
Your Windows is watching you. The US Justice Department's complaint against Peter Stokes for alleged involvement in the Scattered Spider hacking group offers a reminder that it's difficult to hide online activity from Microsoft's operating system (or any other). Scattered Spider, according to US authorities, targeted numerous companies in the US by compromising employee accounts in order to access more than 100 corporate networks and exfiltrate or encrypt data that would be ransomed for payment. The group is said to have obtained over $100 million in ransom payments. The complaint, arrest, and extradition of Stokes relied in part on a Microsoft Windows Global Device Identifier (GDID), among other telemetry records, to link online activity to the suspect. "According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios," explained FBI special agent Ali Sadiq in an affidavit accompanying the DOJ's criminal complaint. The court filing also notes that Microsoft made criminal referrals to the DOJ implicating Stokes. It points to an October 2024 referral that cites online service telemetry that company security researchers believe linked Stokes to other hacking group members. Social media posts relevant to Scattered Spider, supposedly sent and received by Stokes, look unlikely to help his defense. The affidavit says that members of Scattered Spider used a web tunneling tool called ngrok to avoid network barriers and maintain access to compromised servers, as well as a VPN service called Tzulo. Investigators obtained IP address records from ngrok and the VPN provider and then obtained records from Microsoft that matched the time when that ngrok account had been set up on a Windows machine through a specific GDID. "According to Microsoft records, on or about May 12, 2025, at 19:21 UTC - when, according to ngrok records, the ngrok account was created - the device with the GDID accessed, among other ngrok pages, '
https://dashboard.ngrok.com/signup,' the ngrok page to set up an ngrok account," the affidavit explains. Microsoft's GDID records also showed that the Windows device with that GDID accessed Tzulo servers assigned to the IP address identified by ngrok. And the GDID was subsequently linked to an IP address in Estonia where Stokes resided. The Windows GDID, or at least the infrastructure for it, is said to date back to the release of Windows 10 in 2015. The GDID itself doesn't show up much in online documentation until 2021 or thereabouts. According to a developer writeup posted to GitHub, wlidsvc (Microsoft Account service) provisions the device with login.live.com and gets back a device PUID. The identifier is then stored in the registry. The Connected Devices Platform (cdp.dll / CDPSvc) reads it and registers it into the Device Directory Service (DDS) graph. And after that, Delivery Optimization reports it as the documented UCDOStatus.GlobalDeviceId. Apple maintains similar identifiers, including a hardware UUID and a DSID (Destination Signaling Identifier) [PDF] tied to iCloud, among others. Linux also supports a machine-id. And when presented with a lawful demand for information, most service providers will cooperate and provide whatever information they store. (R)