Tracking Peter Stokes and the Com

_tk_1 pts0 comments

Tracking Peter Stokes and The Com: Allison Nixon and Her Work Unmasking Cybercriminals

Sign in<br>Subscribe

Any time a member of The Com gets arrested, there’s a good chance Allison Nixon played a role in it. Nixon is chief research officer at the cyber investigations firm Unit221B, named after the apartment number of famed literary detective Sherlock Holmes. She has built her career tracking members of The Com, the loosely affiliated collection of hacking groups that have wreaked havoc on corporate America the last three years.<br>Unmasking cybercriminals who think they’re anonymous has become Nixon’s stock in trade, as has her talent for identifying nascent cybercrime trends before they become major problems and for zeroing in on budding cybercriminals in the early days of their careers before they get on the radar of law enforcement. Her work tracking them is often what puts them on that radar.<br>In April, authorities arrested Peter Stokes in Finland, a 19-year-old member of The Com-affiliated group Scattered Spider, which is behind ransomware and data theft-extortion schemes against companies like MGM Resorts, Visa, Twilio, and the luxury fashion brands Dior, Louis Vuitton and Tiffany and Company, among others. Stokes, who has dual US-Estonian citizenship and used the alias “Bouquet” online was arrested at a Finnish airport before boarding a flight to Japan, and this month US authorities announced his successful extradition to the US.<br>The indictment against him mentions how Microsoft used GDID (Global Device Identifier) - a unique ID that Microsoft assigns to every device on which Windows is installed — to track his online activity in 2025, including log-ins to social media and messaging accounts like Snapchat and Facebook and access to victim networks. According to the evidence, Stokes was part of a May 2025 breach of a luxury jewelry brand — not identified by name in the indictment but believed to be Tiffany and Co — in which the cybercriminals demanded an $8 million ransom. He allegedly used a VPN proxy to obscure his IP address when he tunneled into the company’s servers, but due to the GDID associated with his computer, Microsoft was able to connect the activity to his machine.<br>There has been a lot of speculation that the GDID was the way Bouquet/Stokes was unmasked. But Nixon says investigators uncovered Bouquet’s real identity years earlier, after he posted a threat against her in a Telegraph channel in September 2022 when he was just 15 years old. “Shoutout to Allison Nixon, hope you get put in a spliff bitch,” Bouquet wrote at the time. She reported the post and Bouquet to her community of security researchers and law enforcement contacts, leading someone to uncover his real identity within months. The Microsoft GDID tracking was simply part of a years-long investigation in the aftermath of this threat to produce a trail of evidence connecting Stokes’ computer to various crimes over the last four years. Some of that evidence went into the indictment that was produced after he became an adult and could be charged with felonies.<br>Nixon says often the cybercriminals she tracks were never on her radar before they posted a death threat about her. They only became a target of her tracking after threatening her, eventually leading to their arrest.<br>In some respects, despite using VPNs and other cloaking measures, Stokes and his accomplices didn’t make it hard for investigators to identify them or tie them to their crimes. In March 2023, Stokes and an accomplice allegedly breached the backend infrastructure of an online communication platform — a platform on which they both already had user accounts. Stokes used his account under the moniker "Bouquet", according to the indictment. The indictment doesn't identify the platform, but it's possibly Snapchat, since the indictment references Stokes' use of a Snapchat account frequently. The two accomplices "discussed and plotted" their breach of the platform in messages exchanged between their user accounts on the platform, and because Stokes’ accomplice used the same IP address to breach the company that he used to log in to his user account on the company's platform, the company was able to tie that user account to their backend breach.<br>In addition to this, two months before the March breach, Stokes had published to his "Bouquet" user account on the breached platform a photo of what appeared to be his school homework. In the top righthand corner of the homework was the name “Peter William Stokes.”<br>Stokes was also fond of posting images of himself that seemed to reveal some of the illicit spoils from his crimes — for example, a 2024 image shows him flashing a fan of what appears to be $100 bills from a room at the 4-star Empire Hotel in New York (the Upper West Side hotel made famous in Gossip Girl when rich kid Chuck Bass purchases it and uses it as his home base for business dealings); another image shows him wearing what appears to be a diamond-encrusted...

stokes nixon bouquet platform tracking indictment

Related Articles