Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker

July 12, 2026

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants

July 12, 2026

What Changes When Your Software Supply Chain Includes AI Writing Your Code?

July 12, 2026
Facebook X (Twitter) Instagram
Sunday, July 12
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker
News

Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker

Team-CWDBy Team-CWDJuly 12, 2026No Comments5 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


U.S. prosecutors linked an alleged Scattered Spider hacker to a break-in at a luxury jewelry retailer using a persistent Windows device ID, according to a newly unsealed federal complaint.

Microsoft records tied that ID first to the account the attackers used to keep access during the May 2025 intrusion, then to online accounts prosecutors say belong to 19-year-old Peter Stokes.

Stokes is charged with conspiracy, computer intrusion, and fraud. A dual U.S.-Estonian citizen known online as “Bouquet,” he was extradited from Finland and made his first court appearance in Chicago on June 30, as THN reported. He is presumed innocent pending trial.

How the break-in worked

Between May 12 and 15, 2025, attackers phoned the retailer’s IT help desk from Google Voice numbers, posed as locked-out employees, and got staff to reset employees’ passwords and the mobile devices tied to their multifactor authentication.

Within a few hours, they controlled three accounts, two belonging to IT administrators. They installed ngrok and a second tunneling tool called Teleport, moved data to Amazon cloud storage, and pulled out at least 77 gigabytes.

They appear to have tried to deploy ransomware, but the retailer’s security team blocked it and evicted them from the network. The attackers still sent a ransom email, subject line “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic],” and later asked for $8 million in cryptocurrency. The company did not pay. The breach still cost it about $2 million in disruption, investigation, and cleanup.

The way in was the help desk, not a software flaw. The fix is a process, not patching: verify identity before any reset with a callback to a number already on file, manager sign-off, or video checks for privileged accounts. Phishing-resistant MFA like FIDO2 keys blunts the group’s other methods, but does nothing if a help desk will reset an account on a phone call.

The ID that led investigators to Stokes

Investigators worked back to Stokes from the device that opened the ngrok account. Microsoft told the FBI it carried Global Device Identifier g:6755467234350028, which Microsoft describes as a persistent identifier tied to a single Windows installation, one that survives operating-system updates but changes when Windows is reinstalled.

Microsoft records show that the device visited the ngrok signup page at 19:21 UTC on May 12, 2025, the same minute the ngrok account was created, and reached the retailer’s website through the same proxy about three hours later.

The device also kept surfacing on the same IP addresses, at the same times, as Snapchat, Apple, and Facebook accounts prosecutors attribute to Stokes: an address in his home city of Tallinn, Estonia, in June 2024, then New York in November and Thailand in February 2025, matched by State Department travel records.

The complaint shows an operator who hid the attack, behind a VPN proxy, tunneling tools, and aliases, but not himself. Prosecutors say his Snapchat flaunted cash, watches, and diamond chains reading “HACK THE PLANET,” along with the very trips that placed him in those cities. He even posted photos of an Estonian police station and taunted that the feds had no idea what they had let get away.

One arrest, and why it may not slow the threat

Investigators can now tie a single operator to the machine that set up an attack. But one arrest barely touches the wider threat.

In separate, recent research, Group-IB argues Scattered Spider is not really one group at all. It is a loose collective of small, independent cells, most no bigger than five people, tied together by shared tricks, tools, and chat rooms rather than a shared boss. Group-IB compares it to the Anonymous movement and says arresting some of these cells “will not stop the threat itself.”

Prosecutors describe Scattered Spider as one group behind more than 100 intrusions and over $100 million in ransoms. Group-IB says the label fits a scene better than a gang, and argues that loose structure is why the activity survives each arrest.

Part of a longer run of cases

Other recent Scattered Spider prosecutions follow the same shape: individuals arrested one at a time, the shared playbook intact. In April 2026, Scottish national Tyler Buchanan pleaded guilty in the U.S. to fraud and identity theft tied to the group.

In 2025, Noah Urban, known as “Sosa,” was sentenced to 10 years over a SIM-swapping scheme linked to Scattered Spider. And in the U.K., two alleged members recently admitted to the Transport for London hack, which cost an estimated £29 million.

When Finnish police stopped Stokes at Helsinki airport as he tried to board a flight to Japan, they seized two 2-terabyte hard drives. This whole case was built from that kind of material: device records, account links, and IP trails. In a network this diffuse, the drives could matter more than the conviction, if they hold the tools, infrastructure, or contacts that reach the next member.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleWriter AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants
Team-CWD
  • Website

Related Posts

News

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants

July 12, 2026
News

What Changes When Your Software Supply Chain Includes AI Writing Your Code?

July 12, 2026
News

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities

July 12, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

What is it, and how do I get it off my device?

September 11, 2025

Mobile app permissions (still) matter more than you may think

February 27, 2026

How it preys on personal data – and how to stay safe

October 23, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.