The use of a Windows device identifier played a pivotal role in tracing and apprehending a member of the notorious Scattered Spider hacking group. This development highlights how persistent device telemetry can unmask even sophisticated cybercriminals, as revealed in the recent indictment of Peter Stokes.
Windows Device Identifier Central to Hacker’s Arrest
On April 10, 2026, Peter Stokes, a 19-year-old dual citizen of the United States and Estonia, was detained in Finland while preparing to board a flight to Japan. He was carrying two two-terabyte hard drives at the time of his arrest. Stokes, who used aliases such as “Bouquet,” “Spencer,” and “Jordan,” is accused by US prosecutors of being an active member of Scattered Spider, also tracked as Octo Tempest, UNC3944, and 0ktapus.
Scattered Spider is a prolific threat group linked to over 100 cyber intrusions and more than $100 million in ransom payments. Stokes was extradited to the United States under an Interpol Red Notice and now faces charges of conspiracy, computer intrusion, and fraud in the Northern District of Illinois. The evidence used to unmask and connect Stokes to these crimes is notable for its reliance on a Microsoft Global Device Identifier (GDID).
How the Microsoft Global Device Identifier Unmasked the Suspect
According to federal court documents, investigators used a Microsoft GDID to break through the operational security measures employed by Stokes. The GDID is a unique code embedded in every Windows installation. It serves several purposes, including diagnostic telemetry, crash reporting, and license verification. Its persistence means that it remains constant even if a user attempts to evade detection by changing IP addresses or using proxies.
The arrest followed a 2025 cyberattack on a major luxury retailer, referred to as “Company F.” This attack began on May 12, 2025, with a series of voice-phishing calls to the retailer’s IT help desk. Attackers impersonated legitimate employees to request multi-factor authentication (MFA) resets. Within hours, they compromised three accounts, including two with high-level IT administrative privileges.
- Date of initial breach: 12 May 2025
- Target: Multinational luxury retailer (“Company F”)
- Attack vector: Voice phishing (vishing) to IT help desk
- Compromised accounts: Three (including two IT administrators)
- Malicious tools: ngrok tunnelling, Teleport.sh, Amazon S3 for data exfiltration
- Ransom demand: $8 million (unpaid)
Following successful account compromise, the attackers downloaded and executed the ngrok agent on a Company F virtual server. This created an encrypted tunnel, allowing them to bypass perimeter security controls. The ngrok account was created at 19:21 UTC on 12 May 2025, using a VPN proxy hosted in Mount Prospect, Illinois. Over 77 GB of sensitive data was exfiltrated using Teleport.sh and Amazon S3 storage solutions. A subsequent ransomware deployment was attempted but ultimately thwarted, leading to an $8 million extortion attempt that failed.
Technical Timeline and Forensic Linkages
Microsoft’s telemetry logs showed that the device carrying the GDID accessed the ngrok signup page at the precise minute the malicious account was created. The same device, using the same proxy IP, was later observed accessing Company F’s website. This provided a strong technical linkage between the attack infrastructure and Stokes’ device.
Forensic analysis did not stop there. Investigators correlated the GDID’s IP address usage with accounts known to belong to Stokes. These included Apple, Snapchat, Facebook, and even gaming platforms such as Ubisoft’s Growtopia. The overlap of the same GDID appearing on both personal and attack-related accounts, often from IPs geolocated to Tallinn, Estonia, made the link between Stokes and the Scattered Spider attacks irrefutable.
- GDID observed on ngrok account creation
- GDID matched with Company F’s web portal access
- Correlated with personal accounts (Apple, Snapchat, Facebook)
- Consistent IP geolocation to Tallinn, Estonia
Ultimately, this combination of technical evidence and careful IP tracking provided the basis for Stokes’ arrest and the robust case against him.
Why Persistent Device Identifiers Matter for Cyber Investigations
The use of a persistent device identifier, such as the Microsoft GDID, demonstrates the value and risk of built-in telemetry in modern operating systems. While these identifiers help vendors deliver updates and verify licences, they can also serve as powerful forensic tools for law enforcement when tracking sophisticated threat actors.
In this case, the GDID’s durability outlasted the suspect’s efforts to remain anonymous through VPNs and proxies. It allowed investigators to tie together disparate activities across multiple platforms and accounts, ultimately leading to a successful arrest and indictment.
Key Security Lessons for Organisations
This event reinforces several active techniques that organisations should employ to defend against similar attacks:
- Implement strict help desk identity verification, especially for MFA resets
- Use conditional access policies to restrict administrative actions
- Monitor for tunnelling and unexpected outbound connections (such as ngrok)
- Enforce controls on data exfiltration destinations
By learning from the technical details of this case, businesses can strengthen their defences against advanced social engineering and post-compromise activity.
Originally reported by cybersecuritynews.com.







