The tradecraft was textbook. VPNs to shed his IP address. Proxy servers to launder his origin. Rotating infrastructure across Estonia, New York, and Thailand. By every operational-security measure that matters to a cybercriminal, Peter Stokes — the 19-year-old dual U.S.-Estonian citizen known online as “Bouquet” and charged as a member of Scattered Spider — was a ghost.

Except his own laptop was calling home the entire time, under a name he had never heard of and could not have turned off if he’d tried.

A federal complaint unsealed this month, and the Microsoft technical disclosures it triggered, revealed the thread that unraveled him: a persistent Windows telemetry fingerprint called the Global Device Identifier, or GDID. In Stokes’s case, one specific number — g:6755467234350028 — followed his Windows installation across every VPN and proxy he hid behind, for the better part of a year, until Microsoft handed the trail to the FBI. (We covered the Finland arrest and the US charges and extradition as they happened; this is the story of how investigators put a name to the ghost.)

The uncomfortable part isn’t that it caught a hacker. It’s what the same mechanism means for the other 1.6 billion people running Windows.

The Thread That Didn’t Break

Investigators built their case by correlating a single GDID across a chain of events no VPN could obscure — because the identifier lived above the network layer, baked into the Windows install itself. According to the complaint, the device behind g:6755467234350028 left a trail like this:

  • June 2024 — the device surfaces on IP addresses in Tallinn, Estonia
  • November 2024 — the same device appears on New York addresses
  • February 2025 — activity matches Thailand IP geolocation
  • May 12, 2025, 19:21 UTC — through a Tzulo VPN proxy, the device visits https://dashboard.ngrok.com/signup and creates an ngrok account within minutes
  • Three hours later — the same GDID, through the same proxy, accesses the website of the U.S. luxury jewelry retailer that was breached days later

The attackers behind that breach posed as locked-out employees on Google Voice calls, socially engineered the help desk into resetting passwords and MFA, installed ngrok and Teleport tunneling tools, exfiltrated roughly 77GB to Amazon cloud storage, and demanded $8 million in cryptocurrency — causing an estimated $2 million in damage. Classic Scattered Spider.

The genius of the investigation was mundane: VPN IP addresses changed constantly, but the underlying Windows installation kept reporting the same identifier to Microsoft every time. Investigators then matched the device’s IP geolocations against Snapchat, Apple, and Facebook accounts attributed to Stokes, and corroborated the Tallinn/New York/Thailand timeline against State Department travel records. The GDID was the spine; everything else hung off it.

What a GDID Actually Is

Before this court filing, virtually no one outside Microsoft’s enterprise documentation had heard the term. Microsoft had described it in exactly one sentence buried in an Azure Monitor reference table meant for IT admins — “an identifier used by Microsoft internally.” The complaint forced a fuller admission. Microsoft now defines GDID as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device.”

Here’s the technical chain, reconstructed from Microsoft’s disclosures and independent researchers:

  1. When Windows provisions against a Microsoft Account, the wlidsvc (Windows Live ID) service requests a Device PUID (Passport Unique ID) from login.live.com, returned in a SOAP response.
  2. That value is written in plaintext to the registry at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties, under the value name LID.
  3. The Connected Devices Platform (CDPSvc / cdp.dll) reads it and registers the device with Microsoft’s Device Directory Service.
  4. It’s formatted as g:decimal — hence g:6755467234350028 — when reported to services like Delivery Optimization.

Its defining property is persistence. The GDID survives operating-system updates. It only resets on a clean reinstall — and even then, the moment you sign back into the same Microsoft Account, Microsoft can correlate the new identifier to the old one. And you can’t simply switch it off: as the reverse-engineering community (notably the Massgrave project) documented, blocking GDID generation breaks Windows activation and UWP/Store apps. It is wired into licensing itself.

”It’s Just Metadata” — Again

If this argument sounds familiar, it should. In 2013, as the Snowden disclosures landed, the reassurance from officials was that bulk collection was “only metadata” — not content, just the record of who connected to what, when, and from where. Critics spent the next decade demonstrating that metadata, at scale and correlated over time, is often more revealing than content: it maps your movements, your relationships, and your patterns without ever reading a word you wrote.

GDID is that lesson rendered in Windows. No one at Microsoft is screenshotting Stokes’s desktop or reading his files through this identifier. It is “just” a device ID and some connection telemetry. But correlated across time and services — ngrok signups, website visits, IP geolocations, account linkages — that metadata was precise enough to place a specific human behind a specific keyboard across three countries and defeat every anonymity layer he deployed. The 2013 debate was about a spy agency most people would never encounter. This is the same capability, resident by default on the most popular consumer operating system on earth.

And it arrives on the heels of Microsoft’s own Recall controversy — the Copilot+ feature that periodically screenshots everything on your screen to build a searchable timeline of your activity, which security researchers warned was an attacker’s dream the moment it was announced. Recall was at least visible and toggleable, and the backlash forced Microsoft to make it opt-in and encrypted. GDID is the inverse: invisible, undocumented, and with no consent prompt and no off switch for the 1.6 billion people generating it.

Why Privacy Researchers Are Alarmed

The reaction from the security community has been blunt. Researcher Matthew Hickey flatly called Windows “surveillance software.” Others, including Costin Raiu, raised the obvious follow-on question: how much equivalent functionality sits undocumented on other platforms?

The specific objections are worth spelling out, because they’re structural, not hypothetical:

  • No consent, no disclosure. Apple’s advertising identifier requires an App Tracking Transparency prompt with a visible reset. Android exposes similar controls. GDID has no notification screen at all — it is created and transmitted silently.
  • No user-facing control. You cannot view your GDID, reset it, or disable it through any Windows settings interface. The mitigations that exist (below) only reduce surrounding telemetry — they don’t remove the identifier.
  • Account-level persistence. Because Microsoft can relink a fresh GDID to your account after a clean reinstall, the “nuclear option” of wiping the machine doesn’t guarantee a clean break.
  • Documented in a court filing, not a privacy policy. The public learned this identifier exists because federal prosecutors needed it to build a case — not because Microsoft disclosed it to the people it tracks.

The dual-use tension is real and worth stating honestly: this same telemetry helped put an alleged eight-figure extortionist in a Chicago courtroom, and few will mourn Stokes’s operational-security failure. But a capability that can deanonymize a career cybercriminal can deanonymize a journalist’s source, a dissident, an abuse survivor, or anyone whose safety depends on not being the person behind the keyboard. Investigative power and surveillance power are the same power pointed in different directions.

What You Can (and Can’t) Do About It

To be clear about the ceiling: you cannot fully disable GDID without breaking activation and Store apps. What you can do is shrink the telemetry that surrounds it and reduce how much of your activity gets correlated:

  1. Use a local account instead of a Microsoft Account where feasible — this is the single biggest lever, since GDID provisioning is tied to Microsoft Account sign-in.
  2. Turn off optional diagnostics: Settings → Privacy & security → Diagnostics & feedback → set to Required only.
  3. Kill the advertising ID: Privacy & security → Recommendations & offers (and General).
  4. Disable cloud search: Privacy & security → Search permissions → Cloud content search.
  5. For high-threat users, understand the hard limit: the only environment that doesn’t generate a Windows GDID is one that isn’t running Windows against a Microsoft Account at all. Threat models that depend on true anonymity should account for this.

The Real Takeaway

Peter Stokes will have his day in court, and the evidence against him looks formidable. But the lasting story here isn’t one hacker’s downfall — it’s that his arrest functioned as an accidental public disclosure. A persistent, unavoidable, undocumented tracking identifier has been running on well over a billion machines, and we found out because it was strong enough to defeat a professional criminal’s full anonymity stack.

The 2013 promise was that metadata was harmless. GDID is the receipt. The only difference is that this time the tracker didn’t belong to an intelligence agency — it shipped with the operating system, and it’s probably running on the device you’re reading this on.

Further reading

Sources