Press TechRound interviews Secure.com CEO on the future of AI security
Read

A Hidden Windows ID Helped the FBI Catch a Scattered Spider Suspect

A hidden Windows device ID helped the FBI tie a 19-year-old to Scattered Spider ransomware attacks and led to his arrest and charges.

Dateline: July 7, 2026 

Inside the Digital Trail That Cracked a Scattered Spider Case

Most people never think about the quiet ID that Windows carries under the hood. One alleged hacker probably wishes he had. That small identifier helped the FBI tie a 19-year-old to a wave of Scattered Spider attacks and put him in handcuffs.

What Happened? 

Federal prosecutors say Peter Stokes, a dual U.S. and Estonian citizen, ran with the Scattered Spider crew under names like Bouquet, Spencer, and Jordan. The group is also tracked as Octo Tempest, UNC3944, and 0ktapus.

The break in the case came from a Global Device Identifier, or GDID. It is a stable ID that marks a single Windows install across some Microsoft services. It survives operating system updates and only resets on a fresh install.

According to an FBI affidavit, one GDID set up an account for ngrok, a tunneling tool, at the exact minute an attack kicked off against a luxury jewelry retailer in May 2025. The same device later browsed the victim’s site through a VPN proxy.

From there, agents connected the dots. They matched IP addresses tied to that device against login records from the suspect’s Snapchat, Facebook, and Apple accounts. On several dates, from Tallinn to New York to Thailand, the device and his personal accounts logged in from the same IPs within hours. Travel records and hotel photos he posted online backed it up.

The attack itself followed the classic Scattered Spider playbook. It started with phishing calls to the company’s IT help desk using spoofed numbers. Staff were tricked into resetting multifactor authentication on three accounts, two with admin rights. The crew then stole about 77 gigabytes of data and demanded an 8 million dollar ransom, which the company refused to pay.

What’s the Impact? 

Prosecutors link Scattered Spider to more than 100 break-ins and over 100 million dollars in ransom payments, hitting everything from insurance to critical infrastructure.

A seized server tied to the case held stolen files from at least a dozen more victims. It also held a custom Telegram bot and virtual Android phones loaded with Okta and Azure Authenticator apps, used to beat MFA.

The suspect was picked up in Finland in April 2026 as he tried to board a flight to Japan. He now faces charges including computer fraud, wire fraud, and extortion.

The takeaway for defenders is bigger than one arrest. Device-level data, once used mainly to catch payment fraud, is turning into a serious tool for pinning cybercrime on real people. But that is forensics after the damage is done. The break-in still worked because a help desk trusted a phone call.

How to Avoid This 

The attack path here is familiar, so the fixes are practical:

  • Train help desk staff to verify identity before resetting MFA or passwords. A confident caller is not proof of anything.
  • Add strong checks for high-risk actions like MFA resets on admin accounts. Require a second approver.
  • Move to phishing-resistant MFA such as hardware keys, which are far harder to socially engineer around.
  • Watch for odd tunneling tools like ngrok and unusual data transfers to services like S3 leaving your network.
  • Flag logins and privilege changes that do not fit normal patterns, then investigate fast before 77 gigabytes walks out the door.

When a Phone Call Can Reset Your Admin Access, Trust Needs Backup 

Scattered Spider does not break your firewall. They talk their way past your people, then move fast. Secure.com gives you AI Digital Security Teammates that watch for the moves a smooth phone call cannot hide.

  • Catch suspicious MFA resets and privilege changes as they happen, not in next week’s log review.
  • Spot unusual tunneling tools and large outbound transfers before the data is gone.
  • Flag logins that break a user’s normal location and device pattern.
  • Connect identity, endpoint, and cloud signals so one weird event does not slip through.
  • Give lean teams around-the-clock eyes without adding night shift staff.