LAST UPDATED Loading...

Court Documents Reveal How Microsoft Helped Identify Alleged Scattered Spider Member

Court filings reveal how Microsoft telemetry, cloud records, and social media evidence were combined to identify an alleged Scattered Spider member.
Stylized illustration of a glowing white spider with blue and purple glitch effects on a dark digital background, representing the Scattered Spider cybercrime group. The text “SCATTERED SPIDER” appears beneath the graphic.

Newly unsealed court documents provide an unusually detailed look at how investigators allegedly identified and tracked an alleged member of the Scattered Spider cybercrime group, revealing that Microsoft telemetry played a significant role alongside social media records, cloud service logs, travel history, and other digital evidence.

The filing centers on Peter Stokes, a 19-year-old dual U.S.-Estonian citizen who was extradited to the United States after being arrested in Finland in April while attempting to board a flight to Japan. Prosecutors allege Stokes was a member of Scattered Spider, also tracked as Octo Tempest, UNC3944, and 0ktapus, and participated in multiple computer intrusions, data theft, and extortion schemes, according to a CyberScoop report.

Microsoft GDID linked device activity to the investigation

One of the most notable details in the unsealed FBI affidavit involves Microsoft’s Global Device Identifier (GDID), a unique identifier assigned to a Windows installation. According to investigators, an ngrok account allegedly used during one of the intrusions was created through a VPN, but Microsoft was able to associate that activity with a specific GDID after receiving a court order.

Investigators then compared the GDID against Microsoft’s historical telemetry and identified additional IP addresses allegedly associated with the same Windows installation. Those addresses were subsequently correlated with login records obtained from Snapchat, Apple, Facebook, travel records, and other providers, building what prosecutors describe as a consistent pattern linking the device to Stokes.

Telemetry was only one piece of the case

Although discussion online has largely focused on Microsoft’s telemetry, the affidavit makes clear that investigators relied on multiple independent sources of evidence.

The filing states that Microsoft had previously submitted criminal referrals identifying Stokes as a suspected Scattered Spider member in 2024. Prosecutors also cite provider records, cloud service logs, seized infrastructure, communications, and digital evidence recovered during the broader investigation.

The affidavit further alleges that Stokes participated in a May 2025 intrusion targeting a luxury jewelry retailer after attackers socially engineered the company’s IT help desk into resetting employee credentials. Prosecutors claim the attackers exfiltrated approximately 100 GB of data before demanding an $8 million cryptocurrency ransom. The company ultimately refused to pay but reportedly sustained roughly $2 million in operational losses.

What is a Windows GDID?

A Global Device Identifier, or GDID, is a unique identifier associated with a Windows installation that Microsoft uses for device-level telemetry and other platform services. According to the affidavit, investigators used the identifier to associate activity from the same Windows installation across multiple IP addresses and time periods.

The court documents do not suggest that Microsoft independently monitored the alleged criminal activity in real time. Rather, the records indicate Microsoft provided historical telemetry and device information after legal process, allowing investigators to correlate it with evidence obtained from other providers.

Scattered Spider remains under intense scrutiny

Federal authorities allege Scattered Spider has been responsible for more than 100 network intrusions and over $100 million in ransom payments since emerging in 2022. The group’s operations frequently combine social engineering, credential theft, SIM swapping, cloud compromise, and data extortion against large enterprises.

The newly released affidavit offers one of the clearest public examples of how modern cybercrime investigations increasingly combine provider records, device telemetry, cloud logs, and traditional investigative techniques to attribute activity that attackers believed had been obscured through VPNs and anonymization services.

BreachNews will continue following the case as additional court filings become public.

Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

Newsletter signup

Get the latest data breach and security news.

Please wait...

Thank you for signing up!

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map