Connect with us

Security

FBI’s Digital Trail: How Windows Device ID Led to Alleged Scattered Spider Hacker

Published

on

Prosecutors in the United States have connected a suspected member of the Scattered Spider hacking group to a breach at a high-end jewelry retailer by tracing a persistent Windows device ID, as detailed in a recently unsealed federal complaint.

According to Microsoft records, this device ID was initially linked to the account utilized by the attackers to maintain access during the breach in May 2025, and later tied to online accounts associated with 19-year-old Peter Stokes.

Stokes, also known as “Bouquet” and a dual U.S.-Estonian citizen, is facing charges of conspiracy, computer intrusion, and fraud. He was extradited from Finland and appeared in court in Chicago on June 30. Stokes is considered innocent until proven guilty at trial.

Overview of the Breach

During the period of May 12 to 15, 2025, the attackers contacted the retailer’s IT help desk using Google Voice numbers, pretending to be employees locked out of their accounts. Through this tactic, they convinced staff to reset passwords and associated mobile devices connected to their multifactor authentication.

By gaining control of three accounts, including those of IT administrators, the attackers installed software tools like ngrok and Teleport, transferred data to Amazon cloud storage, and exfiltrated at least 77 gigabytes of information.

While an attempt to deploy ransomware was thwarted by the retailer’s security team, the attackers still demanded an $8 million ransom in cryptocurrency. The breach incurred approximately $2 million in costs for the company due to disruption, investigation, and remediation efforts.

The vulnerability exploited in this incident was human error at the help desk rather than a software flaw. The recommended solution involves implementing identity verification procedures before any password reset, such as callback verification, managerial approval, or video verification for privileged accounts. Additionally, using phishing-resistant multifactor authentication methods like FIDO2 keys can mitigate risks, although they are not foolproof if help desk procedures are compromised.

See also  Global Sharepoint ToolShell Cyberattacks: Targeting Organizations Worldwide

Identification of Stokes through Device Records

Investigators were able to trace Peter Stokes back to the device that initiated the ngrok account. Microsoft provided information indicating that the device had a Global Device Identifier g:6755467234350028, described as a persistent identifier associated with a single Windows installation that persists through operating system updates but changes upon Windows reinstallation.

Records show that this device accessed the ngrok signup page at 19:21 UTC on May 12, 2025, coinciding with the creation of the ngrok account, and later visited the retailer’s website through the same proxy three hours later.

Moreover, the device’s activity on various IP addresses aligned with Snapchat, Apple, and Facebook accounts linked to Stokes, including locations in Tallinn, Estonia, New York, and Thailand, as verified by State Department travel records.

The complaint details how the operator behind the attack attempted to conceal their actions using VPN proxies, tunneling tools, and aliases, but left traces that led back to them. Stokes’ social media presence, particularly on Snapchat, showcased extravagant displays of wealth and travel, providing further evidence against him.

Impact of Arrest on Cyber Threat Landscape

While the arrest of Stokes establishes a connection to a specific cyber incident, it does not eliminate the broader threat posed by groups like Scattered Spider. Recent research suggests that Scattered Spider is a decentralized collective of small cells sharing techniques, tools, and communication channels, similar to the Anonymous movement. Arresting individual members may not completely dismantle the threat.

Prosecutors attribute over 100 intrusions and more than $100 million in ransom payments to Scattered Spider. Despite law enforcement efforts, the group’s loose structure has enabled it to persist through multiple arrests.

See also  Unveiling the Speedster: Ferrari Amalfi Spider Set to Make Waves on March 12

Pattern of Prosecutions within Scattered Spider

Previous cases related to Scattered Spider follow a similar pattern of individual arrests while the group’s operational framework remains intact. Examples include the conviction of Tyler Buchanan for fraud and identity theft, Noah Urban’s sentencing for a SIM-swapping scheme, and the admission of two members involved in the Transport for London hack.

Stokes’ apprehension in Finland with seized hard drives underscores the importance of physical evidence in investigations of cybercrime. In a decentralized network like Scattered Spider, these drives could potentially reveal critical information essential for tracking down other members and disrupting their operations.

Transform the following:

Original: “I am going to the store to buy some groceries.”
Transformation: “I will be heading to the store to pick up a few groceries.”

Trending