News·4 min read

New Research Details How FBI Uncovered Alleged Scattered Spider Member

The extradition of an alleged Scattered Spider member from Finland to the United States has drawn attention far beyond the criminal charges themselves. Buried on page 8 of the indictment lies a detail

CS
CyberShield Team
2026-07-08
Share:
New Research Details How FBI Uncovered Alleged Scattered Spider Member

The extradition of an alleged Scattered Spider member from Finland to the United States has drawn attention far beyond the criminal charges themselves. Buried on page 8 of the indictment lies a detail that security researchers are calling the most revealing part of the entire case: Microsoft telemetry tied to a Global Device Identifier (GDID) […] The post New Research Details How FBI Uncovered Alleged Scattered Spider Member appeared first on Cyber Security News.

The extradition of an alleged Scattered Spider member from Finland to the United States has drawn attention far beyond the criminal charges themselves. Buried on page 8 of the indictment lies a detail that security researchers are calling the most revealing part of the entire case: Microsoft telemetry tied to a Global Device Identifier (GDID) helped the FBI connect anonymized online activity to a single Windows installation. FBI Uncovered Alleged Scattered Spider Member On July 1, 2026, the Department of Justice announced the extradition of Peter Stokes, a 19-year-old Estonian-US dual citizen known online as “Bouquet”. Stokes was apprehended at Helsinki Airport while attempting to board a flight to Japan. He faces charges of conspiracy, computer intrusion, and fraud tied to more than 100 network intrusions and over $100 million in ransom payments allegedly linked to Scattered Spider. As detailed in contemporary reporting on the initial U.S. extradition proceedings against Scattered Spider, most cybercriminal attributions hinge on classic OPSEC failures like reused infrastructure or leaked credentials. This case took a different route. DOJ press release announcing Peter Stokes’s extradition. (image source : Darkatlas) Court documents reveal that Microsoft provided telemetry associated with the suspect’s GDID (g:6755467234350028) directly to investigators. The legal indictment explicitly highlights how a Global Device ID was tied to a specific VPN proxy service IP address ending in .168 to track unmasked adversarial operations. Indictment text highlighting the GDID link. (image source : Darkatlas) The complete forensic timeline, reverse-engineered device identifiers, and full operational breakdowns are hosted directly on the DarkAtlas Threat Intelligence Archive. That telemetry linked the same device identifier to multiple clusters of unmasked activity: Tunneling Footprints: Active ngrok tunneling infrastructure used during system intrusions. Network Tracking: Public IP addresses spanned across distinct sessions. Temporal Corroboration: Micro-timestamps matching the exact periods of internet activity. Browser Indicators: Specific browsing activity, likely captured via Microsoft Edge diagnostic data. Even with VPNs and proxy infrastructure in play, the GDID gave investigators a stable, device-level thread connecting disparate activity back to one Windows installation. GDID stands for Global Device Identifier, a persistent Microsoft identifier tied to a Windows installation rather than physical hardware. It remains stable across Windows updates but changes if the OS is reinstalled. Comprehensive coverage from the technical community explores how this Windows device tracking telemetry exposed Stokes, clarifying that devices register with Microsoft’s legacy Passport.NET service during setup. This generates a unique credential set, suggesting GDID relates directly to legacy Passport Unique ID (PUID) system architectures like the PassportIdentity.HexPUID property. Microsoft documentation for the legacy HexPUID property. (image source : Darkatlas) Identifier TypeOperational IdentityVulnerability / Exposure SurfaceIP AddressNetwork location or active VPN endpointCan be masked using proxies or Tor routing infrastructure.Cookie TokenBrowser session identityEphemeral; cleared upon session reset or cache wipes.Hardware SerialPhysical component fingerprintRemains static to the motherboard or hardware chassis.GDIDWindows installation identityPersists across updates and routing hops; unique to OS lifecycle.Microsoft AccountUser identity across software servicesLinked directly to cloud authentication profiles. For threat intelligence teams, this case shows that rotating accounts, aliases, and infrastructure doesn’t erase continuity if the underlying OS installation persists. For forensics teams, it reinforces that value emerges from correlating endpoint telemetry, cloud records, and browser diagnostics together. For enterprises, it raises governance questions regarding what diagnostic data is enabled on managed endpoints, how Edge telemetry is configured, and whether logs are preserved long enough to support incident response. While researchers continue digging into where GDID is stored locally, the broader takeaway remains clear: attribution doesn’t always require a single mistake. It can come from telemetry that quietly persists across sessions, services, and infrastructure long after a VPN masks the obvious. The post New Research Details How FBI Uncovered Alleged Scattered Spider Member appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.