Notorious hacker's arrest sparks backlash over Microsoft’s excessive device tracking
The internet is only now finding out about the depth of Windows Telemetry, after Windows GDID helped catch Peter Stokes, a notorious hacker from the Scattered Spider hacking group.

Image by Cybernews.
- The FBI arrested hacker Peter Stokes by tracking his persistent Windows GDID identifier.
- Windows GDID, an installation-specific tracker, remained consistent despite the hacker's use of VPNs.
- Users are expressing significant unease over Microsoft’s opaque data collection practices.
The FBI caught Peter Stokes, a notorious 19-year-old hacker, despite his best efforts to hide behind VPNs, remote connections, and rotating IP addresses. Microsoft accurately fingerprinted his PC and exposed the hacker via the persistent GDID identifier. The “amount of spying” is now fuelling a massive backlash among Windows users on social media.
The suspected member of Scattered Spider, a hacking and extortion group, is facing criminal charges in the US. Meanwhile, many Windows users are only now finding out that their devices are fingerprinted and can be tracked online.
The official complaint against Stokes reveals that the hacker was caught after his online activity was tracked using GDID.
GDID, or a Global Device Identifier, is persistent, tied to the Windows installation, and designed to identify the instance of the OS across certain Microsoft services and scenarios. Only reinstalling Windows assigns a new GDID.
The GDID remained constant despite Stokes cycling through IPs, VPNs, and remote desktop connections.
Stokes used the same device to create an ngrok account through a VPN. Ngrok is a legitimate tunneling service commonly used to reach systems behind firewalls, but the hacker used the software to bypass network defenses and maintain persistent unauthorized access.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
While the FBI tracked the ngrok account used to penetrate corporate networks, they also matched the device’s GDID to IP activity in Tallinn, New York, Thailand, and other locations.
The hacker, also known as “Bouquet,” “Spencer,” and “Jordan,” used the same device to play Growtopia and to access Snapchat, Apple, and Facebook accounts. He posted selfies hiding his face behind hundred-dollar bills, showing off numerous watches or diamond-encrusted chains with the words “Hack the planet.”
Stokes even posted from a Police station in Estonia, comparing himself to Raymond Reddington. He boasted that “Feds don't know what they just fumbled…”
Bragging on social media about a lavish lifestyle helped match hotel photos and travel records. The hacker was arrested in Helsinki while attempting to board a flight to Japan and was later extradited to the US, where he’s accused of breaching a luxury-jewelry retailer, and, likely, other cybercrimes.
Outburst of backlash on social media
The use of GDID to track down Stokes is sowing distrust on social media over Microsoft’s data collection practices. Many users appear unaware of the existence of such an identifier, or that it can be used to share data with law enforcement.
“Glad a cybercriminal got put away, but another good reason to switch to Linux,” one user posted on Reddit.
A privacy researcher who goes by the alias IT Guy on X argues that Microsoft has no public policy on when it shares GDID data, no known opt-out mechanism, and no transparency reports covering GDID disclosures. It's likely that Microsoft is quietly filing other criminal referrals using similar techniques.
Malware researchers at vx-underground note that Microsoft’s GDID device-tracking played a critical role, though it was mostly undocumented.
Gamers Nexus, a major YouTube tech review channel run by Steve Burke, posted that they hate Windows and that only one remaining software suite keeps them on the OS. It’s unclear whether it is related to the FBI investigation.
“The amount of spying is unbelievable at this point, and the pain to find alternatives to all my old tools is at this point lower than the concerns Microsoft introduces,” the post reads.
Massgrave, a piracy group developing activation scripts for Microsoft products, shared an explanation that the Windows installation process connects to the internet, sends hardware information, and receives identifiers in return.
The device tokens are later used in communicating with the Microsoft Store, Windows activation, and other services.
“It's impossible to prevent Windows from getting a GDID without breaking activation and UWP app,” Massgrave warned.
“Knowing all this, what can we do? The best answers are the most obvious: disable as much telemetry as you can (pirate Education or Enterprise for their better telemetry settings), don’t use Microsoft accounts, and don’t use Microsoft Edge.”
Many experts warn that simply reinstalling Windows and getting a new GDID achieves nothing – the new GDID can be easily tied to the same underlying hardware and Windows account.