Windows GDID Became the Clue a VPN Couldn’t Hide
People have complained about Windows telemetry for years. Enough, in fact, that a whole cottage industry of tools now exists to strip tracking bits out of the OS. The privacy concerns are real. But in this case, one of Windows’ most disliked features helped federal agents put a suspected hacker in a Chicago courtroom.
The key detail was a Windows fingerprint called a GDID, short for Global Device Identifier. Every Windows install gets one, and it quietly records device-specific telemetry. It is also tied to the kind of hardware-level identification that can revoke a Windows license after a major PC part swap.
Peter Stokes, a 19-year-old with both American and Estonian citizenship, allegedly tried to stay hidden by running his machine through a VPN. He then used that setup to create an account on ngrok, a tunneling service that masks where traffic is really coming from.
The VPN did not hide the GDID.
How Investigators Connected the Device to Stokes
Microsoft provided the identifier to investigators after a court order. Investigators then used ngrok’s timestamped logs to narrow things down.
From there, agents matched the device’s IP trail across Tallinn, New York, and Thailand to login times on Stokes’ Snapchat, Apple, and Facebook accounts. That pattern gave investigators a way to connect the machine’s activity to accounts tied to him.
His social media activity did not help his case either. Stokes had been posting Snapchat images of himself relaxing in fancy hotels, which added another visible trail while investigators were watching his movements.
The Scattered Spider Allegations
The charges against Stokes are tied to his alleged time with Scattered Spider, a hacking crew authorities have connected to more than 100 network breaches.
The group has been active enough that its members once floated the idea of retiring from ransomware, though researchers were skeptical and believed it may have been a feint. The Justice Department places the group’s ransom total at more than $100 million.
Stokes now faces six counts covering conspiracy, computer intrusion, and fraud after being extradited to the United States.
The Luxury Jewelry Seller Attack
The main accusation goes back to a May 2025 breach involving a luxury jewelry seller.
In that case, the crew allegedly called the company’s IT helpdesk using Google Voice while pretending to be employees. They convinced support staff to reset login details, which gave them access to three accounts.
Two of those accounts had admin privileges.
Once inside, the attackers allegedly stole data and demanded $8 million in cryptocurrency. The seller did not pay the ransom, but the cleanup and downtime still cost about $2 million.
Why the VPN and ngrok Setup Failed
The setup was meant to make the real origin of the activity harder to see.
A VPN can route traffic through another location, and ngrok can help mask where traffic is really coming from. But the Windows GDID remained visible enough to become the thread investigators pulled.
That identifier, paired with timestamped logs and account login activity, gave agents a way to connect the device trail back to Stokes across several locations.
The basic problem was simple: hiding the network path did not hide the machine.
The Airport Stop in Helsinki
Finnish police arrested Stokes on April 10 while he was trying to board a flight to Japan from Helsinki.
That stop appears to have sealed the case in a much more physical way. When police stopped him, he was carrying two hard drives full of evidence.
Investigators had already known his identity since 2024. But at the time, he was a minor moving between Estonia and the UAE, so authorities watched and waited.
Now, after his extradition to the United States, the charges are waiting for him in court.

