Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

_____k1 pts0 comments

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker - iTnews

Latest News

UN chief warns AI outpacing oversight

FMCG giants give consumer products an AI makeover

Attorney-General's Dept backs Copilot Chat, Google NotebookLM

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

Indara appoints its first CTO

Home

News

Technology

Security

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

By

Juha Saarinen

Jul 6 2026 7:15AM

Persistent device identifier.

Peter Stokes, the 19-year-old American-Estonian extradited from Finland to face Scattered Spider hacking charges in the United States, is allegedly tied to a US$8 million ($11.5 million) ransom demand largely through a Microsoft global device identifier (GDID), a court affidavit suggests.

The US Federal Bureau of Investigation (FBI) alleged in its complaint that "criminal referrals from Microsoft" were among the evidence presented for Stokes' alleged offending.

"Cyber security researchers at Microsoft, through the course of their job, have access to data,<br>such as computer machine IDs, IP addresses, and malware samples associated with<br>sophisticated cybergroups," the FBI said in its affidavit.

Stokes allegedly hid his device behind a virtual private network (VPN) server which he then used to open an account on the ngrok secure tunnelling service.

But doing so did not mask the unique GDID of the Windows installation he used.

Microsoft identified that GDID for investigators after a court order, based on ngrok's time-stamped access records.

Such GDIDs are typically used for diagnostic and crash reporting, feature-usage analysis, and detecting abuse patterns such as one machine repeatedly claiming free trials or licences.

Security teams also use this kind of device-level correlation defensively, since a login from an unfamiliar device paired with a known identifier, or the reverse, a familiar device suddenly signing into an unfamiliar account, is a useful signal for spotting compromised credentials.

Investigators then examined the GDID's wider IP address history, finding other addresses in Tallinn, New York and Thailand that matched login times on Stokes's Snapchat, Apple and Facebook accounts.

While Microsoft's GDID does the heaviest lifting in the FBI's case against Stokes, social network Snapchat's account access logs were also important.

Stokes had posted pictures on Snapchat of himself while travelling overseas and staying at luxury hotels, displaying a conspicious amount of weath.

Nearly every IP address match in the FBI's affidavit allegedly paired the GDID with a Snapchat login, within minutes of each other.

Apple's records also corroborated two such matches, one in New York and another in Thailand, while Facebook contributed a further overlap in Tallinn dating back to June 2024.

Stokes faces six counts of offending, and was arrested on April 10 by Finnish police while attempting to board a flight to Japan.

Four of the charges relate to the alleged US$8 million ransom demand against a luxury goods retailer.

Two further, broader charges allege conspiracy tied to his time in Scattered Spider, drawing on chat logs, a 2024 Microsoft referral and records recovered from a separate seized server.

His case is part of the FBI's Operation Riptide that aims to counter the loosely organised Scattered Spider hacking group linked to over 100 attacks involving large-scale data breaches and more than US$100 million in extortion.

Add iTnews as your trusted source

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © iTnews.com.au . All rights reserved.

Tags:

gdidglobal device identifiermicrosoftscattered spidersecuritysnapchat

Related Articles

Google disrupts NetNut proxy network

OAIC ordered to turn over Amex privacy determination in full

Microsoft improves AI bot defences in Teams

Bendigo Bank aims to have Australia's "first agentic SOC"

Join our WhatsApp Channel

Partner Content

Learn more →">Promoted Content

Digital sovereignty is no longer optional - Agentic AI has made it fundamental

Learn more →">Promoted Content

Unmanaged SaaS is now a compounding liability. Can your governance keep up?

Scalable AI solutions: secure delivery

Learn more →">Partner Content

CommBank creates opportunities for technologists to upskill with frontier AI companies

Sponsored Whitepapers

Innovate anywhere with HPE and Azure Local

Cloud Covered Report: New Zealand

How healthcare organisations can get more value from cloud

The governed agent: A new framework for responsible AI at scale

Securing Machinery of Government changes

Events

iTnews State of Data & AI Breakfast

Forrester's AI Forum Sydney

The 2026 iAwards

Integrate 2026

Security Exhibition & Conference

Most Read Articles

Bendigo Bank aims to have Australia's "first agentic SOC"

ASD to retire Essential Eight cyber security framework within next two years

Services Australia...

microsoft device alleged scattered spider stokes

Related Articles