Microsoft’s advanced telemetry capabilities have played a pivotal role in identifying a suspected member of the Scattered Spider hacking group, despite the individual’s attempts to conceal their identity through a VPN. This revelation comes from a recently unsealed criminal complaint against Peter Stokes, a 19-year-old dual U.S. citizen, whose extradition to the United States was reported last week.
Investigative Techniques Unveiled
The investigation relied on a multifaceted approach, utilizing Microsoft’s Windows telemetry alongside provider records, VPN logs, social media evidence, and infrastructure seized during the inquiry. While VPNs are typically effective in masking an individual’s internet connection, Microsoft was able to link the suspect’s activities to a consistent Windows device identifier that persisted across various online platforms.
At the heart of the complaint is a significant cybersecurity breach that occurred in May 2025 at a luxury jewelry retailer, which allegedly resulted in the theft of approximately 77 GB of sensitive data and an million ransom demand. During this incident, the attackers reportedly established a persistent connection to the victim’s network via an ngrok account, which was traced back to an IP address belonging to a VPN proxy server operated by Tzulo in Mount Prospect, Illinois.
Typically, a VPN endpoint would provide minimal insight into the user behind the connection. However, investigators noted that Microsoft’s visibility extended beyond mere IP addresses. The complaint details how Microsoft recorded that the device responsible for creating the ngrok account was associated with a Global Device Identifier (GDID)—a unique identifier linked to a specific Windows installation that remains unchanged through operating system updates and is only regenerated upon reinstallation of Windows.
Crucially, Microsoft’s records indicated that the same Windows device accessed ngrok’s signup page precisely when the malicious account was created. Investigators assert that this GDID was also detected accessing Microsoft services from the same VPN infrastructure utilized during the attack, including the .168 VPN server used to register the ngrok account. Approximately three hours later, the same device allegedly accessed the victim company’s website through that VPN connection.
The FBI subsequently correlated the GDID with activities across Stokes’ Apple, Snapchat, and Facebook accounts. Prosecutors argue that the Windows device consistently shared identical IP addresses with accounts already linked to Stokes, including residential connections in Tallinn, Estonia, and public IP addresses noted during his travels in New York, as well as hotel and mobile connections utilized during trips to Thailand. The complaint also references travel records and Snapchat posts that purportedly placed Stokes in these locations at the relevant times, enabling investigators to connect the Windows device to its user despite the VPN’s presence during the alleged intrusion.
Moreover, the complaint emphasizes that Microsoft telemetry was merely one element of a comprehensive array of evidence. Investigators also referenced server logs recovered from infrastructure allegedly associated with Scattered Spider, along with records from ngrok, Google, Teleport.sh, and various cloud providers, as well as seized social media accounts, all of which they claim independently corroborate the attribution.
This case serves as a poignant reminder that while VPNs are designed to obscure network paths, they do not necessarily conceal device identity. Modern operating systems and online services generate a plethora of persistent identifiers and behavioral signals that, when aggregated with provider records and legal processes, can enable investigators to correlate activities across seemingly disparate accounts and sessions.
If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.