Windows Device Identifier Helped FBI Trace Alleged Scattered Spider Member
A persistent Windows device identifier helped federal investigators connect an alleged Scattered Spider member to a 2025 intrusion at a luxury jewelry retailer, according to a superseding criminal complaint filed in the Northern District of Illinois.
The case centers on Peter Stokes, a 19-year-old dual U.S. and Estonian citizen accused of participating in Scattered Spider activity under handles including “Bouquet” and “Jordan.” The Justice Department said Stokes was arrested in Finland in April 2026 under an Interpol Red Notice and extradited to the United States to face conspiracy, computer intrusion, and fraud charges.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The newly detailed tracking element is a Microsoft Global Device Identifier, or GDID. In the superseding complaint, an FBI agent says Microsoft records linked the GDID to the ngrok account used during the retailer breach, and then to IP activity associated with accounts prosecutors attribute to Stokes.
What the Windows GDID showed investigators
The complaint says the ngrok account used in the Company F intrusion was created on May 12, 2025, at 19:21 UTC from an IP address ending in .168. That IP address was assigned to a VPN proxy service hosted by Tzulo in Mount Prospect, Illinois.
According to Microsoft records cited in the filing, the same Windows GDID accessed the ngrok signup page at the same minute the ngrok account was created. The device later visited the victim company’s website from the same .168 proxy address.
The Hacker News reported that Microsoft described the GDID in the complaint as a persistent identifier tied to one Windows installation. The identifier can remain stable across Windows operating system updates, but a Windows reinstall creates a new GDID.
| Detail | What prosecutors allege |
|---|---|
| Suspect | Peter Stokes, 19, dual U.S. and Estonian citizen |
| Alleged group | Scattered Spider, also tracked as Octo Tempest, UNC3944, and 0ktapus |
| Arrest | April 10, 2026, in Finland while attempting to board a flight to Japan |
| Victim in key incident | Company F, described as a luxury jewelry retailer |
| Intrusion window | May 12 to May 15, 2025 |
| Data stolen | At least 77 GB, according to the complaint |
| Ransom demand | About $8 million in cryptocurrency |
| Payment status | No ransom was paid, according to DOJ |
How the Company F intrusion unfolded
The intrusion began with phone-based social engineering. The complaint says the attackers used two Google Voice numbers to call the company’s IT help desk while pretending to be employees.
They asked the help desk to reset authentication credentials, including passwords and mobile devices used for multifactor authentication. Within about two to three hours, the attackers allegedly compromised three user accounts, including two belonging to IT administrators.
The CISA Scattered Spider advisory describes this as a known pattern for the group: using voice communications to persuade help desk staff to reset passwords or MFA tokens for targeted accounts.
- The attackers used Google Voice numbers to contact the help desk.
- They impersonated employee users and requested credential resets.
- They compromised three accounts in two to three hours.
- Two compromised users had access to high-privilege IT administrator accounts.
- The attackers then used those accounts to reach systems controlling virtual servers and cloud computing.
Ngrok, Teleport.sh, and Amazon S3 were used in the attack
After gaining privileged access, the attackers used ngrok to create a tunnel into the Company F data center. The complaint says the ngrok agent was installed on a company virtual server and used to establish persistent unauthorized access.
The attackers later used Teleport.sh and Amazon S3 to exfiltrate data. The filing says at least 77 GB of data was stolen, including OneDrive files, Microsoft Active Directory data, and Microsoft Operations Management Suite data.
According to The Record, the retailer did not pay the $8 million demand, but the company still suffered about $2 million in disruption, investigation, and mitigation costs.
| Tool or service | Alleged role in the intrusion |
|---|---|
| Google Voice | Used for help desk phishing calls |
| ngrok | Used to create secure tunnels and maintain unauthorized access |
| Teleport.sh | Used as part of the remote access and data exfiltration workflow |
| Amazon S3 | Used to store or transfer exfiltrated data |
| Microsoft records | Used to connect a Windows GDID to the ngrok signup activity |
How the GDID led back to personal accounts
The GDID did not identify a person by itself. Investigators used it as one signal in a larger correlation chain.
The complaint says the same GDID appeared on IP addresses that also accessed accounts prosecutors say belonged to Stokes, including Snapchat, Facebook, Apple, and Ubisoft or Growtopia-related accounts. Those overlaps appeared across Tallinn, New York, and Thailand.
The court filing says those locations matched State Department travel records and Snapchat posts, including images from luxury hotels. Investigators also cited an online game login from the same Tallinn IP address used by Apple, Snapchat, Facebook, and Ubisoft account activity.
- Investigators identified the ngrok account used in the Company F intrusion.
- ngrok records tied the account creation to a VPN proxy IP address.
- Microsoft records tied the ngrok signup activity to a Windows GDID.
- The same GDID later appeared with IP addresses linked to personal accounts.
- Those IP locations aligned with travel records and social media posts.
- Investigators used the combined evidence to support probable cause.
Why Scattered Spider relies on help desk attacks
Scattered Spider has built many attacks around identity abuse rather than software exploits. The group often targets human processes such as password resets, MFA enrollment, and help desk verification.
Microsoft tracks the group as Octo Tempest. In a Microsoft Security Blog analysis, the company described Octo Tempest as a financially motivated threat actor that uses broad social engineering campaigns, credential theft, SIM swapping, and extortion.

That approach can bypass strong technical controls if identity recovery workflows remain weak. An attacker does not need to break MFA cryptography if a help desk can be convinced to reset MFA for an attacker-controlled device.
The broader Scattered Spider case
The Justice Department says Scattered Spider has been linked to more than 100 network intrusions and more than $100 million in ransom payments, with additional victim losses. The group has also been tracked as Octo Tempest, UNC3944, and 0ktapus.
The DOJ announcement says Stokes made his initial appearance in federal court in Chicago and was ordered to remain in law enforcement custody. The charges are allegations, and Stokes is presumed innocent unless proven guilty.
CyberScoop reported that investigators and researchers had tracked Stokes’ alleged online activity for years, and that Microsoft made a criminal referral in October 2024 linking him to Scattered Spider activity, according to court records.
Why the device identifier detail matters
The GDID evidence highlights a limitation of VPN-based anonymity. A VPN can hide or alter the network endpoint visible to many services, but it does not necessarily change identifiers tied to the device, operating system installation, browser state, or account activity.
In this case, prosecutors allege that the Windows installation identifier stayed consistent while the operator moved through VPN infrastructure and different geographies. That gave investigators a durable thread to compare against other records.
The Hacker News coverage noted that the complaint shows an operator who hid attack traffic behind VPNs and tunneling tools, but left behind endpoint-linked evidence that could be correlated across services.
| Layer | What it can reveal | Why it mattered here |
|---|---|---|
| Network layer | VPN or proxy IP address | The ngrok signup came from a Tzulo-hosted proxy IP |
| Device layer | Persistent Windows GDID | Microsoft records tied the same device to the ngrok signup |
| Account layer | Google, Apple, Snapchat, Facebook, Ubisoft activity | Investigators compared overlapping IP activity |
| Travel and social layer | Location records and public or private posts | Those records allegedly matched Tallinn, New York, and Thailand activity |
What companies should learn from the case
The intrusion described in the complaint did not start with a zero-day exploit. It started with phone calls to the help desk and credential reset requests.
Organizations should tighten account recovery procedures, especially for administrators and users with access to privileged systems. Help desk staff should not reset passwords or MFA devices for sensitive accounts based only on a caller’s claims.

The CISA advisory recommends stronger controls against Scattered Spider tactics, including phishing-resistant MFA, strict verification for help desk requests, monitoring for suspicious account changes, and tighter controls around remote access tools.
- Require step-up verification for MFA resets and password recovery.
- Use phishing-resistant MFA for administrators and high-risk users.
- Separate help desk permissions from privileged account recovery.
- Alert on sudden MFA device changes for IT and finance accounts.
- Monitor new ngrok, Teleport, AnyDesk, or similar tunnel and remote access activity.
- Review cloud storage transfers after suspicious identity events.
Endpoint signals can outlast aliases
The Stokes complaint shows how investigators can combine endpoint identifiers, cloud logs, telecom records, account metadata, travel records, and social media evidence to pierce operational security.
For defenders, the same idea applies inside enterprise networks. Identity events, device identifiers, and unusual remote access patterns should be analyzed together, not separately.
The Microsoft Octo Tempest report makes the defensive point clearly: this actor blends social engineering, identity compromise, and hands-on intrusion activity. Stopping that kind of threat requires stronger human verification and better correlation across identity, endpoint, and cloud telemetry.
What happens next
Stokes remains in U.S. custody while the federal case proceeds. Prosecutors have charged him with conspiracy, computer intrusion, wire fraud, and related offenses, according to the complaint.
The Record’s coverage notes that the Company F breach is the centerpiece of the public complaint, although the filing also references other alleged intrusions.
CyberScoop also reported that Stokes allegedly possessed two two-terabyte hard drives when Finnish authorities arrested him. The case will now test how prosecutors present the digital trail that allegedly linked a Windows installation, online accounts, and an extortion operation.
FAQ
A Microsoft Global Device Identifier, or GDID, is described in the court complaint as a persistent device-level identifier tied to an installation of Windows. It can remain consistent across Windows updates, while reinstalling Windows creates a new GDID.
No. The complaint says investigators used the GDID as one part of a broader evidence chain, including ngrok records, Microsoft records, IP activity, personal accounts, travel records, and social media evidence.
Peter Stokes is a 19-year-old dual U.S. and Estonian citizen charged in the Northern District of Illinois with conspiracy, computer intrusion, and fraud offenses linked to alleged Scattered Spider activity. The charges are allegations, and he is presumed innocent unless proven guilty.
According to the complaint, the intrusion began with Google Voice phishing calls to the company’s IT help desk. The attackers pretended to be employees and persuaded staff to reset passwords and MFA devices.
Companies should enforce strict help desk verification, use phishing-resistant MFA for privileged accounts, monitor MFA resets and new remote access tools, restrict tunneling utilities, and correlate identity, endpoint, and cloud activity.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages