A 19-year-old, identified as Peter Stokes, found himself detained at Helsinki airport in April 2026 while en route to Japan, carrying two 2TB hard drives. His travel plans were abruptly halted due to an Interpol Red Notice, leading to a federal complaint from U.S. prosecutors by July. Stokes is alleged to be part of the Scattered Spider hacking group, implicated in a May 2025 breach of a U.S. luxury jewelry retailer that culminated in an million ransom demand. This incident, however, is not merely a tale of youthful indiscretion; it highlights the role of technology in modern investigations, particularly the Global Device Identifier (GDID) developed by Microsoft.
What is GDID, and where does it come from
The GDID, as described by a Microsoft representative in the complaint, is a “persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios.” Essentially, the GDID serves as a permanent digital fingerprint assigned to a computer upon the installation of Windows or when signing into a Microsoft account. While primarily used for software licensing and managing Windows Store apps, it also links all online activities back to a single identity, enabling law enforcement to trace a device’s true owner across the internet.
This identifier remains intact through Windows updates but does not survive a clean reinstall. Microsoft acknowledges that a single user could have multiple GDIDs throughout the lifespan of their account. Despite its significance, Microsoft has provided scant information about the GDID, with only a single mention in their Azure Monitor documentation, leaving independent researchers to reverse engineer its workings.
How Windows generates a GDID
The generation of a GDID begins with the Microsoft Account service. When a device is provisioned against a Microsoft Account, a system service known as wlidsvc communicates with login.live.com to retrieve a Device PUID (Passport Unique ID). This ID is not computed locally but is assigned by the server and stored in the registry. The Connected Devices Platform then reads this PUID and registers it within Microsoft’s Device Directory Service, where it is transformed into a GDID format.
In simpler terms, when a user signs into Windows with a Microsoft Account, a permanent ID is assigned and stored locally. This ID is accessed by various background services and reported back to Microsoft during activities such as software updates. Reinstalling Windows results in a new GDID, but Microsoft retains the ability to link this new identifier back to the user’s previous activities through their account.
How the FBI used GDID to catch Stokes
Stokes’ downfall was largely due to his use of the same Windows device for all his activities, allowing the GDID to connect the dots after the fact. Members of the Scattered Spider group contacted the jewelry retailer’s IT help desk, impersonating locked-out employees to reset accounts and subsequently installed a tunneling tool to bypass network defenses. They exfiltrated approximately 77 gigabytes of data to Amazon cloud storage and attempted to deploy ransomware, ultimately demanding million in cryptocurrency.
When investigators subpoenaed ngrok, they discovered the account used in the attack had been created from a VPN proxy IP address. However, the GDID provided a more reliable trail. Microsoft’s records indicated that at the same time the ngrok signup occurred, a Windows device with GDID g:6755467234350028 had accessed the signup page. This same GDID later visited the retailer’s website through the same proxy, providing a consistent link that did not change like typical VPN exit nodes.
As the investigation progressed, agents compiled a timeline of IP addresses associated with the GDID, cross-referencing them with known logins to accounts linked to Stokes. This meticulous approach revealed a pattern of activity across multiple countries, ultimately leading to Stokes’ identification.
Why this bothers privacy researchers, even with a hacker caught
While there is no dispute regarding the appropriateness of Stokes’ arrest, privacy advocates express concern over the implications of the GDID system. Prominent malware researcher Costin Raiu raised questions about the existence of similar identifiers on other platforms, while Matthew Hickey labeled Windows as “surveillance software.”
Two primary concerns arise from this case:
- There is no consent mechanism for the assignment of a GDID. Unlike Apple and Android, which require user prompts for tracking identifiers, the GDID is automatically assigned upon signing into a Microsoft Account, with no visible option to reset it.
- Windows activation processes send hardware information to Microsoft, linking identifiers back to the user’s account. This makes it challenging to prevent the assignment of a GDID without risking software activation issues.
Although all major operating systems maintain some form of persistent device identity, Microsoft’s approach raises questions about transparency and user control compared to competitors like Apple and Google.
What you can do about it
Reinstalling Windows does not provide a straightforward solution, as users will receive a new GDID that can still be linked to their previous activity. Instead, consider the following measures:
- Utilize a local account instead of a Microsoft Account, although this option has become increasingly difficult to navigate.
- Disable optional diagnostic data under Settings > Privacy & security > Diagnostics & feedback.
- Block Advertising IDs by turning off personalized ads and tracking under Privacy & security > Recommendations & offers.
- Disable Cloud Search by turning off Cloud Content Search from Privacy & security > Search.
- Consult guides on removing unwanted AI features and background services from Windows 11.
- For sensitive activities, consider using Linux routed through Tor instead of Windows, as the GDID remains tied to the Windows installation regardless of the VPN used.