Windows 11 identifier code used to track Scattered Spider perp after Microsoft shared info with FBI — 19-year-old US-Estonian hacker arrested over alleged ties to infamous extortion group
The Department of Justice, with the help of the FBI and Finland’s National Bureau of Investigation, has arrested a teenager it says is part of Scattered Spider. 19-year-old Peter Stokes is a dual U.S.-Estonian citizen who was trying to board a flight to Japan from Helsinki when law enforcement caught up with him. Microsoft’s GDID also played a part in Stokes being apprehended. The accused is now awaiting trial, having been charged with conspiracy, cyber intrusion, and fraud.
Scattered Spider is one of the biggest cybercrime syndicates on the planet, having extorted over $100 million in ransom payments, according to the DOJ. The group also operates under the names Octo Tempest, UNC3944, and Oktapus, and is renowned for its social engineering tactics. As such, the main criminal complaint against Stokes stems from a May 2025 attack on a luxury jewelry dealer based in the United States.
The attackers apparently called the company’s IT help desk using Google Voice, posing as employees. They were able to convince the help desk to reset their credentials, which allowed them to infiltrate three accounts, two of which had admin privileges. From there, the group, allegedly including Stokes, stole important data and held the jeweler to ransom, demanding an $8 million payment in crypto.
The company ultimately regained access to their infrastructure and avoided paying the ransom, but the operational disruption still caused a purported $2 million in losses. This served as the spark that led to Stokes’ eventual arrest in Helsinki, as the prosecutors slowly followed the paper and digital trail laid by the attackers. Microsoft played a key role in the process by providing GDID data to the FBI to help them apprehend the alleged criminal.
GDID stands for Global Device Identifier; it’s a unique identifier assigned to every Windows install that tracks device-specific telemetry. It’s the reason why sometimes changing a major component in your PC can revoke your Windows license. Anyhow, the court documents from the case reveal that Stokes used Windows, from which investigators were able to link his physical hardware to specific internet activity and locations.
> Peter Stokes
> Scattered Spider guy
> Arrested
> Microsoft helps FBI
> Read court documents
> Page 12
> Microsoft tracks Stokes from GDID
> Microsoft Global Device Identifier (GDID)
> Stokes used Windows
> Page 34
> GDID assigned to each OS install
> GDID unique to each device… pic.twitter.com/f0fuz0uoMa
July 4, 2026
From what we can tell, GDID pretty much had a comprehensive report on Stokes ready before the prosecution even built its case, and it was only a matter of connecting the dots. Stokes’ web activity, videogame history, IP addresses, tool usage (including Ngrok), Azure status, and more were logged with timestamps and provided to the investigators by Microsoft.
Of course, this raises questions over just how granular and potentially invasive Microsoft’s telemetry can be. In this case, it was used to arrest an alleged hacker, but what if someone else, someone with malign intentions, were to get access to all this data instead? Tech-savvy consumers have complained about Windows’ excessive telemetry for a long time; the whole debloating culture is a byproduct of this precedent, but GDID is not something you can remove or disable with the click of a button.
Nevertheless, Stokes was carrying two hard drives full of incriminating evidence with him when boarding his flight to Japan, so that helped, too. His real identity has actually been known since 2024, but since he was a minor living across Estonia and the UAE at the time, he could only be monitored until the time was right. Following the arrest, Stokes was extradited to the U.S., where he appeared in front of a federal court in Chicago for the first time on June 30, 2026, and he remains in custody.