🔒 A 19-year-old cybercriminal was caught despite using a VPN across multiple countries - because Windows has a tracking number built into every install that a VPN can't hide.
Peter Stokes, arrested in Finland in April and extradited to the US last week, is tied to Scattered Spider, the hacking group behind the 2023 MGM and Caesars casino breaches. The group is linked to 100+ intrusions and over $100 million in extortion.
The FBI didn't crack his VPN. Microsoft handed over his Global Device ID (GDID), a unique identifier baked into every Windows installation at setup. It doesn't change when you update, switch networks, or use a VPN. The only way to reset it is a full OS reinstall.
Investigators matched Stokes's GDID across IP addresses in Estonia, New York, and Thailand, correlating with login times on his Snapchat, Apple, and Facebook accounts. The same device that breached a luxury jewelry retailer and demanded $8 million in ransom also logged into Snapchat and a video game from his real network.
So while VPNs mask your IP address, they were never designed to hide device-level identifiers embedded in your operating system. The tracking can live one layer deeper than the one most people defend.
Read more:
https://www.itnews.com.au/news/microsoft-device-telemetry-key-to-unmasking-alleged-scattered-spider-hacker-627148
https://www.databreachtoday.com/scattered-spider-suspect-extradited-from-finland-to-us-a-32140