The Digital Trail That Led to an Arrest
Federal prosecutors have linked a suspected member of the notorious Scattered Spider hacking group to a brazen cyberattack on a luxury jewelry retailer — not through a flashy zero-day exploit or a sophisticated piece of malware, but through a persistent Windows device ID. The detail emerged from a newly unsealed complaint filed in U.S. district court.
The ID, a unique identifier tied to a specific Windows machine, allowed investigators to connect the dots between a breach that occurred in May 2025 and a 19-year-old suspect named Peter Stokes. According to the complaint, Microsoft records showed that the same device ID was used to maintain access to the retailer’s network after the initial intrusion.
From there, the trail led to online accounts prosecutors say belong to Stokes. It’s a reminder that in the world of cybercrime, even the most careful attackers can leave behind a breadcrumb that law enforcement can follow.
What Is a Windows Device ID and Why Does It Matter?
A Windows device ID, sometimes called a hardware ID or machine GUID, is a unique string generated by the operating system during installation. It’s not something most users ever see, but it’s embedded deep in the system and persists even after clean reinstallations if the hardware remains the same.
For investigators, that persistence is gold. Unlike IP addresses, which can be masked with VPNs or proxies, or browser fingerprints, which users can clear, a device ID is much harder to spoof. It ties a specific piece of hardware to a specific set of actions, creating a forensic link that’s difficult to break.
In this case, the ID didn’t just show up once. It was used repeatedly during the jewelry retailer intrusion, appearing in logs that tracked the attackers’ movements inside the network. That gave the FBI a stable anchor point to build their case.
The Breach: A Luxury Retailer’s Nightmare
The target was a high-end jewelry chain — the kind of store that sells pieces worth more than most people’s cars. The attackers, allegedly part of the Scattered Spider collective, gained initial access through a combination of social engineering and credential theft. Once inside, they moved laterally, escalated privileges, and planted backdoors to ensure they could return.
But they made a mistake. One of the machines they used to access the network was running a copy of Windows that reported a device ID back to Microsoft’s servers. That ID was later cross-referenced with account creation logs for cloud services, email providers, and even gaming platforms.
Prosecutors say the same ID appeared in records for accounts that Stokes controlled. It wasn’t the only piece of evidence, but it was a crucial one — the kind of technical detail that turns a circumstantial case into a direct one.
Who Is Peter Stokes?
Stokes, 19, is not a household name. But according to the complaint, he was an active participant in the Scattered Spider ecosystem — a loose network of hackers known for targeting large corporations, often through SIM-swapping and phishing. The group has been linked to high-profile breaches at Caesars Entertainment, MGM Resorts, and other major brands.
What sets Stokes apart is his age. At 19, he’s barely out of high school, yet the complaint describes a sophisticated operation involving stolen credentials, remote access tools, and cryptocurrency laundering. The case highlights a troubling trend: the average age of cybercriminals is dropping, and the tools they use are becoming more accessible.
How the FBI Pieced Together the Evidence
The investigation didn’t start with a device ID. It started with a call from the jewelry retailer’s IT team, who noticed unusual activity on their network after hours. The FBI’s cyber division took over, pulling logs from firewalls, servers, and endpoints.
Here’s what they found:
- A series of login attempts from IP addresses linked to known proxy services.
- Unusual file transfers during off-hours, including database exports and configuration files.
- Evidence of a backdoor account created with administrative privileges.
But the real breakthrough came when investigators subpoenaed Microsoft for telemetry data. The Windows device ID appeared in the logs of the machine used to create the backdoor account. That ID was then matched to a Microsoft account that showed the same hardware fingerprint. From there, it was a short jump to email addresses, social media profiles, and finally, to Stokes.
The complaint unsealed this week is just the beginning. Stokes has not yet entered a plea, and his attorney has declined to comment. But the case is already being watched closely by cybersecurity professionals, who see it as a sign that law enforcement is getting better at exploiting the digital exhaust that attackers leave behind.
What This Means for Cybersecurity and Privacy
The use of Windows device IDs in criminal investigations raises questions that go beyond this single case. On one hand, it’s a powerful tool for catching bad actors. On the other, it highlights how much telemetry data flows from our devices to companies like Microsoft — data that can be turned over to law enforcement with a subpoena.
For now, the message is clear: if you’re using a Windows machine to commit a crime, you’re leaving a signature that can follow you. And as forensic techniques improve, that signature is getting harder to erase.
The Scattered Spider case is far from over. But for the FBI, the trail of digital breadcrumbs — starting with a single device ID — has already led to a suspect.