TheVortiq

Microsoft Helped FBI Arrest Scattered Spider Hacker Using Unique Windows Identifier

The GDID, a Windows 11 device identifier, was key to tracking and arresting Peter Stokes, a 19-year-old linked to the notorious extortion group.

July 5, 2026 · 3 min read


TL;DR: Microsoft provided the FBI with the Windows 11 Global Device Identifier (GDID) used to track Peter Stokes, a 19-year-old hacker linked to the Scattered Spider group. The case highlights the power of telemetry in investigations and reopens the privacy debate.

What happened?

On June 19, 2025, Finnish authorities arrested Peter Stokes, a 19-year-old with dual US and Estonian citizenship, at Helsinki Airport as he attempted to board a flight to Japan. Stokes is accused of belonging to Scattered Spider, one of the world's most active cyber extortion groups, responsible for over $100 million in ransom payments, according to the US Department of Justice (DOJ).

The arrest was made possible by information provided by Microsoft, which shared with the FBI the Global Device Identifier (GDID) associated with the computer used by Stokes. This unique identifier, assigned to each Windows 11 installation, made it possible to link the criminal activity to a specific physical device, despite the use of VPNs and other anonymity techniques.

The formal indictment focuses on a May 2025 attack against a US luxury jeweler. The attackers, impersonating employees via phone calls using Google Voice, convinced the IT help desk to reset credentials, gaining access to three accounts (two with administrator privileges). They stole sensitive data and demanded an $8 million ransom in cryptocurrency. Although the company did not pay, operational losses are estimated at $2 million.
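The attack pattern described above, a phone-based help-desk credential reset followed by logons to privileged accounts, is one a defender can watch for. The following is an added example, not code from the article or from any party it describes: a small Python detector that runs over constructed log lines and flags any help-desk-initiated password reset that is followed, within a short window, by a successful logon from a device identifier the account has never used before. The log format, field names, account names, device identifiers and IP addresses are all assumptions chosen for the illustration; the only point taken from the article is that a persistent device identifier, unlike the IP address, stays constant across the attacker's sessions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not from the article).
# One admin account is reset by the help desk and then used from a device
# it has never logged on from, over two different IP addresses.
LOG_LINES = [
    "2025-05-11T08:00:00Z event=logon user=admin-ops result=success device=dev-77e ip=203.0.113.5",
    "2025-05-11T08:05:00Z event=logon user=carol result=success device=dev-30c ip=203.0.113.6",
    "2025-05-12T10:01:44Z event=pw_reset user=admin-ops by=helpdesk channel=phone",
    "2025-05-12T10:03:10Z event=logon user=admin-ops result=success device=dev-f9c ip=198.51.100.7",
    "2025-05-12T10:05:33Z event=logon user=admin-ops result=success device=dev-f9c ip=192.0.2.44",
    "2025-05-12T10:30:00Z event=pw_reset user=carol by=helpdesk channel=phone",
    "2025-05-12T10:32:00Z event=logon user=carol result=success device=dev-30c ip=203.0.113.6",
    "2025-05-12T11:20:00Z event=pw_reset user=bob by=self channel=portal",
    "2025-05-12T11:21:15Z event=logon user=bob result=success device=dev-22b ip=203.0.113.9",
]

# Accounts treated as privileged (assumed for the example).
PRIVILEGED = {"admin-ops"}
# How long after a reset a first-seen device still counts as suspicious.
WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict with a datetime."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, window=WINDOW, privileged=PRIVILEGED):
    """Flag help-desk resets followed by logons from a never-seen device.

    Returns one alert per flagged reset, listing the new device identifiers
    and every IP those logons came from (the device id is the stable key;
    the IPs are expected to vary when the attacker uses a VPN).
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "pw_reset" or ev.get("by") != "helpdesk":
            continue  # self-service resets are not in scope here
        user = ev["user"]
        # Baseline: devices this account successfully used before the reset.
        baseline = {
            e["device"] for e in events[:i]
            if e["event"] == "logon" and e["user"] == user and e["result"] == "success"
        }
        # Logons after the reset, inside the window, from an unknown device.
        suspicious = [
            e for e in events[i + 1:]
            if e["event"] == "logon" and e["user"] == user
            and e["result"] == "success"
            and e["ts"] - ev["ts"] <= window
            and e["device"] not in baseline
        ]
        if suspicious:
            alerts.append({
                "user": user,
                "reset_at": ev["ts"].isoformat(),
                "privileged": user in privileged,
                "new_devices": sorted({e["device"] for e in suspicious}),
                "ips": sorted({e["ip"] for e in suspicious}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

On the sample data only the admin-ops reset is flagged: carol was also reset by the help desk but then logged on from her usual device, and bob's reset was self-service. The alert carries both IP addresses the attacker used while the device identifier stayed the same, which is the correlation the article credits the GDID with enabling.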

Why is it important?

This case marks a milestone in collaboration between tech companies and law enforcement. The GDID, an identifier Microsoft collects for telemetry and license management, has become a powerful forensic tool. Unlike IP addresses or cookies, the GDID is persistently tied to hardware, making it difficult to evade.

Scattered Spider, also known as Octo Tempest or UNC3944, is known for its sophistication in social engineering. The group has attacked dozens of companies, including Las Vegas casinos and critical infrastructure providers. Stokes' arrest could dismantle part of the network, though the group remains active.

The case also reignites the privacy debate. Microsoft does not publicly disclose how it stores or shares GDIDs, and this collaboration with the FBI could set a precedent for other companies (Google, Apple) to follow suit. For users, it means their Windows 11 devices leave a virtually indelible digital footprint.

What consequences will it have?

In the short term, Stokes is expected to face charges of conspiracy, computer intrusion, and fraud, with possible prison sentences. The DOJ has indicated that the investigation continues and more arrests may follow.

For the cybersecurity industry, this case reinforces the importance of telemetry as an attribution tool. Companies will need to balance cooperation with authorities and user data protection. Microsoft is likely to update its privacy policies to clarify the use of GDID in legal contexts.

For criminals, the lesson is clear: using commercial operating systems like Windows leaves traces that law enforcement can use. This could drive cybercriminals to migrate to more opaque systems or to employ more advanced obfuscation techniques.

What should readers know?

  • The GDID is not new: Microsoft has used it since Windows 10 for telemetry and licensing purposes. However, its use in criminal investigations is novel.
  • Not just Windows: Other operating systems and platforms also collect similar identifiers. For example, advertising identifiers on iOS and Android can be used for tracking purposes.
  • Protective measures: Although it is difficult to remove the GDID, using virtual machines, alternative operating systems (Linux), or hardware obfuscation tools can reduce exposure.
  • Legal context: Microsoft's collaboration was conducted under a court order, so it is not mass surveillance but a specific case. However, privacy advocates warn it could be expanded.

"The GDID is like a digital fingerprint: unique, persistent, and hard to change. This case demonstrates its power as an investigative tool, but also underscores the need for a public debate on its limits," commented a cybersecurity analyst consulted by TheVortiq.
