A Windows Global Device Identifier, a fixed serial number your PC generates the first time Windows is installed, is what let the FBI unmask an alleged Scattered Spider hacker who had hidden behind a VPN and a tunneling service. The detail surfaced this week in an unsealed superseding complaint out of the Northern District of Illinois against 19-year-old Peter Stokes, and it has ricocheted through the security community over the past few hours because of what it implies: Microsoft can tie one Windows machine to its browsing across third-party sites, and there is no consumer switch to turn that off. The VPN protected the network address. It did nothing for the device underneath it.

  • The GDID (Global Device Identifier) is generated during Windows setup, survives updates, and only changes if you completely wipe the drive and reinstall the OS. There is no published opt-out.
  • Stokes allegedly used a VPN proxy and the ngrok tunneling service to stay anonymous, but Microsoft telemetry placed his GDID on the ngrok signup page at the exact minute the account was created.
  • The FBI then correlated the GDID's IP history against accounts prosecutors say belong to Stokes: Apple, Snapchat, Facebook, and a Ubisoft game login, unraveling the anonymity entirely.
  • Stokes was arrested in Finland on April 10, 2026 boarding a flight to Japan, extradited to the US, and made his first Chicago court appearance on June 30. He remains in custody.
Why a VPN did not hide the Windows device A VPN rotates the visible IP address at the network layer, but the Windows GDID travels with the machine at the device layer and is logged by Microsoft telemetry unchanged, so the same PC is identifiable across every session. NETWORK LAYER · masked by the VPN Windows PCreal IPVPN + ngrokIP rotatesTarget sitesees proxy IP endpoint looks hidden DEVICE LAYER · the VPN cannot touch this Same Windows PCGDID 7f3a… fixedMicrosoft telemetrylogs the GDID GDID carried unchanged → The IP hid the network path; the device ID identified the machine anyway. genztech.blog
Fig 1 Anonymity tools operate at the network layer. The Windows GDID lives at the device layer, rides along with every session, and is logged by Microsoft telemetry, so rotating the IP address never rotated the identity.

What actually happened in the Stokes case?

Prosecutors say Stokes, who allegedly used the handles Bouquet, Spencer, and Jordan, was part of a May 2025 Scattered Spider intrusion into an unnamed luxury-jewelry retailer identified in filings only as Company F. The crew placed Google Voice calls to the retailer's help desk for social engineering, then stood up an ngrok tunnel to keep persistent access into the data center, exfiltrating at least 77 GB through Teleport.sh and Amazon S3 before a ransomware push was blocked and an $8 million extortion demand went unpaid. The retailer still absorbed roughly $2 million in disruption and cleanup. The investigative break was not the malware; it was the identity trail. Microsoft records tied the ngrok account, created May 12 at 19:21 UTC through a Tzulo-hosted VPN proxy in Mount Prospect, Illinois, to a specific GDID, and put that same device on the retailer's site through the same proxy. Agents then matched the GDID's IP history to Stokes's personal Apple, Snapchat, Facebook, and Ubisoft logins across Tallinn, New York, and Thailand, lining up with his State Department travel records and his own social posts from luxury hotels.

RelatedJanuscape: a 16-Year KVM Bug Escapes Guest to Host

What is the GDID, and why can you not turn it off?

The Global Device Identifier is a unique string Windows mints during initial installation. It is meant for mundane plumbing: crash and diagnostic reporting, feature-usage analysis, and abuse detection such as spotting one machine that repeatedly claims free trials or licenses. The properties that make it useful for those jobs are exactly what make it powerful for investigators. It persists across Windows updates, it does not rotate when your IP changes, and there is no setting anywhere in Windows to disable or reset it. The only way to get a fresh GDID is to fully wipe the drive and reinstall the operating system, which means the identifier quietly survives almost everything a normal user does to their PC. Microsoft has only briefly acknowledged the identifier on a support page and has not commented on the case.

LayerWhat it hidesWhat the GDID exposes
VPNYour real IP address from the destination siteNothing, the device ID rides inside the tunnel
ngrok tunnelYour server's location behind a public URLNothing, Windows still reports the GDID
New account / aliasYour name from a given serviceLinks the alias to the same machine as your real accounts
Full Windows reinstallResets the GDID to a new valueOnly a clean wipe breaks the trail, at great cost

How did the GDID trail actually get built?

This is the part most coverage skips, and it is what alarmed researchers. The complaint does not describe a single lucky log. It describes a correlation graph. Once investigators had a court order and a target GDID, Microsoft could apparently associate that device identifier with visits to third-party services and the timestamps of those visits, which starts to look like activity tracking without needing browser cookies at all. The FBI then treated the GDID as a join key: every IP the device touched became a lead, and every account that logged in from those same IPs at those same times became a candidate link. The luxury-hotel geolocations, the game login, the social accounts, and the travel records all snapped together around one Windows installation. Security researcher Matthew Hickey summarized the reaction bluntly, calling Windows surveillance software, while Costin Raiu warned the capability is very likely not unique to Microsoft and may run deeper on hardware-tied identifiers elsewhere.

  1. Mar 2023Company H breach. Alleged Scattered Spider intrusion into an online-communication platform.
  2. May 2025Company F jewelry-retailer breach. Help-desk social engineering, ngrok persistence, 77 GB exfiltrated, $8M demand unpaid.
  3. Apr 10 2026Arrested in Finland. Detained boarding a flight to Japan, carrying two 2 TB hard drives.
  4. Jun 30 2026First US court appearance. Extradited to Chicago on a six-count superseding complaint; held in custody.
  5. Jul 2026GDID method goes public. Unsealed filing reveals the device-ID trail; privacy debate erupts.

Why does this matter for ordinary Windows users?

Because the same mechanism that caught an alleged extortionist is running on your machine too, with no transparency around it. There is no published Microsoft policy detailing when GDID data is shared with law enforcement, no consumer opt-out, and no transparency report that counts these requests. For the accused in this case, that is the system working: a $100-million-plus criminal group is exactly who device forensics should catch. But a persistent, un-resettable identifier that can be joined to your third-party browsing is a general-purpose capability, and general-purpose capabilities do not stay pointed only at criminals. The practical lesson for anyone who actually needs anonymity is narrow and harsh: your VPN, your throwaway accounts, and your tunnels all protect the network layer, and none of them protect the endpoint. Genuine separation means a different operating system and a machine that never touches your real identity.

RelatedSimpleHelp Auth-Bypass Flaw Threatens MSPs at CVSS 10

What to watch · 2026
  • Does Microsoft respond? Whether the pressure forces a documented GDID policy, a transparency count, or, unlikely, an opt-out. Silence is the current default.
  • Is Apple next? Researchers suspect hardware-tied identifiers elsewhere are as strong or stronger. Expect scrutiny of macOS and iOS device IDs.
  • Legal challenge. Whether Stokes's defense contests the GDID correlation as evidence sets an early precedent for device-ID forensics.
  • Copycat forensics. Whether other agencies now routinely request GDID histories the way they request IP logs today.

Our take

This case is a genuinely important privacy story wearing a cybercrime headline. Catching an alleged member of a group tied to more than 100 intrusions is a good outcome, and endpoint forensics beating a VPN is a fair result when the target is an $8 million extortion attempt. The uncomfortable part is everything the filing reveals in passing: a Windows identifier you cannot see, cannot reset without nuking your PC, and cannot opt out of, which Microsoft can apparently correlate to your activity on other companies' sites. That is not a bug in the anonymity tools; it is a design of the platform, and it applies to every Windows machine, not just the ones running ngrok tunnels. The right response is not panic but transparency: Microsoft should document what the GDID is, when it is shared, and how often. Until it does, the honest summary is the one the researchers reached, that anonymity infrastructure protects the network and never the machine, and most people have no idea their PC carries a name.

Primary sources

Original analysis by GenZTech. Reporting informed by Tom's Hardware.