Microsoft's telemetry capabilities helped identify Peter Stokes, a 19-year-old suspected member of the Scattered Spider hacking group, despite his use of a VPN. The investigation revealed a significant cybersecurity breach in May 2025 at a luxury jewelry retailer, leading to the theft of approximately 77 GB of sensitive data and a ransom demand. Investigators linked Stokes to the breach through a Global Device Identifier (GDID) associated with a Windows device that created an ngrok account used in the attack. This device accessed various online platforms and shared IP addresses with Stokes' accounts on Apple, Snapchat, and Facebook, corroborated by travel records and social media posts. The evidence included server logs from Scattered Spider's infrastructure and records from ngrok and other providers.