One of Windows' most hated features just helped catch a 19-year-old hacker

zohaibahd

Posts: 978   +19
Staff
The big picture: People have grumbled about Windows telemetry for years, to the point that an entire cottage industry of tools that clean up the OS now exists just to strip the tracking bits out. While there are privacy concerns with the feature, in this particular case, it led to federal agents dropping a hacker into a Chicago courtroom.

That hacker is Peter Stokes, a 19-year-old who holds both American and Estonian citizenship. Finnish police grabbed him on April 10 as he tried to board a flight to Japan out of Helsinki. He was recently extradited to the United States, where six counts covering conspiracy, computer intrusion, and fraud were waiting for him.

Those counts come out of his alleged time with Scattered Spider, a crew the authorities connect to a string of network breaches now past the 100 mark. The group has been so active that its members once floated the idea of retiring from ransomware, though researchers doubted it was anything more than a feint. The Justice Department puts the group's ransom total somewhere north of $100 million.

The main accusation traces back to a May 2025 hit on a luxury jewelry seller. In that case, the crew allegedly called the company's IT helpdesk over Google Voice while posing as employees, then talked support into resetting login details. That handed them three accounts, two of which carried admin privileges. From there, it was simple enough to swipe data and demand $8 million in crypto. The seller never paid, though the cleanup and downtime still cost it roughly $2 million.

The thread that unraveled him was a Windows fingerprint called a GDID, or Global Device Identifier. Every Windows install gets one, and it quietly records device-specific telemetry. It's the same thing that can revoke your license when you swap a major part in your PC. Stokes tried to stay hidden by routing his machine through a VPN, which he then used to open an account on ngrok, a tunneling service that masks where traffic really comes from. None of that hid his GDID.

Microsoft handed that identifier to investigators after a court order, leaning on ngrok's timestamped logs to pin it down. From there, agents matched the device's IP trail across Tallinn, New York, and Thailand to login times on his Snapchat, Apple, and Facebook accounts. It also didn't help that Stokes kept posting Snapchat shots of himself lounging in fancy hotels.

The airport stop sealed it – especially since he was carrying two hard drives full of evidence when police stopped him. The thing is, his identity had actually been known since 2024. But since he was a minor drifting between Estonia and the UAE back then, investigators simply watched and waited. Now they have him.

Permalink to story:

 
This is the kind of privacy violation I'm ok with: it took multiple court approved search warrants, and serious allocation of investigation effort, to go after a high impact criminal. This is the kind of reasonable trade off that should exist in our legal system: a measured way to pursue the few who deserve it, that does not turn into full collection & storage of all citizens always.

Anyway, what I really wanted to post about was congratulating the jewelry seller for not paying the ransom and for fighting back by involving the FBI. If more responsible organizations did this, there'd be a lot less revenue funding these ransomware groups, and a lot more opportunities to catch them.
 
No matter how smart or how much of a genius criminals are, they will always leave behind a vulnerable or a weak point to be found, sometimes there's more than one. Once authorities are able to figure that out, they can exploit it. In this case, this hackers weak point was Windows. Even if he used some form of Linux, I'm sure there were other trial points he left behind for authorities to sniff out, whether or not they are able to find them will determine if these guys get away with it. It really is impossible to cover every trail you leave behind though.
 
No matter how smart or how much of a genius criminals are, they will always leave behind a vulnerable or a weak point to be found, sometimes there's more than one. Once authorities are able to figure that out, they can exploit it. In this case, this hackers weak point was Windows. Even if he used some form of Linux, I'm sure there were other trial points he left behind for authorities to sniff out, whether or not they are able to find them will determine if these guys get away with it. It really is impossible to cover every trail you leave behind though.
The vast majority of of these people are completely anonymous, security organisations cheer when they catch one whilst hundreds slip by.
 
Back