Windows Device ID Leads FBI to Alleged Scattered Spider Hacker

In a recent legal development, U.S. prosecutors have linked a suspected member of the cybercriminal group Scattered Spider to a significant data breach at a luxury jewelry retailer. This connection was established through a persistent Windows device identifier, as detailed in a newly unsealed federal complaint.

The breach, which occurred between May 12 and 15, 2025, involved attackers impersonating employees to manipulate the retailer’s IT help desk. By posing as staff members locked out of their accounts, they convinced help desk personnel to reset passwords and mobile devices associated with multifactor authentication. This social engineering tactic granted them control over three accounts, including two belonging to IT administrators.

Once inside the system, the attackers installed tunneling tools such as ngrok and Teleport, facilitating the exfiltration of at least 77 gigabytes of data to Amazon cloud storage. Although they attempted to deploy ransomware, the retailer’s security team successfully thwarted this effort. Nevertheless, the attackers demanded an $8 million ransom via email, which the company refused to pay. The incident resulted in approximately $2 million in costs related to disruption, investigation, and remediation.

Investigators traced the breach back to a specific device that created the ngrok account used in the attack. Microsoft provided information about a Global Device Identifier (g:6755467234350028), a persistent identifier tied to a single Windows installation. This identifier remains constant through operating system updates but changes upon reinstallation of Windows.

Records indicated that this device accessed the ngrok signup page at 19:21 UTC on May 12, 2025—the exact time the ngrok account was created—and connected to the retailer’s website through the same proxy approximately three hours later. Further analysis revealed that the device frequently appeared on the same IP addresses as online accounts attributed to 19-year-old Peter Stokes, a dual U.S.-Estonian citizen known online as “Bouquet.” These accounts included Snapchat, Apple, and Facebook profiles.

Stokes was extradited from Finland and made his initial court appearance in Chicago on June 30. He faces charges of conspiracy, computer intrusion, and fraud. It is important to note that he is presumed innocent until proven guilty.

This case underscores the critical importance of robust identity verification processes within IT support operations. The attackers exploited the help desk’s procedures rather than technical vulnerabilities, highlighting the need for stringent verification methods before resetting credentials. Implementing measures such as callbacks to pre-registered numbers, managerial approvals, or video verification for privileged accounts can significantly enhance security. Additionally, adopting phishing-resistant multifactor authentication methods, like FIDO2 keys, can mitigate similar social engineering attacks.

While the arrest of an individual linked to this breach is a positive development, it represents only a small step in addressing the broader threat posed by groups like Scattered Spider. Recent research suggests that Scattered Spider operates as a loose collective of small, independent groups, indicating that the apprehension of one member may not substantially diminish the overall risk. Organizations must remain vigilant and continuously adapt their security strategies to counteract evolving cyber threats.