
Microsoft identified an alleged Scattered Spider member through Windows telemetry despite the suspect using a VPN to mask his IP address.
The details appear in the superseding criminal complaint against Peter Stokes, whose extradition to the United States we covered last week. A closer review of the filing shows that investigators relied on Microsoft's Windows telemetry, provider records, seized infrastructure, and social media evidence to link the activity to the alleged hacker.
Investigators relied on a combination of Microsoft criminal referrals, provider records, VPN logs, social media evidence, and infrastructure seized during the investigation to attribute activity to the 19-year-old dual US-citizen. While VPNs successfully obscured the underlying internet connection, Microsoft linked activity to a persistent Windows device identifier that remained constant across multiple online services.
The unsealed filing centers on a May 2025 intrusion at a luxury jewelry retailer that investigators say resulted in approximately 77 GB of stolen data and an $8 million ransom demand. During the attack, the threat actors allegedly created an ngrok account used to establish persistent tunnels into the victim's network. Records from ngrok showed the account was created from IP address 68.235.46.168, which belonged to a VPN proxy server hosted by Tzulo in Mount Prospect, Illinois.
Ordinarily, a VPN endpoint alone would reveal little about the operator behind the connection. However, investigators say Microsoft had visibility beyond the IP address.
According to the complaint, Microsoft recorded that the device used to create the ngrok account was associated with a Global Device Identifier (GDID), a persistent identifier tied to a Windows installation. Microsoft describes the GDID as a globally unique identifier assigned to a Windows installation that remains consistent across operating system updates and is only regenerated after Windows is reinstalled.
Microsoft's records allegedly showed that the same Windows device visited ngrok's signup page at the exact time the malicious account was created. More importantly, investigators claim that the identical GDID had been observed accessing Microsoft services from the same VPN infrastructure used during the attack, including the .168 VPN server used to register the ngrok account. Roughly three hours later, the same device allegedly visited the victim company's website through that VPN connection.
The FBI then correlated the GDID with activity across Stokes' Apple, Snapchat, and Facebook accounts.
According to prosecutors, the Windows device repeatedly shared identical IP addresses with accounts that investigators had already attributed to Stokes, including residential connections in Tallinn, Estonia; public IP addresses observed while he was traveling in New York; and hotel and mobile connections used during trips to Thailand. The complaint also references travel records and Snapchat posts that allegedly placed Stokes in those same locations at the relevant times, allowing investigators to connect the Windows device to its user despite the use of VPN infrastructure during the alleged intrusion.
The complaint further alleges that Microsoft telemetry was only one component of a much broader body of evidence. Investigators also cite server logs recovered from infrastructure allegedly used by Scattered Spider, records from ngrok, Google, Teleport.sh, and cloud providers, as well as seized social media accounts, all of which they say independently support the attribution.
The filing serves as a reminder that VPNs primarily conceal network paths rather than device identity. Modern operating systems and online services generate numerous persistent identifiers and behavioral signals that, when combined with provider records and legal process, can allow investigators to correlate activity across seemingly unrelated accounts and sessions.







Leave a Reply