Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Telemetry Fingers Scattered Spider Suspect in US Crackdown

Law enforcement setting with blurred computer screen in foreground.

The Scattered Spider group is said to have obtained over $100 million in ransom payments, according to the court filing that helped put a suspect behind bars.

Scattered Spider's scale and alleged campaign

U.S. authorities describe Scattered Spider as a prolific criminal group that “targeted numerous companies in the US” by compromising employee accounts to access corporate networks. The Justice Department's complaint says the group accessed more than 100 corporate networks and exfiltrated or encrypted data that was then ransomed for payment; the complaint and related filings allege the group obtained in excess of $100 million in ransom payments.

Microsoft telemetry and the Global Device Identifier (GDID)

Microsoft records played a direct role in the complaint, arrest, and extradition of a suspect named in the filing, Peter Stokes. As FBI special agent Ali Sadiq put it in an affidavit accompanying the criminal complaint, "According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios."

The court filing notes that Microsoft made criminal referrals to the Department of Justice and that one such referral, dated October 2024, cited online service telemetry that company security researchers believed linked Stokes to other members of the group.

How investigators tied ngrok and Tzulo activity to a GDID and an Estonia IP

The affidavit describes a chain of logs and provider cooperation that connected online service use to a Windows installation. Members of Scattered Spider, the filing says, used a web tunneling tool called ngrok to bypass network barriers and a VPN service called Tzulo to maintain access to compromised servers. Investigators obtained IP-address records from ngrok and from the VPN provider, and then sought records from Microsoft that could be matched to those events.

In the words of the affidavit, "According to Microsoft records, on or about May 12, 2025, at 19:21 UTC – when, according to ngrok records, the ngrok account was created – the device with the GDID accessed, among other ngrok pages, 'https://dashboard.ngrok.com/signup,' the ngrok page to set up an ngrok account." Microsoft records, the filing says, also showed that the same Windows device accessed Tzulo servers assigned to the IP address identified by ngrok, and that the GDID was subsequently linked to an IP address in Estonia where Stokes resided.

The complaint, arrest, and extradition of Stokes relied in part on the GDID and other Microsoft telemetry records; the affidavit also notes that social media posts allegedly sent and received by Stokes are "unlikely to help his defense" in light of the other evidence described.

Windows internals: how the identifier moves inside the OS

The underlying mechanism for the GDID is described in developer documentation and a GitHub writeup cited in the filing. According to that developer description, the Microsoft Account service (wlidsvc) provisions a device via login.live.com and receives back a device PUID, which is then stored in the Windows registry. The Connected Devices Platform (the cdp.dll / CDPSvc) reads that value and registers it into the Device Directory Service (DDS) graph, and Delivery Optimization reports it as the documented UCDOStatus.GlobalDeviceId. The filing also notes that the broader infrastructure for the identifier dates to the release of Windows 10 in 2015, while public references to the identifier appear more frequently from about 2021 onward.

The filing situates the GDID alongside platform identifiers maintained by other operating systems: Apple maintains a hardware UUID and a DSID tied to iCloud, and Linux supports a machine-id.

What this means for technologists, affected enterprises, and the general public

  • Technologists and security teams: Device-level telemetry such as a GDID can become an evidentiary link when combined with logs from tunneling services and VPN providers; engineers will watch how those correlations are documented in legal filings and how providers respond to lawful demands.
  • Affected enterprises and procurement leaders: The complaint underscores that attackers frequently use tooling such as ngrok and VPNs to maintain footholds; procurement and incident-response planning may treat the interaction of cloud, tunneling, and OS-level identifiers as part of post-compromise investigations.
  • End users and the public: Platform-level identifiers exist across major operating systems, and the filing notes that "when presented with a lawful demand for information, most service providers will cooperate and provide whatever information they store."

The record in the complaint ties a technical chain—ngrok signup activity, VPN server assignments, Microsoft GDID records, and an Estonia IP address—to an individual defendant and shows that vendor referrals and platform telemetry were central elements of the case. The filings make plain that device-level identifiers, long part of OS telemetry, can play a decisive role when law enforcement and providers align logs and records.

Source: The Register — "Windows is watching: Anti-piracy tool fingers Scattered Spider suspect"