Persistent Device ID Leads FBI to Alleged Scattered Spider Hacker
A persistent Windows device ID, coupled with meticulous digital forensics, has led U.S. prosecutors to link an alleged member of the **Scattered Spider** hacking group to a high-profile intrusion at a luxury jewelry retailer. This unsealed federal complaint highlights the enduring digital footprints left by even sophisticated attackers.

U.S. prosecutors have traced a **Windows** device ID directly to online accounts allegedly belonging to 19-year-old **Peter Stokes**, a dual U.S.-Estonian citizen known online as "**Bouquet**." **Stokes** was recently extradited from Finland and now faces charges of conspiracy, computer intrusion, and fraud, though he is presumed innocent pending trial.
### The Anatomy of the Retailer Breach
The May 2025 intrusion began with **Scattered Spider** operatives contacting the luxury retailer's IT help desk from **Google Voice** numbers. Posing as locked-out employees, they socially engineered staff into resetting employee passwords and multi-factor authentication (MFA) devices.
Within hours, the attackers gained control of three accounts, including two belonging to IT administrators. They deployed tunneling tools like **ngrok** and **Teleport**, exfiltrating at least 77 gigabytes of data to **Amazon** cloud storage. While they attempted to deploy ransomware, the retailer's security team successfully blocked the payload and evicted them from the network.
Despite the eviction, the attackers sent a ransom demand for $8 million in cryptocurrency. The company did not pay, but the incident still incurred an estimated $2 million in disruption, investigation, and cleanup costs.
### The Fatal Digital Footprint
Investigators leveraged a crucial piece of evidence: a **Global Device Identifier (GDI)**. **Microsoft** informed the FBI that the device used to open the **ngrok** account carried GDI g:6755467234350028. This identifier is described by **Microsoft** as a persistent ID tied to a single **Windows** installation, surviving OS updates but changing upon reinstallation.

**Microsoft** records show this device visited the **ngrok** signup page at the precise minute the account was created, later accessing the retailer's website through the same proxy. Further investigation linked the device's IP addresses and activity patterns to **Stokes'** personal **Snapchat**, **Apple**, and **Facebook** accounts.
These links correlated with his travel records provided by the State Department, placing him in Tallinn, Estonia, New York, and Thailand at relevant times. Prosecutors allege **Stokes' Snapchat** flaunted luxury items and even taunted authorities, posting photos of an Estonian police station.

### Addressing the Help Desk Vulnerability
This incident underscores that the weakest link was not a software flaw, but a process vulnerability within the help desk. Effective mitigation requires robust identity verification for any password or MFA reset requests, such as callbacks to pre-registered numbers, manager approvals, or video verification for privileged accounts. While phishing-resistant MFA like **FIDO2** keys can thwart some attack vectors, they are ineffective if social engineering can bypass the initial authentication layers.
### The Enduring Threat of Scattered Spider
While the arrest of **Stokes** marks a significant win for law enforcement, the broader threat posed by **Scattered Spider** remains potent. Research by **Group-IB** suggests **Scattered Spider** is not a monolithic group but a decentralized collective of small, independent cells. These cells share tactics, tools, and communication channels rather than operating under a central command structure, making it resilient to individual arrests.
This diffuse structure explains why previous prosecutions of alleged **Scattered Spider** members, such as **Tyler Buchanan** (guilty of fraud and identity theft) and **Noah Urban** (sentenced to 10 years for a SIM-swapping scheme), have not significantly curtailed the group's overall activity.
When **Stokes** was apprehended at Helsinki airport, authorities seized two 2-terabyte hard drives. In a network as decentralized as **Scattered Spider**, the intelligence gleaned from such seized devices β including tools, infrastructure details, and contacts β could prove more impactful than a single conviction in disrupting future operations.