He Thought He Was Invisible with VPN and Tunneling: A Hidden Code in Windows 11 Betrayed Him
For years, Windows telemetry has been at the center of the debate between those who see it as a useful tool to improve the operating system and those who consider it a potential risk to privacy and a burden on performance.
A recent court case in the United States, however, shows how one of the data collected by the operating system can also take on an investigative role: the Windows Global Device Identifier (GDID) has indeed helped to link a computer to a series of cyberattacks attributed to the cybercriminal group Scattered Spider.
The U.S. Department of Justice announced the arrest and extradition from Finland of nineteen-year-old Peter Stokes, a U.S. and Estonian citizen, accused of conspiracy, computer fraud, and unauthorized access to systems. According to the charges, the young man was part of Scattered Spider, an organization also known by the names Octo Tempest, UNC3944, and 0ktapus, which is believed to be responsible for over 100 cyber intrusions and ransom demands totaling more than $100 million.
The investigation focused, among other incidents, on an attack that occurred in May 2025 against a luxury jewelry retailer. According to investigators, the attackers contacted the company’s IT support service by posing as employees, convincing the staff to reset the access credentials. After obtaining three accounts, two of which had administrative privileges, the group stole sensitive data and made a ransom demand of approximately 8 million dollars in cryptocurrency. The company did not pay, but still suffered estimated damages of at least 2 million dollars due to business disruption, investigations, and recovery operations.
One of the technical elements used by investigators was the Global Device Identifier (GDID), an identifier associated with every installation of Windows. This code, generated based on certain hardware characteristics of the system, is also used by the Windows license activation mechanism: substantial changes to the PC's configuration can indeed result in the generation of a new identifier and require a new activation of the operating system.
According to the prosecution's documents, the GDID was detected in authentication logs, communications with cloud services, and metadata collected during activities attributed to the attackers. The presence of the same identifier in connections to remote servers, command and control infrastructures, and compromised systems allowed investigators to link seemingly unrelated operations to the same Windows installation.
Authorities claim that Stokes attempted to mask his identity through a VPN and by creating an account on the ngrok tunneling service, designed to obscure the origin of network traffic. However, those measures were not sufficient to conceal the GDID. Following a court order, Microsoft provided the identifier to the authorities, who cross-referenced it with ngrok's timestamp records, IP addresses observed between Tallinn, New York, and Thailand, and accesses to personal accounts, including Snapchat, Apple, and Facebook.
Investigators also stated that during the arrest at Helsinki airport last April - when the nineteen-year-old was about to board a flight to Japan - two hard drives containing material deemed relevant to the investigation were seized. Forensic analysis confirmed the match between the GDID present in the remote logs and that of the physically seized computer, along with the presence of hacking tools, configurations used in the attacks, and copies of the ransomware employed.
The investigation highlights how the GDID is just one of the many elements used to build the evidence. Investigators emphasize that they combined the Windows identifier with IP addresses, logs of the services used, data from compromised servers, and other digital evidence.
Finally, it should be remembered that the charges against Peter Stokes currently represent allegations by the prosecution. As specified by the U.S. Department of Justice itself, the defendant should be considered innocent until a final conviction is pronounced by a court.