Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Windows Device ID Aids FBI in Hacker Investigation

Windows Device ID Aids FBI in Hacker Investigation

Posted on July 7, 2026 By CWS

A recent court filing details how U.S. prosecutors have linked a suspected hacker from the Scattered Spider group to a cyberattack on a prestigious jewelry retailer. This connection was made possible through a persistent Windows device ID, as revealed in a newly unsealed federal complaint.

Linking the Device to the Crime

Records from Microsoft tied the device ID to an account used to maintain access during the May 2025 intrusion. Prosecutors allege that this account belongs to 19-year-old Peter Stokes, charged with conspiracy, computer intrusion, and fraud. Stokes, a dual citizen of the U.S. and Estonia known online as ‘Bouquet,’ was extradited from Finland and appeared in a Chicago court on June 30.

Details of the Security Breach

The attack took place between May 12 and 15, 2025, when perpetrators impersonated locked-out employees using Google Voice numbers. They contacted the retailer’s IT help desk, convincing staff to reset passwords and devices linked to multifactor authentication. This granted them control over three accounts, including two from IT administrators.

Subsequently, the attackers installed the tools ngrok and Teleport, transferring at least 77 gigabytes of data to Amazon cloud storage. Although an attempted ransomware deployment was thwarted by the retailer’s security team, a ransom demand for $8 million in cryptocurrency was still issued. The breach caused approximately $2 million in damages despite the company not paying the ransom.

Tracing the Attacker

Investigators traced the attack back to Stokes through the device that opened the ngrok account. Microsoft informed the FBI that the Global Device Identifier, g:6755467234350028, is a persistent identifier linked to a single Windows installation. This identifier surfaced at the time the ngrok account was created and matched activity on the retailer’s website.

Furthermore, the device was associated with Snapchat, Apple, and Facebook accounts linked to Stokes, with activity traced to various locations, including Tallinn, New York, and Thailand. Despite utilizing a VPN proxy and aliases, Stokes is alleged to have flaunted his activities and travels on social media.

Implications of the Arrest

While this arrest ties a single operator to the attack, it may not significantly impact the broader threat. Research by Group-IB indicates that Scattered Spider is not a singular group but a collective of small, independent cells. This structure resembles the Anonymous movement, suggesting that even multiple arrests may not eliminate the threat entirely.

Prosecutors allege that Scattered Spider is responsible for over 100 intrusions and more than $100 million in ransoms. However, Group-IB argues that the decentralized nature of these cells allows for continued activity despite arrests.

Continuing Investigations

Other cases linked to Scattered Spider have followed a similar pattern, with individuals being arrested one by one while the group’s methods remain intact. For example, in April 2026, Tyler Buchanan, a Scottish national, pleaded guilty to fraud and identity theft linked to the group. Similarly, other members have faced charges in connection with significant hacks like the Transport for London breach.

When Finnish authorities apprehended Stokes at Helsinki airport, they seized critical evidence, including two 2-terabyte hard drives. Such material may prove vital in dismantling the network, potentially revealing tools, infrastructure, or contacts necessary to reach additional members.

The Hacker News Tags:Cybercrime, Cybersecurity, data breach, Extradition, FBI, Hacker, luxury retailer, Peter Stokes, Scattered Spider, Windows device ID

Post navigation

Previous Post: Phishing Scam Targets Job Seekers via Fake Recruiter Emails
Next Post: Adobe ColdFusion Vulnerability Faces Active Exploitation

Related Posts

DragonForce Hackers Exploit Microsoft Teams for Stealthy Attacks DragonForce Hackers Exploit Microsoft Teams for Stealthy Attacks The Hacker News
Arch Linux AUR Packages Hijacked for Malware Deployment Arch Linux AUR Packages Hijacked for Malware Deployment The Hacker News
Apple Warns Old iPhone Users of Web Attacks Apple Warns Old iPhone Users of Web Attacks The Hacker News
Global Crypto Scam Crackdown: 276 Arrests, 1M Seized Global Crypto Scam Crackdown: 276 Arrests, $701M Seized The Hacker News
New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices The Hacker News
Cybercrime Groups Exploit Vishing for SaaS Attacks Cybercrime Groups Exploit Vishing for SaaS Attacks The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • MCP Servers Found with Thousands of Security Flaws
  • Microsoft Device Code Phishing Campaign Targets M365 Accounts
  • CISA Utilizes AI Model Mythos to Enhance Code Security
  • Tarah Wheeler’s Journey: From Social Science to Cybersecurity Leadership
  • GitHub Workflow Vulnerability Exposes Private Repo Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • MCP Servers Found with Thousands of Security Flaws
  • Microsoft Device Code Phishing Campaign Targets M365 Accounts
  • CISA Utilizes AI Model Mythos to Enhance Code Security
  • Tarah Wheeler’s Journey: From Social Science to Cybersecurity Leadership
  • GitHub Workflow Vulnerability Exposes Private Repo Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark