Skip to content
feed: live
>_ 0dayNews
threat intel
Analysis

Windows Device ID trail led FBI to Scattered Spider suspect

A newly unsealed federal complaint says a Microsoft-recorded device ID tied the account behind a Scattered Spider intrusion to 19-year-old Peter Stokes.

Windows Device ID trail led FBI to Scattered Spider suspect
Photo: Dick Culbert from Gibsons, B.C., Canada / Wikimedia Commons · CC BY 2.0
Dave "Kilobaud" Ferris · Published · 5 min read

Every so often a court filing lands that reads less like a legal document and more like a footnote to the attacker’s own memoir, and this week the U.S. Attorney’s Office in the Northern District of California produced one of those. The Hacker News reported on Monday that prosecutors have tied an alleged member of the Scattered Spider crew to a May 2025 intrusion at a luxury jewelry retailer by way of a persistent Windows device identifier that Microsoft’s own telemetry had been quietly recording the entire time.

The defendant is Peter Stokes, 19, and the mechanism, as the complaint describes it, is the sort of thing that gets a footnote in a Windows internals talk and then never much thought about again. Microsoft assigns each Windows installation a stable device identifier that outlives ordinary logout, ordinary user switching, and — this is the load-bearing part — a good deal of the routine cleanup an intruder tends to do after finishing a job. That identifier was captured against the intrusion account the attackers used to maintain access during the retailer breach. It was subsequently captured, over months, against a set of personal accounts prosecutors say belong to Stokes. Same device, same fingerprint, one side wearing gloves and the other not.

What the filing actually says

The complaint is a probable-cause document, not a conviction, and worth reading as such — the government’s case, as it stood the day the judge unsealed it. What it lays out, publicly, is a chain that starts with Microsoft records on the retailer intrusion account, walks that device identifier forward through time to accounts on which Stokes appears to have signed in as himself, and offers the whole assembly as the basis for the arrest.

The tradecraft failure here is not exotic. The attackers used a live Windows box to sit inside the target network for as long as they needed, then apparently used the same box, or an image that inherited the same identifier, for their off-hours life. Microsoft was recording the identifier both times. Microsoft, when asked by a federal grand jury, produced the records both times. The rest is arithmetic.

A number of details in the filing are not yet public, and speculating past what the complaint says is not useful. The specific identifier, the exact provenance chain, and whatever else prosecutors are holding for trial will surface when the case moves. Until then the shape of it — a single persistent identifier bridging the criminal work and the personal accounts — is what matters.

Why this one is not novel, and why that is the point

Scattered Spider has never particularly hidden. The group’s public reputation is built on English-speaking social engineering — help-desk pretexting, SIM-swap-adjacent takeovers, the sort of native-fluency phone work that used to be uncommon in Russian-speaking eCrime and that made the crew unusually effective against U.S. retail, hospitality, and casino targets. Their operational security has, from the beginning, been a mixed picture: strong at the moment of the intrusion, weak at the perimeter of the attacker’s own life. The FBI’s affidavits in the earlier Scattered Spider arrests have leaned heavily on the same class of evidence — reused accounts, reused devices, reused SIMs — because that class of evidence keeps being there to lean on.

The persistent-identifier problem for attackers is old. Modern operating systems, modern browsers, modern advertising SDKs, and modern platform vendors all generate identifiers whose purpose is precisely to survive the kind of cleanup a normal user might attempt: reinstalling the OS, clearing cookies, switching accounts. The identifiers exist so that Microsoft or Google or Meta can keep a coherent view of the device across sessions, and so that the ad industry can, too. What is convenient for a product team is convenient for a federal prosecutor working with a grand-jury subpoena. This is not a bug in the system. It is the system.

It is also, worth noting, the same mistake, different decade. The FBI’s early bust of Kevin Poulsen ran through pay-phone records that Poulsen assumed were transient and that Pacific Bell kept. The Silk Road case ran through a StackOverflow account under Ross Ulbricht’s real name. The Anom sting ran through a piece of hardware whose supply chain was quietly owned by the FBI from the day of manufacture. In every one of these, the attacker’s mental model was that the record did not exist, or would not survive, or could not be correlated. The system had a different mental model. The system’s mental model won.

What operators should take from it — carefully

This is not an OPSEC how-to, and the site is not going to become one. There is a version of a writeup like this that walks through which identifiers Windows keeps, how long, where, and how to scrub them — that would cross the line from analysis into instructional material for the wrong reader, and Scattered Spider does not need our help. What is worth taking, at the level of general observation, is narrower.

The persistent identifiers a modern OS produces exist. They are collected. They are producible under subpoena. Any threat model that treats the endpoint as a stateless disposable object — reformat, resell, walk away — has not been accurate for a long time, and the courts have started to reflect that. For defenders, the practical read is that Microsoft-side telemetry has continued to be useful evidence in exactly the kinds of prolonged, hands-on intrusions where the attacker’s own operational footprint is largest. That is a good outcome, in the specific narrow sense of the word.

For the broader question about what an ecosystem of stable per-device identifiers means for civil liberties, for journalists working under state surveillance, for the categories of people who are not Scattered Spider members, that is a different piece and it has been written by better people than us. Both things are true at the same time. The identifiers that catch the crew also catch everyone else.

Stokes has not been convicted of anything. The complaint has been unsealed and the case is proceeding, and the standard cautions apply: probable cause is not proof, and the details in the filing are one side’s argument. What has already been established, whatever the outcome of the case, is that the trail existed, that it survived, and that it was there for the government to pull when it decided to. Attackers who assume otherwise are working from an old map.

Found this useful? Share it.