The big picture: People have grumbled about Windows telemetry for years, to the point that an entire cottage industry of tools that clean up the OS now exists just to strip the tracking bits out. While there are privacy concerns with the feature, in this particular case, it led to federal agents dropping a hacker into a Chicago courtroom.
That hacker is Peter Stokes, a 19-year-old who holds both American and Estonian citizenship. Finnish police grabbed him on April 10 as he tried to board a flight to Japan out of Helsinki. He was recently extradited to the United States, where six counts covering conspiracy, computer intrusion, and fraud were waiting for him.
Those counts come out of his alleged time with Scattered Spider, a crew the authorities connect to a string of network breaches now past the 100 mark. The group has been so active that its members once floated the idea of retiring from ransomware, though researchers doubted it was anything more than a feint. The Justice Department puts the group's ransom total somewhere north of $100 million.
– vx-underground (@vxunderground) July 4, 2026
The main accusation traces back to a May 2025 hit on a luxury jewelry seller. In that case, the crew allegedly called the company's IT helpdesk over Google Voice while posing as employees, then talked support into resetting login details. That handed them three accounts, two of which carried admin privileges. From there, it was simple enough to swipe data and demand $8 million in crypto. The seller never paid, though the cleanup and downtime still cost it roughly $2 million.
The thread that unraveled him was a Windows fingerprint called a GDID, or Global Device Identifier. Every Windows install gets one, and it quietly records device-specific telemetry. It's the same thing that can revoke your license when you swap a major part in your PC. Stokes tried to stay hidden by routing his machine through a VPN, which he then used to open an account on ngrok, a tunneling service that masks where traffic really comes from. None of that hid his GDID.
Microsoft handed that identifier to investigators after a court order, leaning on ngrok's timestamped logs to pin it down. From there, agents matched the device's IP trail across Tallinn, New York, and Thailand to login times on his Snapchat, Apple, and Facebook accounts. It also didn't help that Stokes kept posting Snapchat shots of himself lounging in fancy hotels.
The airport stop sealed it – especially since he was carrying two hard drives full of evidence when police stopped him. The thing is, his identity had actually been known since 2024. But since he was a minor drifting between Estonia and the UAE back then, investigators simply watched and waited. Now they have him.