Windows telemetry cited in case tied to alleged Scattered Spider member

A US Justice Department complaint against Peter Stokes, who is accused of involvement with the Scattered Spider cybercrime group, highlights how operating-system and service telemetry can help investi...

A US Justice Department complaint against Peter Stokes, who is accused of involvement with the Scattered Spider cybercrime group, highlights how operating-system and service telemetry can help investigators connect online activity to a person.

According to the filing, federal investigators and Microsoft records were used alongside data from networking services to tie Stokes to accounts and infrastructure associated with the group. Authorities say Scattered Spider compromised employee credentials at numerous US companies, gained access to more than 100 corporate networks, and stole or encrypted data in extortion schemes that brought in substantial ransom payments.

The affidavit says Microsoft provided information tied to a Windows Global Device Identifier, or GDID, a persistent device-level identifier used across some Microsoft services. Investigators say records showed a Windows device with that identifier accessing ngrok, a tunneling service used to create secure pathways around network controls, at the same time an ngrok account was created. The same device was also said to have reached servers associated with the VPN provider Tzulo.

Authorities then matched those service records with IP address information and say the identifier was later connected to an address in Estonia, where Stokes reportedly lived.

What the filing says about the tools involved

  • ngrok was allegedly used to maintain access to compromised systems while avoiding normal network restrictions.
  • Tzulo VPN records were cited as additional telemetry in the investigation.
  • Microsoft is said to have made criminal referrals and supplied records that helped associate the activity with Stokes.

The complaint also references social media content that investigators believe is relevant to Scattered Spider communications. Those details, if substantiated in court, could strengthen the government’s case.

The filing adds to a broader reminder that modern devices and cloud services leave behind durable traces. Microsoft’s GDID is not widely discussed in public documentation, but similar device or account identifiers exist across major platforms. Apple uses hardware and account-linked IDs, while Linux systems commonly rely on a machine ID. In practice, investigators can often combine such records with provider logs when legal process compels disclosure.