Windows Device Identifier Helped FBI Link Alleged Scattered Spider Hacker to Retail Breach
U.S. prosecutors say a persistent Windows device identifier helped investigators connect an alleged Scattered Spider member to a 2025 intrusion at a luxury jewelry retailer, according to a federal com...
U.S. prosecutors say a persistent Windows device identifier helped investigators connect an alleged Scattered Spider member to a 2025 intrusion at a luxury jewelry retailer, according to a federal complaint that was recently unsealed.
The case centers on 19-year-old Peter Stokes, a dual U.S.-Estonian citizen known online as “Bouquet,” who was extradited from Finland and appeared in court in Chicago on June 30. He faces charges including conspiracy, computer intrusion, and fraud. Prosecutors say he remains presumed innocent.
How the retailer was breached
According to the complaint, attackers called the retailer’s IT help desk between May 12 and May 15, 2025, using Google Voice numbers and posing as employees who had lost access to their accounts. By convincing staff to reset passwords and mobile devices tied to multifactor authentication, they gained control of three accounts, including two belonging to IT administrators.
Once inside, the attackers allegedly deployed ngrok and a second tunneling tool, Teleport, to move through the network and exfiltrate at least 77 gigabytes of data to Amazon cloud storage. Prosecutors say they also attempted to deploy ransomware, but the company’s security team stopped that effort and removed them from the network. The retailer later received a ransom demand for $8 million in cryptocurrency but did not pay.
The company has estimated its losses from disruption, response, and cleanup at roughly $2 million. Investigators say the intrusion highlights a common weakness: social engineering of support staff rather than exploitation of a software bug.
How investigators traced the device
Microsoft records reportedly tied the attack to a Global Device Identifier associated with one Windows installation. The complaint says that identifier was linked to the ngrok account creation and later appeared in activity connected to online accounts prosecutors attribute to Stokes. Investigators also matched IP addresses and travel records to locations including Tallinn, New York, and Thailand.
- The device visited the ngrok signup page at the same time the account was created.
- It later connected to the retailer’s website through the same proxy.
- Associated social media and messaging accounts were tied to the same locations and time periods.
Researchers and prosecutors continue to debate whether Scattered Spider should be viewed as one organization or a loose network of small cells. Either way, the complaint adds to a growing list of arrests tied to the group’s shared playbook of phishing, help desk abuse, and identity-based intrusion.
