Home Risk & Resilience Court Filing Details How Windows Device ID Helped FBI Link Alleged Scattered Spider Member To Cyber Intrusion

Court Filing Details How Windows Device ID Helped FBI Link Alleged Scattered Spider Member To Cyber Intrusion

0
Court Filing Details How Windows Device ID Helped FBI Link Alleged Scattered Spider Member To Cyber Intrusion

A newly unsealed federal court complaint has revealed how a persistent Windows device identifier played a central role in helping FBI connect an alleged Scattered Spider member to a cyber intrusion targeting a luxury jewelry retailer in May 2025. According to U.S. prosecutors, Microsoft records linked the Windows Global Device Identifier to an account used by the attackers to maintain access during the intrusion before connecting the same device to online accounts allegedly belonging to 19 year old Peter Stokes. Stokes, a dual U.S. and Estonian citizen known online as Bouquet, has been charged with conspiracy, computer intrusion, and fraud after being extradited from Finland. He appeared before a federal court in Chicago on June 30 and is presumed innocent unless proven guilty during legal proceedings.

Court documents describe an attack that took place between May 12 and May 15, 2025, in which the attackers relied on social engineering rather than exploiting a software vulnerability. Investigators said the group contacted the retailer’s IT help desk through Google Voice numbers while impersonating employees who claimed to be locked out of their accounts. Help desk personnel reportedly reset employee passwords and the mobile devices associated with multifactor authentication, enabling the attackers to gain control of three user accounts, including two belonging to IT administrators. After obtaining privileged access, the intruders installed ngrok and another tunneling tool called Teleport, transferred at least 77 gigabytes of data to Amazon cloud storage, and attempted to deploy ransomware across the environment. The retailer’s security team successfully prevented the ransomware from executing and removed the attackers from the network before encryption could occur. Despite the failed ransomware deployment, the attackers reportedly sent a ransom demand titled “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY” and later demanded 8 million dollars in cryptocurrency. The organization refused to pay, although the incident reportedly resulted in approximately 2 million dollars in costs related to business disruption, forensic investigations, and recovery efforts. Prosecutors stated that the incident highlights how identity verification failures at IT help desks can create opportunities for sophisticated cyber intrusions, emphasizing the importance of procedures such as callback verification, management approval for privileged account resets, video identity confirmation, and phishing resistant multifactor authentication technologies such as FIDO2 security keys.

Investigators traced the activity back to a Windows device used during the creation of the ngrok account involved in the intrusion. According to Microsoft, the computer carried Global Device Identifier g:6755467234350028, which functions as a persistent identifier assigned to a Windows installation and remains unchanged through operating system updates until Windows is reinstalled. Microsoft records showed that the device accessed the ngrok registration page at 19:21 UTC on May 12, 2025, matching the exact time the account was created, before connecting to the retailer’s website through the same proxy approximately three hours later. Prosecutors further stated that the same device appeared repeatedly alongside online accounts allegedly associated with Stokes across matching IP addresses and timeframes. The activity included connections originating from Tallinn, Estonia during June 2024, New York during November 2024, and Thailand during February 2025, with travel records obtained from the U.S. State Department reportedly supporting those movements. Court filings also reference social media posts that allegedly displayed large amounts of cash, luxury watches, diamond jewelry bearing the phrase “HACK THE PLANET,” photographs from the same travel destinations, and messages mocking law enforcement.

The filing also provides additional context regarding the wider Scattered Spider ecosystem. Recent research from Group IB describes Scattered Spider as a loosely connected collective made up of multiple independent groups rather than a centrally managed organization. According to the report, many of these smaller teams consist of fewer than five members who share techniques, tools, and online communication channels instead of operating under a single command structure. Prosecutors estimate that Scattered Spider has been associated with more than 100 cyber intrusions and ransom demands exceeding 100 million dollars, while Group IB believes the decentralized nature of the network allows its activities to continue despite individual prosecutions. The case involving Stokes follows several other legal actions connected to the same cybercrime community, including Tyler Buchanan, who pleaded guilty in the United States during April 2026 to fraud and identity theft related charges, and Noah Urban, known online as Sosa, who received a 10 year prison sentence in 2025 for a SIM swapping scheme linked to Scattered Spider. Court documents also note that Finnish authorities seized two 2 terabyte hard drives from Stokes while he was attempting to board a flight to Japan from Helsinki Airport. Investigators believe the digital evidence stored on those devices, including infrastructure, operational tools, and communication records, may provide further insight into additional members and cyber operations associated with the broader network.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.