How a Hidden Windows GDID and a Single Photo Exposed a Top Hacker

An FBI forensic analysis reveals how the Global Device Identifier (GDID) embedded in Windows, combined with cross-referenced social media photos and IP data, unraveled a sophisticated social‑engineering attack by the Scattered Spider group, exposing the limits of VPNs, MAC spoofing, and legitimate tunneling tools.

Black & White Path
Black & White Path
Black & White Path
How a Hidden Windows GDID and a Single Photo Exposed a Top Hacker

1. Airport Arrest – What Was on the Hard Drives?

On April 10, 2026, 19‑year‑old Peter Stokes, a dual US‑Estonia citizen, was stopped at Helsinki Airport while attempting to board a flight to Japan. He is identified as a core member of the Scattered Spider (also known as Octo Tempest) hacking group. A 35‑page criminal indictment released by the Northern District of Illinois details more than 100 network intrusions linked to over $1 billion in ransomware payments.

2. A Phone Call Breached a Multi‑Billion‑Dollar Retail Defense

2.1 Attack Start: Social‑Engineering Phone Call

On May 12, 2025, the group targeted an unnamed luxury‑goods retailer (referred to as “Company F”). Instead of exploiting a software flaw, the attackers placed two Google Voice calls to the company’s IT help desk, impersonating employees and requesting password and MFA device resets. Within 2–3 hours three accounts, including two IT admin accounts, were compromised.

2.2 Lateral Movement Using Legitimate Tools

After gaining admin credentials, the attackers used the legitimate tools ngrok (a secure tunnel service) and Teleport.sh together with Amazon S3 to exfiltrate data. In three days they stole at least 77 GB of information.

2.3 Ransomware Attempt

The group tried to deploy ransomware, but the victim’s security team detected and evicted them. On May 15 the attackers sent a ransom note demanding $8 million; the company refused, incurring roughly $2 million in downtime and remediation costs.

3. Scattered Spider: A Brand, Multiple Operators

3.1 Real Member Profiles

Noah Urban ("Sosa"/"King Bob") – sentenced to 120 months for SIM‑swap attacks.

Thalha Jubair and Owen Flowers – pleaded guilty in London for a August 2024 attack that crippled the city’s transport system.

Tyler "Tylerb" Buchanan – pleaded guilty in April 2026.

3.2 DragonForce – Ransomware‑as‑a‑Service Ecosystem

Chat logs on Stokes’s server reference the RaaS brand DragonForce . An affiliate complained about a $500 login fee while claiming the group generated over $1 million in revenue.

4. The Real Catch: The Windows GDID That Never Goes Public

4.1 What Is GDID?

GDID (Global Device Identifier) is a persistent, device‑level identifier used by Microsoft to uniquely identify a Windows installation across Microsoft services.

"The global device identifier in the Windows ecosystem is a persistent, device‑level identifier designed to uniquely locate a Windows OS instance across specific Microsoft services."

In plain language: every time the device connects to the internet, Microsoft knows exactly which device it is.

4.2 Why Changing VPN and MAC Address Didn’t Help

Stokes used a proxy IP from the Tzulo hosting provider, believing he was invisible. The FBI did not chase a single IP; instead they cross‑referenced GDID activity with other account IP histories.

Snapchat and Facebook photos placed him in Paris, New York, Bangkok, and Dubai, wearing a diamond necklace labeled “HACK THE PLANET”.

A birthday message bragging about a database of wire‑transfer data matched the birthdate in US State Department records.

On Jan 8, 2025 the same IP accessed his Apple, Ubisoft, and Growtopia accounts within two minutes.

Individually these signals are noise, but their temporal and spatial overlap created an undeniable portrait.

4.3 Key Evidence: GDID 6755467234350028

The indictment’s page 9 reveals that at 19:21 UTC on May 12 2025, the computer bearing GDID 6755467234350028 accessed the ngrok signup page:

"https://dashboard.ngrok.com/signup"

Microsoft logs also show the GDID contacting multiple sites linked to the attack infrastructure, tying the identifier to the entire operation.

5. GDID’s Privacy Pitfall: Is Windows a Monitoring Tool?

5.1 DiagTrack – The Never‑Ending Telemetry Stream

The GDID is reported back to Microsoft via the DiagTrack (Connected User Experience and Telemetry) service, silently sending the identifier to the cloud.

Security expert Matthew Hiko tweeted, "Microsoft Windows is surveillance software."

5.2 Can Reinstalling Windows Remove GDID?

Microsoft documentation states GDID persists across updates but a fresh OS install generates a new GDID. However, the security community notes Microsoft can link new and old GDIDs through the Microsoft account login or IP address, effectively keeping the same profile.

5.3 Does Apple Have a Similar Issue?

Researcher Costin Lau asked on the "Three Friends" podcast whether Apple devices expose an equivalent hardware‑bound identifier, suggesting that true anonymity might require Linux or BSD with VPN/Tor.

6. Red‑Team Perspective: Lessons From the Case

6.1 Attacker View

Social‑engineering phone call – bypasses technical defenses.

MFA reset takeover – exploits the weak link in credential‑reset processes.

Legitimate tools (ngrok, Teleport, S3) – avoid detection.

VPN + proxy infrastructure – masks single‑point IP traces.

Even when each step is executed perfectly, OS‑level telemetry can stitch together a complete digital identity.

6.2 Defender View

MFA reset workflow is a critical blind spot; attackers obtain a fresh MFA token.

Behavioral baselines matter more than signatures; first‑time ngrok tunnels or large S3 uploads are suspicious in context.

GDID is a double‑edged sword: a powerful forensic tool for law enforcement but a hidden privacy risk for all Windows users.

7. Conclusion

The Peter Stokes case marks a watershed in cybersecurity history. It proves two points:

1. Social engineering remains the most effective entry vector – a single phone call, two credential resets, and admin access within three hours, without any zero‑day or malware.

2. OS‑level telemetry, exemplified by the hidden GDID, has become the core battlefield of digital forensics. Its exposure sparks intense debate over privacy boundaries.

For ordinary users, the harsh truth is that device privacy is far less than assumed. For security professionals, the case underscores that attackers already understand defenders’ blind spots, and defenders must start monitoring the unseen system‑level data streams.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

social engineeringngrokdigital forensicsTeleportGDIDWindows telemetry
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.