US prosecutors linked an alleged member of the Scattered Spider group to the breach of a major jewelry retailer, using the persistent Windows device identifier as a key piece of evidence. According to a recently unsealed federal indictment, Microsoft logs made it possible to tie a specific device first to an account used to maintain persistence in the victim’s network in May 2025, and then to the personal accounts of 19-year-old Peter Stokes, a citizen of the United States and Estonia. The case illustrates both the capabilities of digital forensics for attributing attacks and the fundamental vulnerability of corporate support services to social engineering.
Attack timeline: from support call to extortion
According to the indictment, between 12 and 15 May 2025 the attackers called the retailer’s IT help desk from Google Voice numbers, posed as employees allegedly locked out of their accounts, and persuaded support staff to reset passwords and the mobile devices linked to multi-factor authentication.
Within a few hours, the attackers gained control over three accounts, two of which belonged to IT administrators. They then:
- Installed the tunneling tools ngrok and Teleport to enable covert access
- Moved data into Amazon cloud storage
- Exfiltrated at least 77 gigabytes of information
- Allegedly attempted to deploy ransomware, but the retailer’s security team blocked the deployment and pushed the attackers out of the network
Despite failing to encrypt systems, the attackers sent a ransom note — the subject line contained a characteristic typo: “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic]” — and later demanded 8 million dollars in cryptocurrency. The company refused to pay, but according to the indictment incurred about 2 million dollars in costs for remediation, investigation, and restoring operations.
Device identifier as a digital fingerprint
A key element of the investigation was a mechanism that Microsoft refers to as the Global Device Identifier — a persistent identifier tied to a specific Windows installation. As described in the indictment, this identifier is preserved across operating system updates but changes when Windows is reinstalled.
Microsoft’s logs showed that a device with the identifier g:6755467234350028 visited the ngrok registration page at 19:21 UTC on 12 May 2025 — in the very same minute that the ngrok account used in the attack was created. Roughly three hours later, the same device accessed the retailer’s website via the same proxy server.
Investigators then determined that this device repeatedly appeared on the same IP addresses and during the same time windows as the Snapchat, Apple and Facebook accounts that, according to the indictment, belong to Stokes. The geographic correlation spanned Tallinn (June 2024), New York (November 2024) and Thailand (February 2025), which was corroborated by State Department travel records.
The indictment paints a portrait of an operator who hid the attack — behind VPNs, proxy servers, tunneling tools and pseudonyms — but did not hide himself. According to investigators, the Snapchat account linked to Stokes (known under the alias “Bouquet”) showcased cash, watches and diamond chains bearing the inscription “HACK THE PLANET,” as well as photos from those same cities, including a shot of an Estonian police station with a mocking caption aimed at law enforcement.
Threat context: why one arrest doesn’t solve the problem
Stokes has been charged with conspiracy, computer intrusion and fraud. According to a press release from the Department of Justice, he was extradited from Finland and made his first court appearance in Chicago on June 30. Finnish police detained him at Helsinki Airport as he attempted to board a flight to Japan and seized two hard drives with a capacity of 2 terabytes each. Stokes is presumed innocent until proven guilty.
Prosecutors describe Scattered Spider as a single group behind more than 100 intrusions and over 100 million dollars in extortion. However, research by Group-IB offers a different model: analysts assess that Scattered Spider is not a unified organization but a loose collective of small, independent cells, usually no more than five people, connected by shared methods, tools, and communication channels rather than centralized leadership. Group-IB compares this phenomenon to the Anonymous movement and explicitly notes that the arrest of individual cells “will not stop the threat itself.”
This decentralized structure explains why the group’s activity continues despite a series of prosecutions in different jurisdictions. Each arrest removes a specific operator, but the overall set of tactics, techniques and procedures remains available through shared chat channels and communities.
Practical recommendations
This incident underscores that the attack vector was not a software vulnerability but a process flaw — social engineering via the support desk. Organizations should focus on the following measures:
- Identity verification for credential resets: implement mandatory call-backs to phone numbers already recorded in the system, approval from the direct manager, or video verification — especially for privileged accounts
- Hardware-based multi-factor authentication: deploying FIDO2 keys neutralizes phishing attacks against MFA, but does not protect against situations where a help desk operator unlinks a device based on a phone call
- Monitoring tunneling tools: detect and block unauthorized use of ngrok, Teleport and similar tools within the corporate network
- Control over mass exfiltration: configure alerts for anomalous volumes of outbound traffic, especially to cloud storage destinations
- Privilege restriction: minimize the number of accounts with IT administrator rights and apply strengthened authentication procedures to them
The Stokes case shows that digital forensics can tie a specific operator to an attack even when VPNs and proxies are used — but for victim organizations, that is cold comfort. The key lesson of this incident is not in attribution technology but in the fact that a single phone call to the help desk opened access to administrative accounts and 77 gigabytes of data. As long as the password reset process does not require reliable identity verification, neither FIDO2 keys nor EDR solutions can compensate for this gap.