In a significant breakthrough in cybersecurity, the use of a Microsoft device identifier has led to the identification and arrest of a suspected member of the Scattered Spider hacking group. This development was outlined in a federal complaint filed in Illinois, highlighting the role of this unique device ID in piercing the veil of anonymity surrounding the suspect.
Arrest of Alleged Hacker in Finland
The accused, 19-year-old Peter Stokes, a dual citizen of the U.S. and Estonia, was detained in Finland on April 10, 2026. Stokes, known online by aliases such as “Bouquet” and “Spencer,” was apprehended while preparing to travel to Japan, carrying two large-capacity hard drives. He faces extradition to the United States where he will confront charges related to computer fraud, wire fraud, and conspiracy under the Computer Fraud and Abuse Act.
Authorities allege Stokes is part of the Scattered Spider group, also known as Octo Tempest, UNC3944, and 0ktapus. This collective has been linked to over 100 cyber intrusions and demands exceeding $100 million in ransom payments.
Role of Microsoft’s Global Device Identifier
A key element in the investigation was Microsoft’s Global Device Identifier (GDID), which played a crucial role in tracing Stokes’s activities. This identifier is embedded in every Windows installation and is instrumental for Microsoft in performing diagnostic and telemetry tasks. Its persistence proved to be a weakness in Stokes’s operational security, leading investigators to connect him to various cyber activities.
The complaint details an attack on a luxury retailer, dubbed “Company F,” which began with a series of voice-phishing attempts targeting the company’s IT help desk. Within a short time, the attackers compromised several accounts, including high-level administrative accounts, and implemented an encrypted tunnel using ngrok to infiltrate the company’s systems securely.
Tracing Cyber Activities and Legal Implications
Investigators were able to link the GDID to an ngrok account created with a specific IP address. This connection was crucial in tracing the cyber operations back to Stokes. Further analysis matched this digital footprint with accounts belonging to Stokes on platforms like Apple and Facebook, all tied to locations he had visited, as confirmed by his travel records and social media activity.
This case underscores the limitations of anonymity technologies, which often protect the network layer but not the individual devices involved. The lack of a comprehensive policy from Microsoft regarding the sharing of GDID data with law enforcement raises questions about privacy and transparency.
As the legal proceedings continue, this case serves as a stark reminder of the complexities involved in cybersecurity and the enduring challenge of safeguarding digital privacy while pursuing justice against cybercriminals.
