Windows Device Identifier Helped FBI Trace Alleged Scattered Spider Member


A persistent Windows device identifier helped federal investigators connect an alleged Scattered Spider member to a 2025 intrusion at a luxury jewelry retailer, according to a superseding criminal complaint filed in the Northern District of Illinois.

The case centers on Peter Stokes, a 19-year-old dual U.S. and Estonian citizen accused of participating in Scattered Spider activity under handles including “Bouquet” and “Jordan.” The Justice Department said Stokes was arrested in Finland in April 2026 under an Interpol Red Notice and extradited to the United States to face conspiracy, computer intrusion, and fraud charges.

The newly detailed tracking element is a Microsoft Global Device Identifier, or GDID. In the superseding complaint, an FBI agent says Microsoft records linked the GDID to the ngrok account used during the retailer breach, and then to IP activity associated with accounts prosecutors attribute to Stokes.

What the Windows GDID showed investigators

The complaint says the ngrok account used in the Company F intrusion was created on May 12, 2025, at 19:21 UTC from an IP address ending in .168. That IP address was assigned to a VPN proxy service hosted by Tzulo in Mount Prospect, Illinois.

According to Microsoft records cited in the filing, the same Windows GDID accessed the ngrok signup page at the same minute the ngrok account was created. The device later visited the victim company’s website from the same .168 proxy address.

The Hacker News reported that Microsoft described the GDID in the complaint as a persistent identifier tied to one Windows installation. The identifier can remain stable across Windows operating system updates, but a Windows reinstall creates a new GDID.

DetailWhat prosecutors allege
SuspectPeter Stokes, 19, dual U.S. and Estonian citizen
Alleged groupScattered Spider, also tracked as Octo Tempest, UNC3944, and 0ktapus
ArrestApril 10, 2026, in Finland while attempting to board a flight to Japan
Victim in key incidentCompany F, described as a luxury jewelry retailer
Intrusion windowMay 12 to May 15, 2025
Data stolenAt least 77 GB, according to the complaint
Ransom demandAbout $8 million in cryptocurrency
Payment statusNo ransom was paid, according to DOJ

How the Company F intrusion unfolded

The intrusion began with phone-based social engineering. The complaint says the attackers used two Google Voice numbers to call the company’s IT help desk while pretending to be employees.

They asked the help desk to reset authentication credentials, including passwords and mobile devices used for multifactor authentication. Within about two to three hours, the attackers allegedly compromised three user accounts, including two belonging to IT administrators.

The CISA Scattered Spider advisory describes this as a known pattern for the group: using voice communications to persuade help desk staff to reset passwords or MFA tokens for targeted accounts.

  • The attackers used Google Voice numbers to contact the help desk.
  • They impersonated employee users and requested credential resets.
  • They compromised three accounts in two to three hours.
  • Two compromised users had access to high-privilege IT administrator accounts.
  • The attackers then used those accounts to reach systems controlling virtual servers and cloud computing.

Ngrok, Teleport.sh, and Amazon S3 were used in the attack

After gaining privileged access, the attackers used ngrok to create a tunnel into the Company F data center. The complaint says the ngrok agent was installed on a company virtual server and used to establish persistent unauthorized access.

The attackers later used Teleport.sh and Amazon S3 to exfiltrate data. The filing says at least 77 GB of data was stolen, including OneDrive files, Microsoft Active Directory data, and Microsoft Operations Management Suite data.

According to The Record, the retailer did not pay the $8 million demand, but the company still suffered about $2 million in disruption, investigation, and mitigation costs.

Tool or serviceAlleged role in the intrusion
Google VoiceUsed for help desk phishing calls
ngrokUsed to create secure tunnels and maintain unauthorized access
Teleport.shUsed as part of the remote access and data exfiltration workflow
Amazon S3Used to store or transfer exfiltrated data
Microsoft recordsUsed to connect a Windows GDID to the ngrok signup activity

How the GDID led back to personal accounts

The GDID did not identify a person by itself. Investigators used it as one signal in a larger correlation chain.

The complaint says the same GDID appeared on IP addresses that also accessed accounts prosecutors say belonged to Stokes, including Snapchat, Facebook, Apple, and Ubisoft or Growtopia-related accounts. Those overlaps appeared across Tallinn, New York, and Thailand.

The court filing says those locations matched State Department travel records and Snapchat posts, including images from luxury hotels. Investigators also cited an online game login from the same Tallinn IP address used by Apple, Snapchat, Facebook, and Ubisoft account activity.

  1. Investigators identified the ngrok account used in the Company F intrusion.
  2. ngrok records tied the account creation to a VPN proxy IP address.
  3. Microsoft records tied the ngrok signup activity to a Windows GDID.
  4. The same GDID later appeared with IP addresses linked to personal accounts.
  5. Those IP locations aligned with travel records and social media posts.
  6. Investigators used the combined evidence to support probable cause.

Why Scattered Spider relies on help desk attacks

Scattered Spider has built many attacks around identity abuse rather than software exploits. The group often targets human processes such as password resets, MFA enrollment, and help desk verification.

Microsoft tracks the group as Octo Tempest. In a Microsoft Security Blog analysis, the company described Octo Tempest as a financially motivated threat actor that uses broad social engineering campaigns, credential theft, SIM swapping, and extortion.

That approach can bypass strong technical controls if identity recovery workflows remain weak. An attacker does not need to break MFA cryptography if a help desk can be convinced to reset MFA for an attacker-controlled device.

The broader Scattered Spider case

The Justice Department says Scattered Spider has been linked to more than 100 network intrusions and more than $100 million in ransom payments, with additional victim losses. The group has also been tracked as Octo Tempest, UNC3944, and 0ktapus.

The DOJ announcement says Stokes made his initial appearance in federal court in Chicago and was ordered to remain in law enforcement custody. The charges are allegations, and Stokes is presumed innocent unless proven guilty.

CyberScoop reported that investigators and researchers had tracked Stokes’ alleged online activity for years, and that Microsoft made a criminal referral in October 2024 linking him to Scattered Spider activity, according to court records.

Why the device identifier detail matters

The GDID evidence highlights a limitation of VPN-based anonymity. A VPN can hide or alter the network endpoint visible to many services, but it does not necessarily change identifiers tied to the device, operating system installation, browser state, or account activity.

In this case, prosecutors allege that the Windows installation identifier stayed consistent while the operator moved through VPN infrastructure and different geographies. That gave investigators a durable thread to compare against other records.

The Hacker News coverage noted that the complaint shows an operator who hid attack traffic behind VPNs and tunneling tools, but left behind endpoint-linked evidence that could be correlated across services.

LayerWhat it can revealWhy it mattered here
Network layerVPN or proxy IP addressThe ngrok signup came from a Tzulo-hosted proxy IP
Device layerPersistent Windows GDIDMicrosoft records tied the same device to the ngrok signup
Account layerGoogle, Apple, Snapchat, Facebook, Ubisoft activityInvestigators compared overlapping IP activity
Travel and social layerLocation records and public or private postsThose records allegedly matched Tallinn, New York, and Thailand activity

What companies should learn from the case

The intrusion described in the complaint did not start with a zero-day exploit. It started with phone calls to the help desk and credential reset requests.

Organizations should tighten account recovery procedures, especially for administrators and users with access to privileged systems. Help desk staff should not reset passwords or MFA devices for sensitive accounts based only on a caller’s claims.

Court Statement

The CISA advisory recommends stronger controls against Scattered Spider tactics, including phishing-resistant MFA, strict verification for help desk requests, monitoring for suspicious account changes, and tighter controls around remote access tools.

  • Require step-up verification for MFA resets and password recovery.
  • Use phishing-resistant MFA for administrators and high-risk users.
  • Separate help desk permissions from privileged account recovery.
  • Alert on sudden MFA device changes for IT and finance accounts.
  • Monitor new ngrok, Teleport, AnyDesk, or similar tunnel and remote access activity.
  • Review cloud storage transfers after suspicious identity events.

Endpoint signals can outlast aliases

The Stokes complaint shows how investigators can combine endpoint identifiers, cloud logs, telecom records, account metadata, travel records, and social media evidence to pierce operational security.

For defenders, the same idea applies inside enterprise networks. Identity events, device identifiers, and unusual remote access patterns should be analyzed together, not separately.

The Microsoft Octo Tempest report makes the defensive point clearly: this actor blends social engineering, identity compromise, and hands-on intrusion activity. Stopping that kind of threat requires stronger human verification and better correlation across identity, endpoint, and cloud telemetry.

What happens next

Stokes remains in U.S. custody while the federal case proceeds. Prosecutors have charged him with conspiracy, computer intrusion, wire fraud, and related offenses, according to the complaint.

The Record’s coverage notes that the Company F breach is the centerpiece of the public complaint, although the filing also references other alleged intrusions.

CyberScoop also reported that Stokes allegedly possessed two two-terabyte hard drives when Finnish authorities arrested him. The case will now test how prosecutors present the digital trail that allegedly linked a Windows installation, online accounts, and an extortion operation.

FAQ

What is a Microsoft Global Device Identifier?

A Microsoft Global Device Identifier, or GDID, is described in the court complaint as a persistent device-level identifier tied to an installation of Windows. It can remain consistent across Windows updates, while reinstalling Windows creates a new GDID.

Did the Windows device identifier alone identify Peter Stokes?

No. The complaint says investigators used the GDID as one part of a broader evidence chain, including ngrok records, Microsoft records, IP activity, personal accounts, travel records, and social media evidence.

Who is Peter Stokes?

Peter Stokes is a 19-year-old dual U.S. and Estonian citizen charged in the Northern District of Illinois with conspiracy, computer intrusion, and fraud offenses linked to alleged Scattered Spider activity. The charges are allegations, and he is presumed innocent unless proven guilty.

How did the Company F intrusion begin?

According to the complaint, the intrusion began with Google Voice phishing calls to the company’s IT help desk. The attackers pretended to be employees and persuaded staff to reset passwords and MFA devices.

How can companies defend against Scattered Spider tactics?

Companies should enforce strict help desk verification, use phishing-resistant MFA for privileged accounts, monitor MFA resets and new remote access tools, restrict tunneling utilities, and correlate identity, endpoint, and cloud activity.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages