TempMail Ninja
//

Windows GDID: How Microsoft Telemetry Exposed the Scattered Spider Hacker

6 min read
TempMail Ninja
Windows GDID: How Microsoft Telemetry Exposed the Scattered Spider Hacker

On April 10, 2026, at Helsinki Airport in Finland, nineteen-year-old Peter Stokes was stopped by authorities as he tried to board a flight to Tokyo, Japan. To his peers in the notorious cybercrime syndicate “Scattered Spider” (also known as Octo Tempest, UNC3944, and 0ktapus), Stokes was a legendary social engineer who operated under the online handles “Bouquet,” “Spencer,” and “Jordan”. But his elaborate escape plan was ultimately thwarted not by traditional physical surveillance, but by an undocumented, deeply integrated telemetry identifier running silently inside his operating system: the Windows GDID (Global Device Identifier).

The unsealing of his criminal complaint in Chicago on July 1, 2026, sent shockwaves through the global cybersecurity community. The court documents from the FBI’s Operation Riptide did not just detail Stokes’ alleged crimes; they exposed a highly secretive, persistent device-fingerprinting mechanism built into the Windows ecosystem. While Stokes had taken extreme measures to mask his physical location using virtual private networks (VPNs) and proxies, his local operating system was quietly reporting his every move directly to Microsoft, creating a digital trail that investigators used to destroy his anonymity.

Inside Operation Riptide: The Downfall of Peter “Bouquet” Stokes

Before his arrest, Peter Stokes flaunted a lavish, globetrotting lifestyle, even posing in social media photos wearing a custom, diamond-encrusted “HACK THE PLANET” necklace. Prosecutors allege that Stokes began his cybercrime career at just sixteen years old, eventually becoming a core member of Scattered Spider. This highly disruptive, English-speaking group has been linked to over 100 corporate network intrusions, collectively extorting more than $100 million in ransom payments.

The primary charges against Stokes stem from a May 2025 intrusion targeting a multi-billion-dollar luxury jewelry retailer, referred to in court documents as “Company F”. Rather than exploiting zero-day software vulnerabilities, Scattered Spider relied on highly persuasive social engineering tactics. The hackers called the retailer’s IT helpdesk using Google Voice, successfully posing as legitimate employees. Within two hours, they tricked the support staff into resetting multi-factor authentication (MFA) credentials, gaining access to high-privilege administrator accounts.

After exfiltrating 100 gigabytes of sensitive data, the group demanded an $8 million cryptocurrency ransom. Although the retailer successfully evicted the intruders and refused to pay, the breach caused widespread business disruption and incident response costs totaling over $2 million. This incident triggered an aggressive, coordinated investigation by the FBI, Microsoft’s Threat Intelligence team, and Finland’s National Bureau of Investigation. When Stokes was apprehended in Helsinki, Finnish authorities seized two 2-terabyte hard drives, marking a physical end to a highly sophisticated digital operation.

Unmasking the Windows GDID: The OS-Level Tracker You Cannot Escape

The technical crown jewel of the FBI’s criminal complaint is the revelation of the Windows GDID. According to Microsoft technical representatives cited in the affidavit, a Global Device Identifier is a persistent, globally unique identifier assigned to every unique installation of the Windows operating system. It operates silently in the background of both physical hardware (such as laptops and desktops) and virtual machines.

Unlike traditional tracking mechanisms, the Windows GDID features several highly persistent technical characteristics:

  • Immutability: The identifier does not change when a user clears browser cookies, rotates MAC addresses, alters hardware components, or uses a VPN. It remains strictly static unless the entire operating system is completely wiped and reinstalled.
  • Undocumented Nature: The GDID is a closely guarded Microsoft telemetry key. Prior to the court disclosures, it was only mentioned in a single, obscure Microsoft Developer Network (MSDN) document, leaving most security researchers and privacy advocates completely unaware of its tracking capabilities.
  • Kernel-Level Telemetry: Because the identifier is managed at the OS level, it functions independently of user-space privacy tools. It ties device-specific diagnostics directly to Microsoft’s cloud infrastructure.
  • Targeted Identification: In the criminal complaint, the FBI explicitly identified Stokes’ machine by its specific Windows GDID: g:6755467234350028.

The GDID is primary used by Microsoft for diagnostic and crash reporting, analyzing feature usage, and preventing licensing abuse (such as a single machine repeatedly claiming free trials). However, as the Stokes case proves, it also serves as one of the most powerful forensic tracking mechanisms in existence.

How Telemetry Bypassed Local OPSEC

To conduct his operations, Peter Stokes utilized a Virtual Private Network (VPN) and proxies to mask his real-time IP address. Under the protection of the VPN, Stokes accessed ngrok, a secure-tunneling developer utility used to expose local servers to the public internet.

However, Stokes made a fatal OPSEC assumption: he assumed his VPN protected his host’s identity. While the VPN successfully encrypted and masked his network traffic from his local internet service provider (ISP), it could not stop his Windows operating system from communicating with Microsoft’s telemetry servers. Because the OS-level telemetry service runs outside the scope of user-configured proxies, Windows continued to send system-health and telemetry packets to Microsoft.

The telemetry logged under GDID g:6755467234350028 was incredibly granular. Microsoft’s telemetry system quietly recorded:

  • Exact Activity Timestamps: Precise timestamps logging when the device visited the ngrok signup and dashboard pages, which investigators matched directly to ngrok‘s server access logs.
  • Actual IP Addresses: The physical IP addresses Stokes connected from, cataloging his real-time geographic movements even when he was actively using a VPN.
  • Recreational Activity Tracking: Precise timestamps of when Stokes played the online multiplayer sandbox video game Growtopia on his Windows device.
  • Location History Mapping: A comprehensive physical log of Stokes’ travels, showing internet activity originating from residential and hotel connections in Tallinn (Estonia), New York, and Thailand.

By providing these “criminal referrals” to the FBI, Microsoft enabled federal investigators to map the Windows GDID directly to Stokes’ real-world identity. The FBI subpoenaed access logs from consumer platforms, including Snapchat, Apple, and Facebook. By correlating the timestamps and physical IP addresses of Stokes’ personal social media logins with the real-time telemetry of GDID g:6755467234350028, investigators proved beyond a doubt that the person operating the hacker persona “Bouquet” was Peter Stokes.

Deep Dive: Azure Logging and the SmartScreen Loophole

The forensic mapping was further bolstered by enterprise-grade monitoring tools built into Windows, specifically Azure UCDOStatus (Unified Delivery Optimization Status) and Azure Monitor logging. These frameworks, designed to optimize update distribution and monitor system health across the cloud, continuously stream device metadata, connection speeds, and network parameters to Microsoft’s cloud databases.

Additionally, the role of Microsoft Edge and its built-in SmartScreen technology played a vital role in his tracking. Designed as a security mechanism to protect users from phishing and malware, SmartScreen works by sending the exact URLs a user visits back to Microsoft’s servers for real-time reputation checks. In practice, this mechanism effectively bypasses the end-to-end privacy promised by HTTPS from a tracking standpoint. Since the browser itself resolves and reports the fully qualified URI to Microsoft before loading the page, investigators obtained an unvarnished list of Stokes’ web browsing history—including visits to local hotel websites and development dashboards.

The Privacy Backlash and the New Reality of OPSEC

The unsealing of the Peter Stokes complaint has ignited an intense debate among privacy advocates, system administrators, and security practitioners. On forums like Reddit’s r/sysadmin and r/opsec, experts are pointing to the case as definitive proof that maintaining absolute anonymity on a modern, closed-source consumer operating system is virtually impossible.

While Microsoft’s telemetry is an invaluable defensive tool that allowed law enforcement to dismantle a devastating cybercrime group, it raises profound questions about the nature of consent and user control. The revelation that an undocumented, immutable identifier can silently link a user’s operating system, real-time IP history, web activity, and gaming habits challenges the traditional boundaries of personal privacy.

For the modern threat modeler, the downfall of “Bouquet” serves as a historic lesson. It demonstrates that OPSEC is only as strong as its weakest layer. If the underlying operating system functions as a kernel-level witness, constantly reporting telemetry back to its parent corporation, then proxies, VPNs, and encrypted browsers are merely cosmetic shields. As Stokes awaits trial in Chicago, his case stands as a stark reminder of the near-impossible task of hiding from a silent, built-in digital ledger.

TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.