On July 1, 2026, the US Department of Justice and the FBI announced the extradition of a 19-year-old hacker. The US-Estonian citizen, Peter Stokes, was extradited from Finland to face trial in a Chicago federal court. Authorities accuse Stokes of joining the notorious “Scattered Spider” hacking syndicate. He allegedly participated in numerous cyberattacks. Furthermore, Stokes was arrested on April 10 at Helsinki Airport while attempting to travel to Japan. At that time, the United States had already issued an international arrest warrant.
Microsoft Aids Law Enforcement Through GDID
Currently, the cybersecurity community is intensely debating this revelation. Documents released by the Department of Justice explicitly mention this tracking method. Microsoft utilizes the Global Device Identifier (GDID) to trace specific Windows devices. The GDID is a unique string generated during the initial Windows installation. Consequently, this identifier remains constant unless the user completely wipes the drive and reinstalls the operating system.
How Windows Telemetry Transmits Data
The GDID transmits device activity through telemetry and Azure monitoring logs. Specifically, Microsoft can potentially link the GDID to precise web browsing activities. It also tracks IP address history, which persists even if the user activates a VPN. Furthermore, it reveals overall internet usage patterns. However, this topic remains controversial. Experts cannot yet confirm the exact scope of data Microsoft ultimately collects.
Tracking Scattered Spider Across the Globe
As early as 2022, Microsoft had already identified Stokes. The GDID precisely matched the same Windows device across multiple global locations. These locations notably included Estonia, New York, and Thailand. Therefore, this telemetry perfectly aligned with the timeline of the criminal offenses. The device fingerprint allowed for precise identification and continuous tracking. This remained true even when the hacker utilized a VPN or relocated. By October 2024, Microsoft could positively identify Stokes. This breakthrough conclusively completed the attribution process.
The Hidden Power of Windows Analytics
Microsoft rarely mentions the GDID in its public MSDN documentation. The company primarily utilizes this identifier for internal analytics. Nevertheless, this case highlights the formidable attribution capabilities of device-level telemetry. For instance, the cybersecurity account vx-underground remarked that Windows essentially betrayed Stokes. In a follow-up post, they further discussed the severe implications of this tracking.
A Looming Debate over Privacy and Surveillance
Many professional users and security researchers previously remained unaware of the GDID identifier. They certainly did not realize Microsoft could persistently track specific Windows devices. The Peter Stokes case likely represents the first large-scale public revelation of this capability. It clearly demonstrates the immense power of Windows telemetry in real-world law enforcement scenarios. Undeniably, this represents a massive victory for cyber attribution technology. Yet, it also serves as a sobering mirror. It reminds us that digital convenience constantly shifts our privacy boundaries.
Hardware Tracking Beyond the Hard Drive
Notably, discussions within the security community reveal further concerns. A security researcher recently suggested that Microsoft also tracks users via TPM (Trusted Platform Module) chips. This implies that completely erasing a hard drive might be insufficient. Unless the user physically replaces the TPM chip, tracking could theoretically persist. Consequently, relying on a VPN or the Tor network would prove entirely futile. At the very least, Microsoft likely possesses the technical capability to achieve such tracking. However, no public documentation currently confirms this TPM-based surveillance method.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.