Newly unsealed court documents provide an unusually detailed look at how investigators allegedly identified and tracked an alleged member of the Scattered Spider cybercrime group, revealing that Microsoft telemetry played a significant role alongside social media records, cloud service logs, travel history, and other digital evidence.
The filing centers on Peter Stokes, a 19-year-old dual U.S.-Estonian citizen who was extradited to the United States after being arrested in Finland in April while attempting to board a flight to Japan. Prosecutors allege Stokes was a member of Scattered Spider, also tracked as Octo Tempest, UNC3944, and 0ktapus, and participated in multiple computer intrusions, data theft, and extortion schemes, according to a CyberScoop report.
Microsoft GDID linked device activity to the investigation
One of the most notable details in the unsealed FBI affidavit involves Microsoft’s Global Device Identifier (GDID), a unique identifier assigned to a Windows installation. According to investigators, an ngrok account allegedly used during one of the intrusions was created through a VPN, but Microsoft was able to associate that activity with a specific GDID after receiving a court order.
Investigators then compared the GDID against Microsoft’s historical telemetry and identified additional IP addresses allegedly associated with the same Windows installation. Those addresses were subsequently correlated with login records obtained from Snapchat, Apple, Facebook, travel records, and other providers, building what prosecutors describe as a consistent pattern linking the device to Stokes.
Telemetry was only one piece of the case
Although discussion online has largely focused on Microsoft’s telemetry, the affidavit makes clear that investigators relied on multiple independent sources of evidence.
The filing states that Microsoft had previously submitted criminal referrals identifying Stokes as a suspected Scattered Spider member in 2024. Prosecutors also cite provider records, cloud service logs, seized infrastructure, communications, and digital evidence recovered during the broader investigation.
The affidavit further alleges that Stokes participated in a May 2025 intrusion targeting a luxury jewelry retailer after attackers socially engineered the company’s IT help desk into resetting employee credentials. Prosecutors claim the attackers exfiltrated approximately 100 GB of data before demanding an $8 million cryptocurrency ransom. The company ultimately refused to pay but reportedly sustained roughly $2 million in operational losses.
What is a Windows GDID?
A Global Device Identifier, or GDID, is a unique identifier associated with a Windows installation that Microsoft uses for device-level telemetry and other platform services. According to the affidavit, investigators used the identifier to associate activity from the same Windows installation across multiple IP addresses and time periods.
The court documents do not suggest that Microsoft independently monitored the alleged criminal activity in real time. Rather, the records indicate Microsoft provided historical telemetry and device information after legal process, allowing investigators to correlate it with evidence obtained from other providers.
Scattered Spider remains under intense scrutiny
Federal authorities allege Scattered Spider has been responsible for more than 100 network intrusions and over $100 million in ransom payments since emerging in 2022. The group’s operations frequently combine social engineering, credential theft, SIM swapping, cloud compromise, and data extortion against large enterprises.
The newly released affidavit offers one of the clearest public examples of how modern cybercrime investigations increasingly combine provider records, device telemetry, cloud logs, and traditional investigative techniques to attribute activity that attackers believed had been obscured through VPNs and anonymization services.
BreachNews will continue following the case as additional court filings become public.











