iToverDose / Hardware · 5 July 2026 · 14:05

How Microsoft’s Windows tracking helped FBI catch Scattered Spider hacker

A 19-year-old dual U.S.-Estonian citizen was arrested in Helsinki after Microsoft’s Global Device Identifier tracked his Windows device, revealing ties to a $100M ransomware group. The arrest highlights the controversial role of OS telemetry in cybercrime investigations.

Source: Tom's Hardware

The arrest of 19-year-old Peter Stokes in Helsinki on June 28, 2026, marked a significant breakthrough in the FBI’s investigation into the notorious cybercrime syndicate Scattered Spider. Authorities allege Stokes, a dual U.S.-Estonian citizen, was attempting to flee to Japan when he was detained at Helsinki Airport. His apprehension followed a coordinated effort involving the U.S. Department of Justice, the FBI, and Finland’s National Bureau of Investigation, with critical assistance from Microsoft’s Global Device Identifier (GDID) system.

The Scattered Spider threat and Stokes’ alleged role

Scattered Spider, also known as Octo Tempest, UNC3944, and Oktapus, has emerged as one of the most prolific cybercrime groups globally. Prosecutors describe the group as responsible for extorting over $100 million in ransom payments from organizations across multiple industries. Their tactics rely heavily on social engineering, including impersonating employees to manipulate IT helpdesks into resetting credentials.

According to court documents, Stokes was directly implicated in a May 2025 attack on a luxury jewelry retailer based in the United States. The attackers reportedly called the company's IT support line via Google Voice, posing as internal employees, and talked the helpdesk into resetting the credentials of three accounts, two of which held administrative privileges. Once inside the network, the group exfiltrated sensitive data and demanded an $8 million cryptocurrency ransom. Although the retailer refused to pay, the breach still resulted in an estimated $2 million in operational losses.
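The detection a defender would want after reading the attack described above is an alert when helpdesk-driven password resets hit privileged accounts, or when one operator resets several accounts in a single short call. The following Python is an added example, not code from the article or from any organization named in it: it runs those two rules over constructed records shaped like Windows Security event 4724 ("An attempt was made to reset an account's password"). The operator names, the account names and the privileged-account set are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security event 4724:
# "subject" is the operator performing the reset, "target" is the account
# whose password is reset. These are illustrative, not logs from the case.
SAMPLE_EVENTS = [
    {"time": "2025-05-12T09:14:03", "event_id": 4724, "subject": "helpdesk01", "target": "jdoe"},
    {"time": "2025-05-12T09:16:40", "event_id": 4724, "subject": "helpdesk01", "target": "svc_backup_admin"},
    {"time": "2025-05-12T09:17:55", "event_id": 4724, "subject": "helpdesk01", "target": "it_admin2"},
    {"time": "2025-05-12T11:30:12", "event_id": 4720, "subject": "helpdesk01", "target": "newhire"},
    {"time": "2025-05-12T14:02:10", "event_id": 4724, "subject": "helpdesk02", "target": "asmith"},
    {"time": "2025-05-12T16:45:00", "event_id": 4724, "subject": "helpdesk02", "target": "bjones"},
]

# Hypothetical privileged-account list. In production this would be derived
# from group membership (e.g. Domain Admins), not a hard-coded set.
PRIVILEGED_ACCOUNTS = {"svc_backup_admin", "it_admin2", "domain_admin"}


def _parse_time(value):
    return datetime.fromisoformat(value)


def find_suspicious_resets(events, privileged, window=timedelta(minutes=30), burst_threshold=3):
    """Apply two rules to password-reset events and return a list of alerts.

    privileged_reset: any helpdesk reset of an account in the privileged set.
    reset_burst:      one operator resets >= burst_threshold distinct accounts
                      inside `window`, the shape of a helpdesk being walked
                      through several resets during one call.
    """
    alerts = []
    resets = sorted(
        (e for e in events if e["event_id"] == 4724),
        key=lambda e: _parse_time(e["time"]),
    )

    # Rule 1: privileged accounts should not be reset through the helpdesk path.
    for e in resets:
        if e["target"] in privileged:
            alerts.append({"rule": "privileged_reset", "subject": e["subject"],
                           "targets": [e["target"]], "time": e["time"]})

    # Rule 2: sliding time window over each operator's resets.
    by_subject = defaultdict(list)
    for e in resets:
        by_subject[e["subject"]].append(e)

    for subject, evs in by_subject.items():
        start = 0
        reported = False
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while _parse_time(evs[end]["time"]) - _parse_time(evs[start]["time"]) > window:
                start += 1
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) >= burst_threshold and not reported:
                alerts.append({"rule": "reset_burst", "subject": subject,
                               "targets": sorted(targets), "time": evs[end]["time"]})
                reported = True  # one alert per operator is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print(alert)
```

On the constructed input the first rule fires twice (the two administrative accounts) and the second fires once for helpdesk01, whose three resets fall within four minutes; helpdesk02's two resets hours apart produce nothing. Pairing the reset event with the verification the operator performed (callback to a number on file, manager approval) is what turns this from a detection into a control.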

Microsoft’s GDID: A digital fingerprint in the investigation

Microsoft’s role in Stokes’ arrest underscores the growing reliance on device-level telemetry in cybercrime investigations. The Global Device Identifier (GDID) is described in the reporting as a unique, persistent identifier assigned to every Windows installation. Unlike account- or cookie-based tracking, it reportedly stays tied to the device’s hardware configuration, which the filings present as making common evasion moves such as swapping hardware or migrating to a virtual machine less effective at breaking the link to a device.

Investigators leveraged GDID data to establish a direct link between Stokes’ physical device and the online activities associated with the Scattered Spider attacks. According to court filings, the data included:

  • Timestamps of Windows sessions
  • IP addresses linked to the device
  • Installed applications and gaming history
  • Usage of tools like Ngrok and Azure services
  • Geolocation records derived from network connections

This granular telemetry gave prosecutors a timeline of Stokes’ digital footprint, mapping his movements and interactions across multiple platforms. The data was reportedly comprehensive enough for investigators to "connect the dots" before building the full case against him. The two hard drives Stokes was carrying at the time of his arrest, which allegedly contained incriminating evidence, further complicated his defense.

Privacy concerns and the future of OS telemetry

The use of GDID in criminal investigations has reignited debates over the balance between cybersecurity and user privacy. While Microsoft’s telemetry played a pivotal role in apprehending a high-profile cybercriminal, critics argue that such invasive tracking mechanisms could be exploited if accessed by malicious actors. Unlike traditional data collection methods, GDID cannot be easily disabled or removed by end users, raising concerns about its potential misuse.

This incident also highlights the broader trend of law enforcement agencies increasingly relying on proprietary telemetry from technology providers. As cybercrime evolves, so too does the arsenal of tools available to investigators—though at what cost to individual privacy remains an open question. For now, Stokes remains in U.S. custody following his extradition. His first court appearance in Chicago on June 30, 2026, set the stage for a high-stakes trial that could further define the boundaries of digital evidence in cybercrime cases.

AI summary

Peter Stokes, a 19-year-old Scattered Spider member tracked through Microsoft’s GDID system, was caught in Finland. The suspect, linked to the cybercrime group, faces conspiracy and cyber intrusion charges in the U.S.
