Windows Device Identifier Feature Leads to Arrest of Scattered Spider Hacking Group Member

Windows Device Identifier Feature Leads to Arrest of Scattered Spider Hacking Group Member










A persistent Microsoft device identifier was used to unravel the anonymity of an alleged Scattered Spider operator, according to a federal superseding complaint filed in the Northern District of Illinois.

Peter Stokes, 19, a dual U.S.–Estonian citizen who allegedly used the handles “Bouquet,” “Spencer,” and “Jordan,” was arrested in Finland on April 10, 2026, while attempting to board a flight to Japan.

When detained, he was carrying two two-terabyte hard drives, according to the filing. He is being held pending extradition and faces charges under the Computer Fraud and Abuse Act, as well as wire fraud and conspiracy counts.

Prosecutors allege he is a member of Scattered Spider also tracked as Octo Tempest, UNC3944, and 0ktapus a group linked to more than 100 intrusions and over $100 million in ransom payments.

He was extradited to the United States pursuant to an Interpol Red Notice and now faces federal charges in the Northern District of Illinois for conspiracy, computer intrusion, and fraud.

Microsoft Global Device Identifier Used to Unmask

Court documents reveal that a Microsoft Global Device Identifier, or GDID, was central to unmasking Stokes. A GDID is a unique code embedded in every Windows installation, used by Microsoft for diagnostic telemetry, crash reporting, feature-usage analysis, and license verification, which is why swapping a major hardware component can sometimes revoke a Windows activation.

That durability undermined the operator’s operational security. According to the complaint, the intrusion at “Company F,” a multibillion-dollar luxury retailer, began on May 12, 2025, with voice-phishing calls to the IT help desk.

(Source: DoJ)

Threat actors impersonated employees, triggered MFA resets, and compromised three accounts, including two high-privilege IT administrator accounts, within two to three hours.

The attackers then downloaded and executed an ngrok agent on a Company F virtual server, opening an encrypted tunnel to bypass perimeter defenses. Investigators tied the ngrok account, created May 12 at 19:21 UTC, to IP address 68.235.46.168, a Tzulo-hosted VPN proxy in Mount Prospect, Illinois.

Data was ultimately exfiltrated using Teleport.sh and Amazon S3, totaling at least 77 GB, followed by a thwarted ransomware deployment and an $8 million extortion demand that went unpaid.

Microsoft records placed the device carrying the GDID on ngrok’s signup page at the exact minute the account was created, and later browsing Company F’s website through the same .168 proxy. From there, the FBI correlated the GDID’s IP history against accounts known to belong to Stokes: Apple, Snapchat, Facebook, and even a Ubisoft/Growtopia game login.

Court Documents (Source: DoJ)

The overlaps were specific. The same device and the same personal accounts surfaced on identical IPs geolocated to Tallinn, Estonia; New York; and Thailand, each matching Stokes’s State Department travel records and his own social-media posts from luxury hotels. The VPN masked the network endpoint, but the Windows installation identifier did not rotate with it.

The case is a reminder that anonymity infrastructure protects the network layer, not the endpoint. There is no published, comprehensive Microsoft policy detailing when GDID data gets shared with law enforcement, no known consumer opt-out mechanism, and no transparency report that specifically breaks out GDID disclosures.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

The post Windows Device Identifier Feature Leads to Arrest of Scattered Spider Hacking Group Member appeared first on Cyber Security News.






Guru Baran





Go to cyber-security-news





Posted

in

,

by