A newly released court filing has revealed that a unique Windows device identifier played an important role in helping the FBI identify and trace an alleged member of the Scattered Spider cybercrime group. Investigators said Microsoft provided technical information that helped connect the suspect’s Windows device to online activity. The case has drawn attention because it shows how device telemetry can support criminal investigations. It has also sparked fresh discussions about digital privacy and security.

windows-security-device-telemetry-cybercrime-investigation

The suspect has been identified as 19-year-old Peter Stokes, a dual U.S.-Estonian citizen. According to the U.S. Department of Justice, he is accused of being involved with the Scattered Spider hacking group, which is also tracked by security researchers under names including Octo Tempest, UNC3944, and Oktapus. Authorities arrested him in Helsinki, Finland, while he was reportedly preparing to board a flight to Japan. He was later extradited to the United States to face multiple criminal charges.

The investigation mainly focused on a cyberattack carried out in May 2025 against a U.S.-based luxury jewelry company. Prosecutors allege that the attackers contacted the company’s IT help desk while pretending to be employees. By convincing staff to reset account credentials, they gained access to company systems, including administrator accounts. The attackers later demanded an $8 million cryptocurrency ransom after stealing sensitive business data.

helsinki-finland-airport-fbi-hacker-arrest

Although the company successfully regained control of its systems without paying the ransom, investigators said the attack still caused around $2 million in operational losses. During the investigation, Microsoft shared information with the FBI that included a Global Device Identifier, also known as GDID. This identifier is linked to a specific Windows installation and can help associate a device with certain online activities. Investigators used this information as part of the evidence collected in the case.

According to the court documents, the suspect allegedly tried to hide his identity by using a VPN and the secure tunneling service Ngrok. However, investigators claim that the Windows GDID remained consistent and helped connect different internet sessions to the same device. The FBI also compared the timing of these records with other digital evidence. This helped strengthen the connection between the device and the alleged online activity.

vpn-ngrok-anonymity-cyber-investigation

The investigation did not rely only on Microsoft data. Court filings state that records from services such as Snapchat, Apple, and Facebook were also reviewed to compare login activity with the device’s internet history. Investigators found several instances where account logins closely matched the same IP addresses and timeframes linked to the Windows device. Prosecutors say these combined records helped build a stronger timeline of the suspect’s movements.

Authorities also said Peter Stokes was carrying two hard drives when he was arrested in Finland. Investigators believe the drives contained evidence relevant to the case. Court documents further note that law enforcement had been aware of his identity since 2024, but legal action was delayed because he was a minor and was living outside the United States. He has since appeared before a federal court in Chicago and remains in custody while the legal process continues.

federal-court-cybercrime-prosecution-gavel

The case has generated wider discussion within the cybersecurity community because it highlights how operating system telemetry can assist criminal investigations. While officials say the information helped identify an alleged cybercriminal, privacy experts have also raised questions about how much device data is collected and how it may be used. The legal proceedings against Peter Stokes are still ongoing, and the allegations have not yet been proven in court. The investigation remains part of broader efforts to disrupt the activities of the Scattered Spider cybercrime group.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news