"IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic]," prosecutors say the attackers wrote in a ransom email after the intrusion.
How the help‑desk ploy opened the retailer's network
Between May 12 and 15, 2025, prosecutors say the intrusion began not with a software flaw but with a phone call. Attackers used Google Voice numbers, posed as locked‑out employees, and persuaded help‑desk staff to reset employee passwords and the mobile devices tied to multifactor authentication. Within hours they controlled three accounts, including two IT administrator accounts, installed ngrok and a second tunneling tool called Teleport, moved data to Amazon cloud storage, and exfiltrated at least 77 gigabytes.
The intruders appear to have tried to deploy ransomware, but the retailer's security team blocked that effort and evicted them from the network. The attackers nevertheless sent a ransom demand and later sought $8 million in cryptocurrency; the company did not pay. The breach still cost the retailer about $2 million in disruption, investigation, and cleanup, according to the complaint.
The practical fixes in the complaint are procedural: verify identity before any reset via a callback to a number already on file, require manager sign‑offs for privileged accounts, or use video checks. The filing also notes that phishing‑resistant MFA such as FIDO2 keys can blunt many of the group's techniques — but only if help desks refuse to override authentication on a simple phone call.
The device identifier that tied an operator to the attack
Investigators traced the operation back to the machine that created the ngrok account. Microsoft records provided to the FBI identify the device by a Global Device Identifier: g:6755467234350028. Microsoft described that identifier in the complaint as a persistent value tied to a single Windows installation — one that survives operating‑system updates but changes when Windows is reinstalled.
According to those records, the device visited the ngrok signup page at 19:21 UTC on May 12, 2025 — the same minute the ngrok account was created — and reached the retailer's website through the same proxy roughly three hours later. Prosecutors say that chain of records linked the machine that opened the tunneling account to online accounts they attribute to an individual.
IP trails, social posts and seized drives that completed the chain
Microsoft's device identifier kept surfacing on the same IP addresses and at the same times as Snapchat, Apple, and Facebook accounts prosecutors attribute to 19‑year‑old Peter Stokes, a dual U.S.‑Estonian citizen known online as "Bouquet." The complaint shows the device appearing on an IP address in Tallinn, Estonia, in June 2024; in New York in November 2024; and in Thailand in February 2025 — patterns prosecutors say were matched by State Department travel records.
Prosecutors also describe social media posts they say came from the Snapchat account: images flaunting cash, watches and diamond chains emblazoned "HACK THE PLANET," travel photos placing the operator in the cities tied to the IP trail, and even pictures of an Estonian police station accompanied by taunts about law‑enforcement awareness. When Finnish police stopped the accused at Helsinki airport as he tried to board a flight to Japan, they seized two 2‑terabyte hard drives. The complaint says the case was assembled from device records, account links, IP trails and the material seized from the arrest.
Scattered Spider's loose structure and the limits of a single arrest
Prosecutors describe Scattered Spider as a group responsible for more than 100 intrusions and over $100 million in ransoms. But outside research cited in the filing draws a different picture: Group‑IB characterizes Scattered Spider as a loose collective of small, independent cells — most no bigger than five people — tied together by shared tricks, tools and chat rooms rather than a single boss. Group‑IB compares the pattern to the Anonymous movement and warns that arresting some cells "will not stop the threat itself."
The complaint places the Stokes case in a wider run of prosecutions that follow the same shape: individuals arrested one at a time while the shared playbook remains available. Recent examples noted in the filing include Scottish national Tyler Buchanan, who pleaded guilty in April 2026 to fraud and identity theft tied to the group; Noah Urban, known as "Sosa," who in 2025 was sentenced to 10 years for a SIM‑swapping scheme linked to the group; and two alleged members in the U.K. who recently admitted to a Transport for London hack estimated to have cost about £29 million.
What this means for technologists, affected enterprises, and law enforcement
- Technologists and security teams: The complaint underscores that device telemetry can provide a persistent linkage even when operators use VPNs and tunneling tools. The Microsoft Global Device Identifier and correlated IP timelines were central to investigators' chain.
- Affected enterprises and procurement leaders: The financial impact — an $8 million ransom demand, a decision not to pay, and roughly $2 million in direct costs — highlights that the most immediate remediation is process hardening at help desks: require callbacks to numbers on file, manager approval for sensitive resets, or video verification for privileged accounts.
- Law enforcement and investigators: The seizure of two 2‑terabyte drives at arrest, coupled with device records and account links, demonstrates the operational value of physical evidence; the complaint also signals that single arrests can build cases but may not dismantle a distributed collective of small cells.
The newly unsealed complaint shows how a single persistent Windows identifier — g:6755467234350028 — and a trove of digital and physical evidence can tie an operator to a high‑profile intrusion. But the filing and outside analysis together leave a clear tension: technical traces can identify individuals, yet the loose, cell‑based structure prosecutors and researchers describe suggests arrests may be one tool among many needed to blunt a resilient, decentralized threat.




