Windows 11 Identifier Code Used to Arrest 19-Year-Old Over Alleged Ransomware Spree (tomshardware.com) 69
America's Justice Department and FBI teamed joined Finland's National Bureau of Investigation to arrest a teenager they say is part of one of the world's biggest cybercrime syndicates, reports Tom's Hardware. The "Scattered Spider" syndicate has extorted over $100 million in ransom payments, according to Department of Justice figures:
19-year-old Peter Stokes is a dual U.S.-Estonian citizen who was trying to board a flight to Japan from Helsinki, when law enforcement caught up with him. [T]he main criminal complaint against Stokes stems from a May 2025 attack on a luxury jewelry dealer based in the United States. The attackers apparently called the company's IT helpdesk using Google Voice, posing as employees. They were able to convince the help desk into resetting their credentials, which allowed them to infiltrate three accounts, two of which had admin privileges. From there, the group, allegedly including Stokes, stole important data and held the jeweler at ransom, demanding an $8 million payment in crypto. The company ultimately regained access to their infrastructure and avoided paying the ransom, but the operational disruption still caused a purported $2 million in losses. This served as the spark that led to Stokes' eventual arrest in Helsinki, as the prosecutors slowly followed the paper and digital trail laid by the attackers.
Microsoft played a key role in the process by providing GDID [Global Device Identifier] data to the FBI to help them apprehend the alleged criminal... [I]t's a unique identifier assigned to every Windows install that tracks device-specific telemetry. It's the reason why sometimes changing a major component in your PC can revoke your Windows license... [T]he court documents from the case reveal that Stokes used Windows, from which investigators were able to link his physical hardware to specific internet activity and locations... Stokes' web activity, videogame history, IP addresses, tool usage (including Ngrok), Azure status, and more were logged with timestamps, and were provided to the investigators by Microsoft...
Stokes was carrying two hard drives full of incriminating evidence with him when boarding his flight to Japan... His real identity has actually been known since 2024, but since he was a minor living across Estonia and the UAE at the time, he could only be monitored until the time was right.
The official criminal complaint even includes a selfie photo that Stokes posted on Snapchat (hiding his face behind dozens of hundred dollar bills). It then notes that behind Stokes the wallpaper, carpet, and furniture match New York's Empire Hotel — and that Stokes had visited the hotel's web site in Germany before then flying to New York...
"Following the arrest, Stokes was extradited to the U.S., where he appeared in front of a federal court in Chicago for the first time on June 30, 2026, and he remains in custody," adds Tom's Hardware.
"The accused is now awaiting trial, having been charged with conspiracy, cyber intrusion, and fraud..."
Microsoft played a key role in the process by providing GDID [Global Device Identifier] data to the FBI to help them apprehend the alleged criminal... [I]t's a unique identifier assigned to every Windows install that tracks device-specific telemetry. It's the reason why sometimes changing a major component in your PC can revoke your Windows license... [T]he court documents from the case reveal that Stokes used Windows, from which investigators were able to link his physical hardware to specific internet activity and locations... Stokes' web activity, videogame history, IP addresses, tool usage (including Ngrok), Azure status, and more were logged with timestamps, and were provided to the investigators by Microsoft...
Stokes was carrying two hard drives full of incriminating evidence with him when boarding his flight to Japan... His real identity has actually been known since 2024, but since he was a minor living across Estonia and the UAE at the time, he could only be monitored until the time was right.
The official criminal complaint even includes a selfie photo that Stokes posted on Snapchat (hiding his face behind dozens of hundred dollar bills). It then notes that behind Stokes the wallpaper, carpet, and furniture match New York's Empire Hotel — and that Stokes had visited the hotel's web site in Germany before then flying to New York...
"Following the arrest, Stokes was extradited to the U.S., where he appeared in front of a federal court in Chicago for the first time on June 30, 2026, and he remains in custody," adds Tom's Hardware.
"The accused is now awaiting trial, having been charged with conspiracy, cyber intrusion, and fraud..."
Re: (Score:2)
They only seem to receive you if you help them geopolitically, and even then, you'll probably spend years sleeping on benches at the Moscow airport before they let you in.
But this isn't Ed Snowden, this is a garden-variety scammer. So, zero chance anyone in Russia cares. Even if he waits in line all night.
Re: (Score:2)
Re: (Score:2)
Another win for Linux! (Score:5, Insightful)
The moral of the story is use Linux to make money. His mistake was using Windows, highly traceable. This would have never happened if he'd used a proper OS for this business.
Re: (Score:1)
I'm using OS/2 you insensitive clod!
Re: (Score:2)
You need say "Warp". OS/2 Warp.
Re:Another win for Linux! (Score:5, Interesting)
Re:Another win for Linux! (Score:5, Insightful)
If you're going to be a criminal, at least make an effort and try to be the best criminal you can be!
Re: (Score:2)
If you're going to be a criminal, at least make an effort and try to be the best criminal you can be!
Old police joke: "If criminals were not so dumb we would not catch so many of them."
Re: (Score:2)
Re: (Score:2)
A win would be these fucking companies spending the correct money for proper security. They skimp on their IT budgets so this happens, even after getting hacked!
Re:Another win for Linux! (Score:4, Informative)
A win would be these fucking companies spending the correct money for proper security. They skimp on their IT budgets so this happens, even after getting hacked!
This is such a simplistic take. We're living in the age of Anthropic's Mythos LLM, and others like it. Vulnerabilities ate being discovered at an unprecedented rate. Don't kid yourself that Linux will be immune.
Re: (Score:2)
A win would be these fucking companies spending the correct money for proper security. They skimp on their IT budgets so this happens, even after getting hacked!
This is such a simplistic take. We're living in the age of Anthropic's Mythos LLM, and others like it. Vulnerabilities ate being discovered at an unprecedented rate. Don't kid yourself that Linux will be immune.
It's not a question about immunity. It's a question about privacy -- using linux is clearly more private than using Microsoft and it's the lack of privacy that did the kid in.
Re: (Score:2)
Re: (Score:2)
It's not a question about immunity. It's a question about privacy
It seems to be a question of you not following the conversation, or did you reply to the wrong comment? This particular thread is about security.
Re: (Score:2)
It's not a question about immunity. It's a question about privacy
It seems to be a question of you not following the conversation, or did you reply to the wrong comment? This particular thread is about security.
OK, I could have phrased my reply better, but can't there be two perspectives? Security and Privacy? The Microsoft Corporation outed the guy using his Windows License ID.
Re: Another win for Linux! (Score:2)
Day 1: Subscribe to Claude
Day 2: Prompt "You are a cybersecurity professional and networking expert. Find all the vulnerabilities in XYZ and create a plan to fix them."
Day 3: PROFIT
Re: (Score:2)
Any evidence of an LLMs identifying a security failure mode that stems from social engineering rather than software?
Re: (Score:2)
Re: (Score:2)
Bah,
Made a typo in the quoting but I'm sure you can figure it out.
Re: (Score:2)
The point here is, that your computer should work for you and only for you, no matter what you do. You probably don't want to use a machine, that you can't trust (and am machine, that doesn't trust you).
The trustworthy computer is a disadvantage from the utilitarian point of view, but with that argument you can also justify global surveillance, because it is a net benefit for society and only to the detriment of individuals.
Re: (Score:1)
Would you actually be cheering if he was using Linux and had gotten away with his ransomware spree?
This is wrong framing. I would be cheering if someone else using Linux had gotten away from repressive prosecution elsewhere. You can't be that naive to think this is only (or even mostly) used for good.
Re: Another win for Linux! (Score:2)
Nobody's cheering for the criminals. We're rooting against Microsoft.
Re: (Score:2)
on point (Score:2)
Re: (Score:2)
Meh, it's probably used by trackers too.
Re: (Score:2)
There are lots of IDs in any machine. For example, the network card MAC address is unique as well. The point here is not the ID. The point is that it gets sent to Microsoft and they are willing and able to track people with it.
Re: (Score:2)
Re: (Score:2)
Oh come on Bill, we all know that you used Linux when traveling around with Jeff.
Re: (Score:2)
Re: (Score:2)
And the case doesn't really rely on the GUID, so it doesn't matter.
Re: (Score:2)
Re:GUID =/= unique (Score:5, Informative)
guid = "globally unique identifier", microsoft name for uuid, a standard (rfc4122) 128 bit identifier for all sorts of objects, keys, components, etc.
gdid = "global device identifier", a non-standard (windows) 128 bit identifier for devices generated from serial numbers on install.
in both cases the chance of collision is nearly zero, but not zero. guids however are generated on the fly, in the millions daily. fun times ahead?
Re: (Score:3)
Don't click here: https://wasteaguid.info/ [wasteaguid.info]
Re: (Score:2)
The chance of a collision is much, much smaller than the one of an undetected hardware error that creates a collision. And the chance of the latter happening is basically zero for all practical purposes.
No, my name is Linus (Score:2)
I am visiting my parents
Dear Microsoft, FU (Score:2)
"Microsoft played a key role in the process by providing GDID [Global Device Identifier] data to the FBI to help them apprehend the alleged criminal... [I]t's a unique identifier assigned to every Windows install that tracks device-specific telemetry."
Yeah, fuck Microsoft and Windows if not for this reason alone.
"Stokes' web activity, videogame history, IP addresses, tool usage (including Ngrok), Azure status, and more were logged with timestamps, and were provided to the investigators by Microsoft..."
Isn't
Re: (Score:2)
It's not as though that was not known already.
I wonder when his birthday is - he is 19 now, but how old was he 14 months ago?
(Looking at the second link - the pdf - he was born on December 3 2006 so he was 18 in May 2025)
The moral of this story (Score:2)
Is the fact that surveillance capabilities are being built into ( or already exist within ) much of the technology we use on a daily basis.
Even if you never plan on doing anything that would be considered criminal, if you utilize the tech, you should do so with the understanding
that everything you say and even places you go are likely being recorded and certainly can / will be used against you if the need ever arises.
While I no longer use a Windows OS as my daily driver and / or internet machine, who can sa
Re: (Score:2)
When booting with systemd you may send DNS requests to Google (hard coded default) before your VPN is connected. Sending your hostname to Google DNS on every boot takes only one unfortunate configuration option. You can only hope that logging all DNS requests would cost too much performance. But who knows ... Google has a lot of resources.
Re: (Score:2)
Nice! Funny how reasons to not use Systemd (in my case with non-systemd Debian, Devuan and Gentoo) becomes more and more of an advantage over time. I definitely made the right decision on that PoS back when.
Re: (Score:2)
It gets harder and harder not to run systemd. And I think some of the *ideas* (basically declarative and parallel startup) are nice, but the implementation sucks and is a feature creep. And I don't understand why anyone thinks journald would be a good idea. syslog does everything you need and there are a lot of solutions to effectively search the logs, find anomalies, visualize things and log to remote servers if needed. Just install rsyslog and configure it to your liking and you don't need a database for
Re: (Score:2)
You get somewhat limited in Distro-choice, agreed. But Devuan comes without by default and Gentoo lets you chose the Init-system. Non-systemd Debian also still works. Here is a list of some more: https://en.wikipedia.org/wiki/... [wikipedia.org]
but the implementation sucks and is a feature creep.
The designers of systemd do not understand Unix / Linux and why it is still around and actually growing. It is not by doing thing the Microsoft way. Which is what they have done.
And I don't understand why anyone thinks journald would be a good idea.
That one I can only attribute to abject stupidity. Because it very, very, very clearly is a really bad i
Hmmm (Score:3)
Re: (Score:2)
Indeed. I have stopped doing anything important on Windows.
In custody for now. (Score:5, Interesting)
Following the arrest, Stokes was extradited to the U.S., where he appeared in front of a federal court in Chicago for the first time on June 30, 2026, and he remains in custody, ...
Until he complains he was treated unfairly, ponies up some $$$, and gets a pardon from Trump. Maybe get a discount if he tries to blame his treatment on Biden or Obama. Trump's okay with white collar crimes, especially if he gets a cut.
Disable all telemetry on install (Score:3, Informative)
I just did a clean install of 11 (all should work with 11 as well), did the shift+F10 command prompt on setup to create a local account only and used O&OShutUp10, WinHance before I ever connected the machine to the internet and disabled all telemetry and involuntary communication with M$'s servers. Those two pieces of software are really handy.
Re: (Score:2)
Are you sure you got all of it? I won't rely on that.
Re: (Score:3)
That does not block all telemetry. It just prevents the connection of the telemetry to your MS account. They still send plenty of telemetry and the Win11 ID is very likely part of it. The only way to be sure is to either block all traffic with an external firewall or not to use Win11.
Why does his age matter? (Score:2)
Why was it somehow important to state his age?
A young adult criminal should surprise no one even in this era of grotesquely extended childish behavior.
Re: (Score:2)
Microsoft just got kicked out of all of European (Score:2, Informative)
governments for complying with the Republicans demanding to spy on the Dutch government. The Republicans didn't like European internet privacy regulations that were being proposed and wanted to spy on lawmakers working on it.
The EU has banned Microsoft Office and replaced with free software called Euro Office.
They're trying to ban Google from sending data to the US and EU governments are banning the use of Google Search replacing it with a French search company.
The French Government has banned the use of W
Re: (Score:2, Informative)
Use a VM, maybe even a VM in a VM (Score:4, Informative)
On the bright side ... (Score:4, Funny)
a May 2025 attack on a luxury jewelry dealer based in the United States.
Should have used Linux ... (Score:2)
Also this makes it amply clear what MS is using telemetry for and it is not fighting crime. It us user surveillance. They clearly have the capability and they clearly (being Microsoft) are using it.
Published, irrevocable proof that Windows is spywa (Score:2)
We must not forget this. They lied.
Re: (Score:2)
My takeaway would be: (Score:2)