How a Hidden Windows GDID and a Single Photo Exposed a Top Hacker
An FBI forensic analysis reveals how the Global Device Identifier (GDID) embedded in Windows, combined with cross-referenced social media photos and IP data, unraveled a sophisticated social‑engineering attack by the Scattered Spider group, exposing the limits of VPNs, MAC spoofing, and legitimate tunneling tools.
1. Airport Arrest – What Was on the Hard Drives?
On April 10, 2026, 19‑year‑old Peter Stokes, a dual US‑Estonia citizen, was stopped at Helsinki Airport while attempting to board a flight to Japan. He is identified as a core member of the Scattered Spider (also known as Octo Tempest) hacking group. A 35‑page criminal indictment released by the Northern District of Illinois details more than 100 network intrusions linked to over $1 billion in ransomware payments.
2. A Phone Call Breached a Multi‑Billion‑Dollar Retail Defense
2.1 Attack Start: Social‑Engineering Phone Call
On May 12, 2025, the group targeted an unnamed luxury‑goods retailer (referred to as “Company F”). Instead of exploiting a software flaw, the attackers placed two Google Voice calls to the company’s IT help desk, impersonating employees and requesting password and MFA device resets. Within 2–3 hours three accounts, including two IT admin accounts, were compromised.
2.2 Lateral Movement Using Legitimate Tools
After gaining admin credentials, the attackers used the legitimate tools ngrok (a secure tunnel service) and Teleport.sh together with Amazon S3 to exfiltrate data. In three days they stole at least 77 GB of information.
2.3 Ransomware Attempt
The group tried to deploy ransomware, but the victim’s security team detected and evicted them. On May 15 the attackers sent a ransom note demanding $8 million; the company refused, incurring roughly $2 million in downtime and remediation costs.
3. Scattered Spider: A Brand, Multiple Operators
3.1 Real Member Profiles
Noah Urban ("Sosa"/"King Bob") – sentenced to 120 months for SIM‑swap attacks.
Thalha Jubair and Owen Flowers – pleaded guilty in London for a August 2024 attack that crippled the city’s transport system.
Tyler "Tylerb" Buchanan – pleaded guilty in April 2026.
3.2 DragonForce – Ransomware‑as‑a‑Service Ecosystem
Chat logs on Stokes’s server reference the RaaS brand DragonForce . An affiliate complained about a $500 login fee while claiming the group generated over $1 million in revenue.
4. The Real Catch: The Windows GDID That Never Goes Public
4.1 What Is GDID?
GDID (Global Device Identifier) is a persistent, device‑level identifier used by Microsoft to uniquely identify a Windows installation across Microsoft services.
"The global device identifier in the Windows ecosystem is a persistent, device‑level identifier designed to uniquely locate a Windows OS instance across specific Microsoft services."
In plain language: every time the device connects to the internet, Microsoft knows exactly which device it is.
4.2 Why Changing VPN and MAC Address Didn’t Help
Stokes used a proxy IP from the Tzulo hosting provider, believing he was invisible. The FBI did not chase a single IP; instead they cross‑referenced GDID activity with other account IP histories.
Snapchat and Facebook photos placed him in Paris, New York, Bangkok, and Dubai, wearing a diamond necklace labeled “HACK THE PLANET”.
A birthday message bragging about a database of wire‑transfer data matched the birthdate in US State Department records.
On Jan 8, 2025 the same IP accessed his Apple, Ubisoft, and Growtopia accounts within two minutes.
Individually these signals are noise, but their temporal and spatial overlap created an undeniable portrait.
4.3 Key Evidence: GDID 6755467234350028
The indictment’s page 9 reveals that at 19:21 UTC on May 12 2025, the computer bearing GDID 6755467234350028 accessed the ngrok signup page:
"https://dashboard.ngrok.com/signup"
Microsoft logs also show the GDID contacting multiple sites linked to the attack infrastructure, tying the identifier to the entire operation.
5. GDID’s Privacy Pitfall: Is Windows a Monitoring Tool?
5.1 DiagTrack – The Never‑Ending Telemetry Stream
The GDID is reported back to Microsoft via the DiagTrack (Connected User Experience and Telemetry) service, silently sending the identifier to the cloud.
Security expert Matthew Hiko tweeted, "Microsoft Windows is surveillance software."
5.2 Can Reinstalling Windows Remove GDID?
Microsoft documentation states GDID persists across updates but a fresh OS install generates a new GDID. However, the security community notes Microsoft can link new and old GDIDs through the Microsoft account login or IP address, effectively keeping the same profile.
5.3 Does Apple Have a Similar Issue?
Researcher Costin Lau asked on the "Three Friends" podcast whether Apple devices expose an equivalent hardware‑bound identifier, suggesting that true anonymity might require Linux or BSD with VPN/Tor.
6. Red‑Team Perspective: Lessons From the Case
6.1 Attacker View
Social‑engineering phone call – bypasses technical defenses.
MFA reset takeover – exploits the weak link in credential‑reset processes.
Legitimate tools (ngrok, Teleport, S3) – avoid detection.
VPN + proxy infrastructure – masks single‑point IP traces.
Even when each step is executed perfectly, OS‑level telemetry can stitch together a complete digital identity.
6.2 Defender View
MFA reset workflow is a critical blind spot; attackers obtain a fresh MFA token.
Behavioral baselines matter more than signatures; first‑time ngrok tunnels or large S3 uploads are suspicious in context.
GDID is a double‑edged sword: a powerful forensic tool for law enforcement but a hidden privacy risk for all Windows users.
7. Conclusion
The Peter Stokes case marks a watershed in cybersecurity history. It proves two points:
1. Social engineering remains the most effective entry vector – a single phone call, two credential resets, and admin access within three hours, without any zero‑day or malware.
2. OS‑level telemetry, exemplified by the hidden GDID, has become the core battlefield of digital forensics. Its exposure sparks intense debate over privacy boundaries.
For ordinary users, the harsh truth is that device privacy is far less than assumed. For security professionals, the case underscores that attackers already understand defenders’ blind spots, and defenders must start monitoring the unseen system‑level data streams.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
