Windows 11 identifier code used to track Scattered Spider perp after Microsoft shared info with FBI — 19-year-old US-Estonian hacker arrested over alleged ties

Windows 11 identifier code used to track Scattered Spider perp after Microsoft shared info with FBI — 19-year-old US-Estonian hacker arrested over alleged ties

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works .

Scattered Spider is one of the biggest cybercrime syndicates on the planet, having extorted over $100 million in ransom payments, according to the DOJ. The group also operates under the names Octo Tempest , UNC3944 , and Oktapus , and is renowned for its social engineering tactics. As such, the main criminal complaint against Stokes stems from a May 2025 attack on a luxury jewelry dealer based in the United States.

The attackers apparently called the company's IT helpdesk using Google Voice, posing as employees. They were able to convince the help desk into resetting their credentials , which allowed them to infiltrate three accounts, two of which had admin privileges. From there, the group, allegedly including Stokes, stole important data and held the jeweler at ransom, demanding an $8 million payment in crypto .

The company ultimately regained access to their infrastructure and avoided paying the ransom, but the operational disruption still caused a purported $2 million in losses. This served as the spark that led to Stokes' eventual arrest in Helsinki, as the prosecutors slowly followed the paper and digital trail laid by the attackers. Microsoft played a key role in the process by providing GDID data to the FBI to help them apprehend the alleged criminal.

GDID stands for Global Device Identifier; it's a unique identifier assigned to every Windows install that tracks device-specific telemetry. It's the reason why sometimes changing a major component in your PC can revoke your Windows license. Anyhow, the court documents from the case reveal that Stokes used Windows, from which investigators were able to link his physical hardware to specific internet activity and locations.

Microsoft's GitHub bans security researcher who posted zero-day Windows exploits because company ruined their life

Microsoft's bug-hunting nemesis extends vendetta with more zero-day attacks

Key considerations

  • Investor positioning can change fast
  • Volatility remains possible near catalysts
  • Macro rates and liquidity can dominate flows

Reference reading

More on this site

Informational only. No financial advice. Do your own research.

Leave a Comment