Windows GDID Helps Identify Scattered Spider Suspect
The FBI used Windows' GDID (Global Device Identifier) to identify a suspect from the Scattered Spider group, spotlighting the role of OS telemetry data in criminal investigations.
The U.S. Department of Justice has indicted Peter Stokes, a suspect from the Scattered Spider hacking group, with the FBI revealing that Microsoft Windows’ Global Device Identifier (GDID) played a critical role as key evidence in the investigation. According to a report by The Register, the group allegedly infiltrated over 100 corporate networks across the U.S. and demanded ransoms exceeding $100 million. The arrest and extradition of Stokes were significantly aided by telemetry records, including the Windows GDID.
How GDID Works and Its History
In a sworn affidavit by FBI Special Agent Ali Sadiq, Microsoft explained that “GDID is a persistent, device-level identifier within the Windows ecosystem, designed to uniquely identify an installation of the Windows OS on either physical devices (like mobile phones or laptops) or virtual machines across specific Microsoft services and scenarios.”
The roots of GDID can be traced back to the release of Windows 10 in 2015, although public documentation started explicitly mentioning GDID only from 2021 onwards. This identifier is believed to be used not only for tracking crash dumps and updates but also for identifying devices across Microsoft’s online services.
GDID can persist even after hardware changes or OS reinstalls. Once linked to a specific Windows installation, it continues to transmit the same identifier unless the user explicitly modifies the settings. While this system is intended to enhance user experience and bolster security measures, it has also raised concerns about the potential for long-term traceability from a privacy perspective.
Details of the Case and Evidence Trail
Court documents reveal that members of Scattered Spider employed tools like the web tunneling service ngrok and the VPN provider Tzulo to bypass network barriers. Investigators first obtained IP address records from ngrok and the VPN provider, then issued a query to Microsoft. This inquiry led to the discovery that, at the time the ngrok account was created, a Windows device with a specific GDID had accessed the ngrok signup page.
The affidavit explains: “According to Microsoft’s records, at 19:21 UTC on May 12, 2025, a device bearing that GDID accessed ‘https://dashboard.ngrok.com/signup,’ which corresponds to the time when the account was created according to ngrok’s logs.” Furthermore, Microsoft’s GDID records showed that the same Windows device also accessed the Tzulo server assigned to the IP address identified by ngrok.
Ultimately, this GDID was linked to an IP address associated with Stokes’ residence in Estonia. By October 2024, Microsoft security researchers had already submitted a criminal complaint to the Department of Justice, citing online service telemetry that connected Stokes to other members of the group.
The Pros and Cons of Telemetry Monitoring
This case underscores the effectiveness of OS-level telemetry in criminal investigations while simultaneously reigniting privacy concerns. Although Microsoft designed GDID for specific purposes such as service improvement and security, it has the potential to function as a tool for long-term tracking of users’ online activities. What’s particularly noteworthy is that even attempts to anonymize activities using VPNs or tunneling tools can be circumvented through native OS device identifiers.
Microsoft officially states that GDID is used to “enhance specific services and for security purposes.” However, the criteria for sharing data with law enforcement have not been fully disclosed. The revelations from this court case highlight the need for Microsoft to adopt more transparent data management policies.
Impact on the Industry and Future Outlook
Scattered Spider, which has been increasingly active since 2023, is notorious for ransomware attacks targeting major corporations such as MGM Resorts and Caesars Entertainment. This indictment demonstrates how collaboration between law enforcement agencies and platform providers can strengthen efforts to combat cybercrime.
However, privacy advocacy groups are likely to amplify their calls for stricter regulations on telemetry data collected by OS vendors. Existing frameworks like the European Union’s GDPR and U.S. state-level privacy laws require explicit consent for collecting and sharing personally identifiable information. Whether device-level identifiers like GDID fall under the definition of “personal data” remains a question for courts to decide.
Security researchers have also raised concerns about the potential misuse of GDID. If attackers gain access to GDID, they could theoretically track the activities of specific Windows devices over extended periods. While Microsoft has not disclosed the specifics of how GDIDs are generated or stored, the lack of transparency itself is seen by some as a security risk.
Editorial Opinion
In the short term, this case is likely to increase pressure on OS vendors, including Microsoft, to enhance transparency regarding telemetry data practices. A key focus will be whether European regulators classify GDID as personal data under GDPR. The revelation of cooperation between the Department of Justice and Microsoft is also expected to spark broader discussions about the relationship between tech companies and law enforcement.
From a long-term perspective, there is an undeniable risk that OS-level device identifiers could become entrenched as tools for “perpetual surveillance.” If user anonymity efforts, such as using VPNs or Tor, can be undermined by OS telemetry, these privacy measures may lose their effectiveness. Balancing the evolution of privacy technologies with the legitimate needs of law enforcement will be a critical issue over the next one to three years.
The editorial team believes it is crucial to scrutinize how much control users have over OS telemetry functions and whether legal safeguards are sufficient. The purposes, retention periods, and conditions for third-party sharing of GDID data should be clearly disclosed. Without such frameworks, concerns about a surveillance society will only intensify.
References
- The Register: “Windows is watching: Anti-piracy tool fingers Scattered Spider suspect” — Published on July 7, 2026
Frequently Asked Questions
- What is Windows GDID?
- GDID is a persistent, device-level identifier embedded in the Windows OS that uniquely identifies a specific Windows installation. It is used by Microsoft to track devices across its services for purposes like improving security and crash analysis.
- Can users disable GDID?
- Currently, there is no official setting to completely disable GDID. However, users can indirectly limit its impact by adjusting privacy settings or using offline accounts.
- How was GDID used in this case to aid criminal investigations?
- The FBI matched IP address logs from ngrok and Tzulo VPN with time-stamped GDID access logs provided by Microsoft, identifying the Windows device used by Stokes. This allowed authorities to trace his activities despite his use of anonymity tools.
Comments