Peter Stokes allegedly ran his VPN. He allegedly tunneled through ngrok. He used aliases, VeraCrypt references, Google Voice numbers, and a jewelry-heist ransom note routed through anonymous email. Then investigators found the quieter trail: the same Windows Global Device Identifier (GDID) appearing alongside IP addresses also used by accounts tied to him.

TL;DR

  • A 19-year-old US-Estonian dual citizen, Peter Stokes (“Bouquet”), was extradited to Chicago in July 2026 for an alleged Scattered Spider intrusion that demanded $8 million from a luxury jewelry retailer.
  • The forensic breakthrough wasn’t the VPN, the RDP logs, or the ngrok token — it was a GDID (Global Device Identifier), a Microsoft telemetry value tied to a single Windows installation, not to an account, IP, or user identity.
  • The GDID stayed constant across VPN proxies and residential IPs in multiple countries — letting investigators correlate one Windows installation with accounts tied to Snapchat, Apple, Facebook, and Ubisoft.
  • Microsoft records and legal process gave investigators historical device/IP correlations, which is precisely the kind of telemetry many operators assume a VPN erases.
  • The lesson runs both ways: red teamers need to know what actually survives a VPN hop, and blue teamers/investigators now have a sworn federal affidavit showing device-level telemetry succeeding where IP-only tracking would have stalled.

Why This Case Matters

Most “VPN didn’t save the hacker” stories turn out to be sloppy OPSEC — a reused password, a personal email in a WHOIS record, a Telegram handle tied to a real name. This one is different: the complaint describes a device-level identifier that persisted outside the network-layer problem a VPN is meant to solve.

If you do red team, threat intel, or DFIR work, this is a rare public example of how Microsoft-side device telemetry can become an attribution pivot — and it shows which assumptions to test before relying on network-layer anonymity.


Table of Contents


The Breach: $8 Million in Diamonds and Crypto

According to the superseding criminal complaint filed in the U.S. District Court for the Northern District of Illinois (Case No. 25 CR 812), the intrusion into “Company F” — a multibillion-dollar luxury-item retailer — ran from May 12 to May 15, 2025.

It started the way most Scattered Spider intrusions start: not with an exploit, but with a phone call. Threat actors phoned Company F’s IT help desk from two Google Voice numbers, impersonated employees, and talked the help desk into resetting credentials — including multi-factor authentication (MFA) enrollment. Within two to three hours, they had compromised three accounts, two of which belonged to IT administrators with high-privilege access.

From there, they pivoted into Company F’s virtual server infrastructure in a New Jersey data center and installed ngrok, a legitimate tunneling tool normally used by developers to expose local services to the internet. Combined with a utility called Teleport.sh and Amazon S3 for staging, they exfiltrated at least 77 gigabytes of data over three days — despite Company F’s security team actively trying to block them.

On May 15, the actors emailed a ransom note from a compromised Company F account: “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic].” They claimed 100GB of stolen data, including payment card information, and threatened to leak it. Negotiations dragged into June, ending with a demand of “$8million.” Company F refused to pay. Their own security team had already evicted the intruders — but the disruption, investigation, and mitigation still cost the company roughly $2 million.

This is a textbook Scattered Spider (also tracked as Octo Tempest, UNC3944, and 0ktapus) operation: social engineering the help desk to bypass MFA, not exploiting code. MITRE ATT&CK Group G1015 documents dozens of techniques tied to this group, with help-desk impersonation, credential resets, MFA bypass, and valid account abuse near the center of the playbook.


What Actually Went Wrong: Following the Ngrok Trail

Here’s where the case stops being a routine ransomware writeup and becomes a forensics lesson.

Investigators pulled ngrok’s own account records. On May 12, 2025, at 19:21 UTC, an ngrok account was created and assigned to authenticate a tunnel into Company F’s network. Standard stuff — except ngrok logs the IP address used to create the account, not just the IP used to connect through the tunnel.

That signup IP ended in .168, and it resolved to a VPN proxy service hosted on infrastructure in Mount Prospect, Illinois — coincidentally the same town where the actual intrusion took place. On paper, this looks like a dead end: a VPN exit node tells you nothing about who’s behind it.

Except Microsoft doesn’t just see an IP address. It sees a device.


The GDID: What It Is and Why a VPN Can’t Touch It

The affidavit, sworn by FBI Special Agent Ali Sadiq, spells out the mechanism directly. Quoting the complaint verbatim:

“According to Microsoft records, the ngrok account was set up through Global Device Identifier g:6755467234350028 (‘the GDID’). According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device […] across certain Microsoft services and scenarios. A GDID is a globally unique identifier tied to the installation of Windows on a device. A GDID remains consistent across Windows operating system updates on a device, but a reinstall of Windows, either on the same device or on a different device, will be tied to a new unique GDID.”

Read that carefully, because the scope is the whole point. A VPN, a proxy chain, or Tor all operate at the network layer — they change what IP address a packet appears to come from. The GDID is not a network artifact. According to the affidavit, it is tied to a Windows installation and visible to Microsoft across “certain Microsoft services and scenarios.” In this case, Microsoft’s records tied that identifier to the ngrok signup activity and a later visit to Company F’s website.

That means the VPN did exactly what it was supposed to do — it hid the network path. It just never had anything to say about the machine sitting behind it.

Three hours after the ngrok account was created, Microsoft records show the same GDID accessing “[Company F].com” from that same .168 proxy address — placing the ngrok setup and the later visit to the victim’s website on the same Windows installation, whether physical or virtual.


Connecting the Dots: One Device, Three Countries, Five Accounts

A GDID on its own only proves “this is one Windows installation.” It doesn’t come with a name attached. The complaint’s next move is the part worth studying if you do attribution work: correlating that anonymous device identifier against accounts that touched the same IP addresses over time, across services that have nothing to do with each other.

Investigators obtained a reverse court order (18 U.S.C. § 2703(d)) covering two residential Estonian IP addresses believed linked to Stokes, and cross-referenced Microsoft’s returns against RDP connection logs, Apple account access logs, and Snapchat account records. The pattern that fell out:

DateGDID-linked IPGeolocationSame IP also used for
Jun 4, 202491.129.97.xTallinn, EstoniaSubject Facebook + Snapchat accounts (same day)
Nov 17–18, 2024207.237.190.xNew York, NYSubject Apple + Snapchat accounts (same day)
Feb 2, 2025110.170.208.xThailandSubject Snapchat + two Apple accounts (same day)
Jan 7–8, 2025213.35.168.xTallinn, EstoniaUbisoft/Growtopia gaming account, Apple account

The full IP addresses are in the FBI affidavit. They are partially masked here because several are residential or location-linked addresses that may later belong to unrelated users.

The New York and Thailand entries were then physically corroborated: State Department travel records placed Stokes in New York from November 15–18, 2024, and Snapchat images from the account showed him at the Four Seasons and Waldorf Astoria New York, plus a UFC event that took place there on November 16. For Thailand, he’d posted a photo holding a “Waldorf Astoria Bangkok” water bottle the same week the GDID’s IP geolocated there. Investigators even matched the carpet and wallpaper pattern in one of his own Snapchat photos to a New York hotel’s publicly listed room photos.

None of this required breaking encryption or defeating the VPN. It required patience, legal process, and one identifier that sat outside the part of the stack the VPN was designed to hide.


Who Is Peter Stokes

Stokes, using the monikers “Bouquet,” “Spencer,” and “Jordan,” is alleged to have been active in Scattered Spider since at least 2023, tied to intrusions at multiple companies referenced in the complaint only as “Company H” through “Company U.” Microsoft’s own threat intelligence team had already flagged the “spencer” persona in an October 2024 criminal referral, assessing it as “likely true name Peter Stokes” based on independent telemetry — before the GDID evidence in this complaint was assembled.

Snapchat records paint the rest: images of a diamond-encrusted chain reading “HACK THE PLANET” — a line lifted from the 1995 film Hackers — alongside stacks of cash and international travel to Paris, Dubai, Thailand, and multiple luxury hotels, when he was about 17 to 18. Chat logs include a Sopranos-themed meme labeling group members with mafia character names, and a VeraCrypt joke about a fellow member evading a supposed FBI raid (“Guys he’s veracrypted gg”).

He was arrested in Finland on April 10, 2026, while attempting to board a flight to Japan, on an Interpol Red Notice. He was carrying two 2TB external hard drives. He was extradited to the United States and made his first appearance in federal court in Chicago on July 1, 2026. As the Justice Department is careful to note, a complaint is only an allegation — Stokes is presumed innocent unless proven guilty.


OPSEC Lessons for Red Teams

If you run red team infrastructure — or you’re evaluating what an adversary emulation actually needs to hide — this case is a checklist of what a VPN does not cover:

  • Treat reused Windows images as linkable until proven otherwise. The GDID described in the affidavit is tied to the Windows installation, not just the outward-facing IP address. If engagements need to stay unlinkable, validate whether your build process creates fresh device identifiers instead of carrying them forward.
  • Never let an operational machine touch a personal Microsoft-integrated account — Xbox, OneDrive, a synced browser profile, even a Microsoft Store app signed in with a personal ID. That’s the bridge between an anonymous GDID and a named human.
  • Assume cross-service correlation is possible even when the target service is not Microsoft-owned. In this case, Microsoft records, Snapchat records, Apple records, Facebook records, Ubisoft records, and IP timing became mutually reinforcing evidence.
  • A VPN protects your source IP. It does not protect device-level or account-level telemetry generated above the network layer. Treat those as separate threat surfaces with separate mitigations.
  • The field itself was never secret — it just lived in the wrong documentation. Microsoft’s own Azure Monitor schema reference for the UCDOStatus table (used for enterprise Windows Update reporting) lists a GlobalDeviceId column, described only as “Microsoft global device identifier… used by Microsoft internally,” sitting next to City, Country, and ISP fields. If you’re validating whether an engagement image is unintentionally enrolled somewhere queryable, Update Compliance / Delivery Optimization schemas are worth checking — independent of the unverified generation-mechanism claims below.

This is the same category of mistake covered in our Entra ID device registration and PRT theft piece — identity and device-bound tokens keep working regardless of which IP you present them from.


Detection Lessons for Blue Teams

For defenders and investigators, this case validates a specific idea: device-level identifiers, not just IP or account telemetry, can be a legitimate investigative pivot for tying anonymized infrastructure back to a real actor.

Practical takeaways:

  • If your organization runs Microsoft 365 / Entra ID, do not assume account names and IP addresses are the only useful pivots. Microsoft-side device identifiers may exist, and in this case they were obtainable through legal process.
  • Criminal referrals from vendors like Microsoft — as happened here before the arrest — are a real and underused channel. Cybersecurity researchers inside large platforms already do the clustering work described in this affidavit as threat-tracking practice, not a one-off favor to the FBI.
  • When building your own incident timelines, don’t discard “unrelated” service logins as noise. In this case, Snapchat, Apple, Facebook, Ubisoft, Microsoft, ngrok, and RDP records became useful because investigators compared timing and IP overlap across sources that normally sit in separate boxes.

Why this took a court filing to surface, instead of a privacy researcher: The GlobalDeviceId field is not new or hidden — Microsoft has documented it for years in the Azure Monitor schema for the UCDOStatus table, part of enterprise Windows Update reporting. It was sitting in IT-admin-facing documentation, not in the consumer telemetry/privacy-research literature that usually gets adversarial scrutiny — two audiences that rarely read each other’s docs. Independent researchers have since published early technical write-ups attempting to reverse-engineer exactly how the identifier is generated and transmitted client-side. Those specifics are not confirmed by Microsoft or by any court filing, so treat them as a working hypothesis worth watching rather than an established mechanism — this is a case where the correlation power was demonstrated by legal process well before the underlying plumbing was independently verified.

For more on how attribution actually gets built from imperfect OPSEC rather than a single smoking gun, see our writeup on TeamPCP’s supply chain compromises, and for the broader arrest landscape this case fits into, how Europol is catching cybercriminals in 2026.


What You Can Do Today

You don’t need to be running a ransomware crew for this to matter. The same telemetry model applies to any Windows device you’re responsible for securing or investigating.

  1. Inventory what “anonymous” actually means in your environment. If a Windows installation touches Microsoft-observed services, do not assume a VPN makes that device anonymous to Microsoft — plan your threat model accordingly.
  2. For DFIR teams: when requesting legal process against Microsoft, ask specifically about device identifiers, not just account or IP records — this case shows they can be the strongest correlating evidence available.
  3. For red teams and pentesters: rebuild engagement VMs from a clean OS image per engagement, and never let engagement infrastructure touch a personally-identifiable Microsoft account, even briefly.
  4. For everyone else: remember that a VPN is one layer of a stack. Device fingerprints, account telemetry, and behavioral correlation across unrelated services can all survive a VPN hop untouched.


Sources

A complaint is an allegation, not a conviction. All individuals named are presumed innocent unless and until proven guilty in a court of law.