing on social engineering tactics like voice phishing and impersonation.
- Monitor network traffic for unusual activity, including connections to unauthorized external services like ngrok, which can indicate a breach or insider threat.
- Regularly audit and review logs from endpoints, VPNs, and cloud services for suspicious behavior or unauthorized data transfers.
- Maintain strict access controls and the principle of least privilege for all user accounts, particularly for IT administrators.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.