- 970
- 261
A curious detail has been uncovered in the case file of 19-year-old Peter Stokes, whom US authorities link to the hacker group Scattered Spider. Investigators identified the suspect using his Microsoft Windows Global Device Identifier (GDID)—a persistent identifier for a Windows installation—which helped link the device to a cyberattack, a VPN service, and Stokes' personal accounts.
The attack concerned an unnamed jewelry and luxury goods retailer that occurred in May 2025. According to investigators, Scattered Spider members called the company's IT support team using Google Voice and posed as employees who had lost access to their accounts. The hackers convinced the operators to reset their passwords and unlink the mobile devices used for two-factor authentication.
As a result, in just a few hours, the attackers took over three accounts, including those of two IT administrators. They then installed ngrok and Teleport, uploaded at least 77 GB of data to the Amazon cloud, and attempted to deploy ransomware on the company's network.
The organization's specialists managed to block the attack before encryption began and blocked the hackers' access. However, the extortionists still demanded $8 million in cryptocurrency from the company, threatening to publish the stolen data. The victim organization refused to pay the ransom, but the downtime, infrastructure restoration, and cleanup cost it more than $2 million.
According to court documents, an ngrok account created during the attack helped law enforcement track down Stokes. According to Microsoft, on May 12, 2025, at 7:21 PM, the ngrok registration page was opened on a device with the GDID g:6755467234350028, and a new account was created at the same time. Approximately three hours later, a computer with the same GDID accessed the victim company's website through the Tzulo VPN service.
Microsoft documentation describes the Global Device Identifier as a persistent identifier for a specific Windows installation. This ID persists across operating system updates and changes when the system is reinstalled. Various Windows services use the identifier, and the associated data is stored in Microsoft's infrastructure.
Investigators compared the GDID data with IP addresses associated with activity on Snapchat, Apple, and Facebook accounts believed to belong to Stokes. Matches were recorded in Tallinn, where the suspect lived, as well as in New York and Thailand (these movements were confirmed by Stokes' travel records obtained from the US State Department).
As we previously reportedIn the spring of 2026, Stokes was detained at Helsinki Airport while preparing to fly to Japan. He was later extradited to the United States, where he faces charges of fraud, conspiracy, and computer hacking related to the extortion of millions of dollars from major companies. Investigators will now have to prove Stokes' guilt in court.
As a reminder, the hacker group Scattered Spider (aka 0ktapus, Octo Tempest, Scatter Swine, UNC3944, and Muddled Libra) emerged in 2022. This is not a typical hacker group in the traditional sense, but an English-speaking community, primarily consisting of teenagers and young adults from the United States, the United Kingdom, and several European countries.
Researchers from Group-IB note that isolated arrests are unlikely to stop the group's attacks. The contents of the drives seized from Stokes could prove far more important if they contain contacts, data related to the Scattered Spider infrastructure, or tools of other group members.
The attack concerned an unnamed jewelry and luxury goods retailer that occurred in May 2025. According to investigators, Scattered Spider members called the company's IT support team using Google Voice and posed as employees who had lost access to their accounts. The hackers convinced the operators to reset their passwords and unlink the mobile devices used for two-factor authentication.
As a result, in just a few hours, the attackers took over three accounts, including those of two IT administrators. They then installed ngrok and Teleport, uploaded at least 77 GB of data to the Amazon cloud, and attempted to deploy ransomware on the company's network.
The organization's specialists managed to block the attack before encryption began and blocked the hackers' access. However, the extortionists still demanded $8 million in cryptocurrency from the company, threatening to publish the stolen data. The victim organization refused to pay the ransom, but the downtime, infrastructure restoration, and cleanup cost it more than $2 million.
According to court documents, an ngrok account created during the attack helped law enforcement track down Stokes. According to Microsoft, on May 12, 2025, at 7:21 PM, the ngrok registration page was opened on a device with the GDID g:6755467234350028, and a new account was created at the same time. Approximately three hours later, a computer with the same GDID accessed the victim company's website through the Tzulo VPN service.
Microsoft documentation describes the Global Device Identifier as a persistent identifier for a specific Windows installation. This ID persists across operating system updates and changes when the system is reinstalled. Various Windows services use the identifier, and the associated data is stored in Microsoft's infrastructure.
Investigators compared the GDID data with IP addresses associated with activity on Snapchat, Apple, and Facebook accounts believed to belong to Stokes. Matches were recorded in Tallinn, where the suspect lived, as well as in New York and Thailand (these movements were confirmed by Stokes' travel records obtained from the US State Department).
As we previously reportedIn the spring of 2026, Stokes was detained at Helsinki Airport while preparing to fly to Japan. He was later extradited to the United States, where he faces charges of fraud, conspiracy, and computer hacking related to the extortion of millions of dollars from major companies. Investigators will now have to prove Stokes' guilt in court.
As a reminder, the hacker group Scattered Spider (aka 0ktapus, Octo Tempest, Scatter Swine, UNC3944, and Muddled Libra) emerged in 2022. This is not a typical hacker group in the traditional sense, but an English-speaking community, primarily consisting of teenagers and young adults from the United States, the United Kingdom, and several European countries.
Researchers from Group-IB note that isolated arrests are unlikely to stop the group's attacks. The contents of the drives seized from Stokes could prove far more important if they contain contacts, data related to the Scattered Spider infrastructure, or tools of other group members.