Peter Stokes, the 19-year-old American-Estonian extradited from Finland to face Scattered Spider hacking charges in the United States, is allegedly tied to a US$8 million ($11.5 million) ransom demand largely through a Microsoft global device identifier (GDID), a court affidavit suggests.
The US Federal Bureau of Investigation (FBI) alleged in its complaint that "criminal referrals from Microsoft" were among the evidence presented for Stokes' alleged offending.
"Cyber security researchers at Microsoft, through the course of their job, have access to data, such as computer machine IDs, IP addresses, and malware samples associated with sophisticated cybergroups," the FBI said in its affidavit.
Stokes allegedly hid his device behind a virtual private network (VPN) server which he then used to open an account on the ngrok secure tunnelling service.
But doing so did not mask the unique GDID of the Windows installation he used.
Microsoft identified that GDID for investigators after a court order, based on ngrok's time-stamped access records.
Such GDIDs are typically used for diagnostic and crash reporting, feature-usage analysis, and detecting abuse patterns such as one machine repeatedly claiming free trials or licences.
Security teams also use this kind of device-level correlation defensively, since a login from an unfamiliar device paired with a known identifier, or the reverse, a familiar device suddenly signing into an unfamiliar account, is a useful signal for spotting compromised credentials.
Investigators then examined the GDID's wider IP address history, finding other addresses in Tallinn, New York and Thailand that matched login times on Stokes's Snapchat, Apple and Facebook accounts.
While Microsoft's GDID does the heaviest lifting in the FBI's case against Stokes, social network Snapchat's account access logs were also important.
Stokes had posted pictures on Snapchat of himself while travelling overseas and staying at luxury hotels, displaying a conspicuous amount of wealth.
Nearly every IP address match in the FBI's affidavit allegedly paired the GDID with a Snapchat login, within minutes of each other.
Apple's records also corroborated two such matches, one in New York and another in Thailand, while Facebook contributed a further overlap in Tallinn dating back to June 2024.
Stokes faces six counts of offending, and was arrested on April 10 by Finnish police while attempting to board a flight to Japan.
Four of the charges relate to the alleged US$8 million ransom demand against a luxury goods retailer.
Two further, broader charges allege conspiracy tied to his time in Scattered Spider, drawing on chat logs, a 2024 Microsoft referral and records recovered from a separate seized server.
His case is part of the FBI's Operation Riptide that aims to counter the loosely organised Scattered Spider hacking group linked to over 100 attacks involving large-scale data breaches and more than US$100 million in extortion.




