Tech News

How a Windows GDID Helped the FBI Track Down a Scattered Spider Member

A simple technical identifier present on every Windows machine was enough to put the FBI on the trail of a suspected member of the Scattered Spider hacking group. Its name: GDID, or Global Device Identifier. This marker associated with each Windows installation made it possible to link a machine to a cyberattack dating back to May 2025 against a U.S. luxury jeweler, and then trace it back to Peter Stokes, 19, who is now charged in the United States.

A Windows identifier at the heart of the manhunt

According to the federal complaint filed in the Northern District of Illinois and made public in late June 2026, Microsoft provided the FBI with records related to a Global Device Identifier (GDID). Microsoft describes this identifier as a persistent identifier, tied to a specific Windows installation, that survives system updates and only changes if the machine is fully reinstalled. In other words, it uniquely identifies a Windows machine.

In the court documents, the device in question had a unique GDID: g:6755467234350028. As proof that Microsoft knows a great deal about device activity, investigators were able to determine that this machine had visited the ngrok sign-up page on May 12, 2025 at 7:21 p.m. UTC. So what does that mean? It turns out that this was the exact minute when an account was used to maintain access during the intrusion, and then it connected to the jeweler’s site through the same proxy about three hours later.

The cross-checking does not stop there. The same device reappeared on the same IP addresses, at the same times, on Snapchat, Apple, and Facebook accounts prosecutors attribute to Peter Stokes. Investigators place him in Tallinn, Estonia in June 2024, in New York in November 2024, and then in Thailand in February 2025, trips corroborated by U.S. State Department travel records. The defendant also appears to have made repeated digital hygiene mistakes, flaunting stacks of cash, watches, and diamond chains on Snapchat, one of which displayed the message "HACK THE PLANET".

On paper, GDID is not a hidden spying feature in Windows 11. It is neither a mechanism for Microsoft to continuously track every user; it first serves a functional purpose within Windows. But in this case, it is true that it helped investigators trace the hacker.

However, Microsoft does not document this identifier much. GDID appears to be a persistent identifier assigned to each Windows installation, on both physical and virtual machines, and used as an anchor point across some of the vendor’s services. It could be a marker used to identify a machine and intended to support Windows connected features and telemetry. According to a reverse-engineering analysis published on GitHub, it would be based on a 64-bit identifier assigned by Microsoft’s servers when the device is enrolled, rather than on hardware fingerprinting. These technical details remain unconfirmed, however, because they do not come from Microsoft.

An attack that started with the help desk

The intrusion itself did not exploit any software vulnerability. As is often the case with cyberattacks, it targeted the weakest link: people. According to the complaint relayed by The Hacker News, here is how the attack unfolded between May 12 and May 15, 2025:

  • Calls to the jeweler’s IT support desk, made from Google Voice numbers, with the attackers posing as employees locked out of their accounts.
  • Password and mobile device resets, obtained from the support teams, for the accounts associated with multi-factor authentication (MFA).
  • Within hours, takeover of three accounts, including two with administrative privileges.
  • Deployment of ngrok and Teleport tunneling tools, followed by exfiltration of at least 77 GB of data to Amazon cloud storage.

The Scattered Spider hackers then allegedly attempted to deploy ransomware, but the intrusion was detected in time. Even so, an extortion demand was sent, followed by a ransom demand of around $8 million in cryptocurrency. The company refused to pay and now estimates its losses at at least $2 million (including downtime, investigation, and remediation).

This attack scenario is a good example of why it is necessary to secure the help desk against social engineering attacks, for example by enforcing strict identity verification before any reset.

Scattered Spider: Peter Strokes arrested

As for the arrested hacker, Peter Stokes, he is being prosecuted for conspiracy, computer intrusion, and fraud. He was arrested in Finland in April 2026 on the basis of an Interpol red notice, then extradited to the United States, where he appeared for the first time on June 30 before a Chicago court. He is presumed innocent pending trial. According to the U.S. Department of Justice, Scattered Spider is believed to be involved in more than 100 intrusions, with more than $100 million in ransoms paid. The attack against MGM Resorts (2023) is probably one of their biggest hits.

It is not out of the question that law enforcement is on the trail of other members of the Scattered Spider group. Indeed, when Finnish police intercepted Peter Stokes at Helsinki Airport as he was trying to board a flight to Japan, they seized two 2 TB hard drives. These storage devices could contain information about tools, infrastructure, or contacts leading to the next member.... Stay tuned.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.