How One Hidden Windows Identifier Unmasked an Alleged Scattered Spider Hacker + Video

Listen to this Post

Featured ImageIntroduction: A Tiny Digital Fingerprint That Changed an International Cybercrime Investigation

Cybercriminals often rely on encrypted communications, VPN services, anonymous accounts, and stolen identities to avoid detection. For years, these tactics have made ransomware investigations extremely difficult, allowing sophisticated threat actors to operate across multiple countries with little fear of immediate identification.

However, modern digital forensics is evolving just as quickly as cybercrime itself. Law enforcement agencies are increasingly combining device telemetry, cloud service records, account activity, travel history, and social media evidence to build highly detailed investigations. A recent U.S. criminal case demonstrates exactly how powerful this approach has become.

According to federal investigators, a single Microsoft Windows Global Device Identifier (GDID) played a critical role in identifying 19-year-old Peter Stokes, an alleged member of the notorious Scattered Spider ransomware group. What initially appeared to be an anonymous hacking operation ultimately became one of the strongest examples of modern cyber attribution through digital evidence.

The Alleged Hacker Behind Multiple Online Identities

Authorities allege that Peter Stokes, a dual U.S.-Estonian citizen, operated under several online aliases including “Bouquet,” “Spencer,” and “Jordan.”

Rather than relying solely on traditional investigative methods, the FBI reportedly connected these identities through a persistent Windows device identifier known as a Global Device Identifier (GDID).

Unlike IP addresses, which can change frequently, or browser fingerprints that may be altered, a GDID remains tied to a Windows installation across numerous Microsoft services. Although reinstalling Windows generates a new identifier, normal operating system updates do not alter it, making it a valuable forensic artifact.

This small but persistent identifier eventually became one of the most significant pieces of evidence in the investigation.

How the FBI Connected the Digital Evidence

According to court filings, Microsoft records revealed that a specific GDID was used to register an ngrok account on May 12, 2025, at precisely the same time investigators believe attackers were preparing to compromise a luxury jewelry retailer identified only as Company F.

The ngrok service was allegedly used to establish a secure tunnel into the victim’s network, allowing attackers to remotely access internal systems without immediately raising suspicion.

Investigators later discovered that the very same Windows device accessed Company F’s website through a VPN proxy hosted by Tzulo in Mount Prospect, Illinois.

While this alone was not enough to identify a suspect, it provided investigators with an important digital trail.

Cross-Referencing Multiple Online Platforms

The investigation expanded far beyond Microsoft records.

Using search warrants, investigators reportedly obtained connection logs from several personal online services associated with Peter Stokes, including Snapchat, Facebook, and Apple.

When analysts compared these logs against IP addresses associated with the GDID, they observed repeated overlaps.

Connections originating from Tallinn, Estonia, New York City, and Thailand appeared within short timeframes across both the alleged hacker’s device and his personal accounts.

Investigators strengthened these findings even further by examining U.S. State Department travel records and Snapchat photos reportedly uploaded from hotels visited during those same periods.

Rather than relying on a single piece of evidence, authorities built a timeline composed of numerous independent data points that consistently pointed toward the same individual.

The Company F Ransomware Attack

According to prosecutors, the attack against Company F began with a familiar but highly effective social engineering technique.

Attackers allegedly called the

Through carefully crafted phishing conversations, they convinced support personnel to reset multi-factor authentication credentials for three user accounts.

Two of those compromised accounts reportedly held elevated administrative privileges.

Once inside the network, attackers allegedly deployed ngrok along with additional tools including Teleport.sh and Amazon S3 to quietly transfer stolen information outside the victim’s environment.

Investigators estimate that approximately 77 gigabytes of sensitive corporate data were exfiltrated.

The stolen information reportedly included:

Active Directory records

Internal authentication data

Employee OneDrive files

Corporate documents

Sensitive organizational information

The attackers allegedly demanded $8 million in ransom.

The company refused to pay.

As a result, prosecutors estimate the organization ultimately suffered roughly $2 million in damages.

Scattered

The criminal complaint connects Stokes to the hacking collective widely known as Scattered Spider.

Cybersecurity researchers also track this group under several additional names, including:

Octo Tempest

UNC3944

0ktapus

The organization has become one of the most dangerous financially motivated cybercrime groups operating today.

Authorities allege that Scattered Spider has been responsible for more than 100 network intrusions, generating over $100 million in ransomware payments while targeting organizations across the United States and the United Kingdom.

Victims have reportedly included companies from industries such as:

Insurance

Telecommunications

Technology

Retail

Critical infrastructure

Unlike many ransomware operations that depend primarily on software vulnerabilities, Scattered Spider has gained notoriety for exploiting human behavior through sophisticated phishing, social engineering, SIM swapping, MFA bypass techniques, and help desk impersonation.

Additional Digital Evidence Strengthened the Case

Investigators reportedly recovered additional evidence from a seized virtual private server referred to as “Subject Server 1.”

According to prosecutors, the server contained:

Data stolen from more than a dozen victim organizations

A custom Telegram search bot

Virtual Android devices

Okta Authenticator applications

Azure Authenticator applications

Infrastructure allegedly used to bypass multi-factor authentication protections

The recovered infrastructure suggests an organized operation rather than isolated cyber incidents.

Arrest and Extradition

Authorities arrested Peter Stokes in Finland on April 10, 2026, while he was reportedly attempting to board a flight to Japan.

The arrest followed an Interpol notice connected to a U.S. arrest warrant issued several months earlier.

He now faces extradition to the United States, where prosecutors have charged him with multiple offenses, including:

Conspiracy to commit computer fraud

Wire fraud

Extortion

Violations of the Computer Fraud and Abuse Act

If convicted, the charges could carry significant prison sentences.

Why the GDID Matters for Future Cybercrime Investigations

Historically, investigators relied heavily on IP addresses, malware signatures, financial transactions, and communication records.

This case demonstrates a significant evolution in cyber investigations.

Device-level telemetry—particularly persistent identifiers like

Rather than viewing each digital artifact independently, investigators increasingly assemble comprehensive behavioral profiles capable of linking anonymous online activity to real-world identities.

As ransomware groups become more technically sophisticated, law enforcement is responding with increasingly advanced forensic methodologies that leverage multiple independent sources of evidence simultaneously.

What Undercode Say:

The Peter Stokes investigation represents a major milestone in digital forensics and cybercrime attribution.

For years, ransomware operators believed that VPNs, encrypted messaging platforms, disposable accounts, and anonymous infrastructure were sufficient to remain invisible. This investigation demonstrates that anonymity today is rarely achieved through a single protective technology.

The most interesting technical aspect of this case is not the ransomware itself—it is the forensic methodology.

A Global Device Identifier was never designed as a law enforcement tracking tool. Instead, it exists primarily to support Microsoft’s ecosystem and fraud prevention capabilities. Yet investigators successfully transformed this seemingly ordinary identifier into the cornerstone of a multinational criminal investigation.

Equally important is the correlation strategy employed by investigators.

No single piece of evidence appears overwhelming on its own.

Instead, prosecutors combined Microsoft telemetry, ngrok account creation records, VPN connections, social media activity, Apple account logs, Facebook sessions, Snapchat uploads, travel records, hotel locations, and seized server infrastructure into one consistent timeline.

This layered investigative model dramatically reduces the possibility of mistaken attribution.

From a cybersecurity perspective, the attack itself also reinforces a critical reality.

The attackers did not begin with sophisticated malware.

They started with phone calls.

Social engineering remains one of the most successful attack vectors because it exploits human trust instead of software vulnerabilities.

Organizations continue investing millions into endpoint protection, firewalls, and AI-powered detection systems while many help desks still lack sufficient protection against identity-based attacks.

The use of MFA reset manipulation illustrates that authentication technologies are only as secure as the administrative processes supporting them.

Even strong authentication becomes ineffective if attackers convince support personnel to reset credentials.

Another important takeaway is the increasing importance of cloud service providers during investigations.

Microsoft, Apple, Meta, VPN providers, and infrastructure services collectively possess enormous quantities of metadata.

When lawful requests combine records from multiple providers, investigators can reconstruct surprisingly accurate timelines.

This trend is likely to influence future ransomware investigations worldwide.

Threat actors may respond by adopting even more compartmentalized operational security practices.

Meanwhile, technology companies may continue improving device telemetry designed to identify suspicious behavior before attacks become successful.

Ultimately, this case sends a powerful message throughout the cybercriminal ecosystem:

Digital anonymity is becoming increasingly fragile.

Every online action leaves traces.

Individually those traces may seem insignificant.

Collectively they can expose an entire criminal operation.

Deep Analysis

Command 1: Analyze the Initial Access

The attackers successfully exploited human psychology rather than software flaws, highlighting that social engineering continues to outperform many purely technical attack methods.

Command 2: Examine Identity Infrastructure

Persistent device identifiers combined with cloud account telemetry created a robust attribution chain that traditional IP analysis alone could not achieve.

Command 3: Review Attack Progression

Credential manipulation led to privileged access, which enabled lateral movement, secure tunneling, data exfiltration, and ultimately ransomware extortion.

Command 4: Evaluate Defensive Weaknesses

Help desk verification procedures represented the weakest security layer, allowing attackers to bypass otherwise strong authentication controls.

Command 5: Assess Future Impact

This investigation will likely encourage security vendors to expand endpoint telemetry while motivating threat actors to invest more heavily in operational security and device isolation.

✅ Verified: Court documents indicate investigators used

✅ Verified: The reported attack chain—including phishing calls, MFA resets, ngrok tunneling, and large-scale data theft—is consistent with known tactics previously associated with Scattered Spider.

✅ Verified: The reported arrest in Finland and pending extradition align with publicly disclosed law enforcement actions, although guilt will ultimately be determined through the judicial process.

Prediction

(+1) Digital device identifiers and cross-platform telemetry will become standard evidence in major cybercrime investigations, significantly improving attribution accuracy.

(-1) Cybercriminal organizations will likely respond by adopting stricter operational security practices, disposable operating systems, shorter-lived infrastructure, and more advanced identity-obfuscation techniques to reduce future exposure.

(+1) Organizations are expected to increase investment in help desk verification procedures, identity protection, behavioral analytics, and phishing-resistant authentication to counter attacks that rely primarily on social engineering rather than software vulnerabilities.

▶️ Related Video (86% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube