Microsoft Device ID Used to Track Scattered Spider Hacker

Microsoft Device ID Used to Track Scattered Spider Hacker

First seen 6 Jul 2026, 23:49 UTC Itnews.AuUk.PcmagCybersecuritynewsGbhackersThehackernews+1 87% similarity 48.9

Article Content

Browse articles
ThreatCluster

Peter Stokes, a 19-year-old hacker, was arrested in Finland on April 10, 2026, for allegedly being part of the Scattered Spider hacking group. The FBI linked him to a US$8 million ransom demand against a luxury retailer using a Microsoft Global Device ID (GDID). Despite using a VPN, Stokes' GDID was identified through Microsoft telemetry and ngrok access records. The FBI's investigation revealed that Stokes' GDID was associated with multiple IP addresses across different countries, corroborated by Snapchat and Apple account access logs. Stokes faces six charges, including conspiracy and extortion, as part of a broader crackdown on the Scattered Spider group, which has been linked to over 100 attacks and more than US$100 million in extortion. The case raises concerns about user privacy and the potential for abuse of device tracking technologies.

Key Points: • Peter Stokes was arrested for his involvement with the Scattered Spider hacking group. • Microsoft's Global Device ID was crucial in linking Stokes to his alleged crimes. • The case highlights concerns over user privacy and potential surveillance via device identifiers.

ThreatCluster AI

Timeline

2025-05-12
Stokes allegedly hacked luxury retailer
Peter Stokes is accused of exploiting a web development tool to breach a luxury jewelry retailer's network.
Uk.Pcmag
2026-04-10
Stokes arrested in Finland
Peter Stokes was apprehended while trying to board a flight to Japan, facing multiple hacking charges.
Itnews.Au
2026-07-06
Microsoft's role in investigation revealed
Reports detailed how Microsoft telemetry helped the FBI track Stokes using his Global Device ID.
Uk.Pcmag
2026-07-07
Details of the case published
Federal complaints outline the use of GDID and other telemetry in linking Stokes to extortion activities.
Cybersecuritynews

Community

Browse all →