By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

A 19-year-old walked through Helsinki airport in April 2026 carrying two 2TB hard drives and a ticket to Japan. He couldn’t make that flight. Finnish police stopped him on an Interpol Red Notice, and by July, US prosecutors had unsealed a federal complaint identifying him as Peter Stokes, an alleged member of the Scattered Spider hacking group, wanted over a May 2025 breach of a US luxury jewelry retailer that ended in an $8 million ransom demand. No, we haven’t suddenly turned into a crime reporting publication, but it was Microsoft that handed the FBI a way to trace Stokes’ Windows PC across VPNs, proxy servers, and three countries. The tool is called a Global Device Identifier, or GDID, and outside a handful of enterprise documentation pages, most Windows users had never heard the term before this case made it public. We went through the full 39-page complaint, cross checked it against independent reverse engineering of how Windows generates and transmits this identifier, and fact checked the technical claims since the story broke. Here is everything you need to know about GDID, how it caught Stokes, and what it means if you are one of the 1.6 billion people using Windows PCs.When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it. The PUID lands in your own registry hive, in plain text, at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link, cloud clipboard, and Nearby Share, reads that PUID and registers it into Microsoft’s Device Directory Service, which is the identity graph behind all of Microsoft’s cross device features. There, the number gets a lowercase g stuck in front and gets written as g:decimal. Delivery Optimization then reports that same value back to Microsoft’s servers as UCDOStatus.GlobalDeviceId every time your PC shares or downloads update data peer to peer. Now for the version in plain English: Sign into Windows with a Microsoft Account, and a server assigns your installation a permanent ID number. Windows stores it locally, several background services read it, and it gets stamped onto activity your PC reports back to Microsoft. Reinstall Windows and you get a new number, but Microsoft’s own records give every reason to link the new one back to the old, through the same account, OneDrive, and activation history, which is close to what happened to Stokes. Scattered Spider members phoned the jewelry retailer’s IT help desk from Google Voice numbers, posed as locked out employees, and talked support staff into resetting three accounts, two with administrator privileges. From there they installed a tunneling tool called ngrok to get past the retailer’s network defenses, moved roughly 77 gigabytes of data to Amazon cloud storage using ngrok and a second tool called Teleport, tried and failed to deploy ransomware, then sent a ransom email with the subject line “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic].” They asked for $8 million in cryptocurrency. The retailer refused, ate roughly $2 million in cleanup costs, and moved on. Investigators later subpoenaed ngrok and found the account used in the attack had been created on May 12, 2025, at 19:21 UTC from a VPN proxy IP address run by Tzulo, a hosting provider.The IP was a dead end. VPN proxies do that. But the GDID is built different. Microsoft’s records showed that at that exact same minute, a Windows device carrying GDID g:6755467234350028 had visited the ngrok signup page.Three hours later, the same GDID visited the retailer’s own website, through the same Tzulo proxy address used to set up the ngrok account. It gave the FBI a device, that don’t rotate the way VPN exit nodes do. From there the investigation turned into connecting dots. Once agents had a timeline of every IP address that device had used, they cross referenced it against known logins to accounts prosecutors already suspected belonged to Stokes: Nobody is arguing the wrong person got arrested. Stokes is accused, with the rest of Scattered Spider, of over 100 corporate intrusions and $100 million-plus in ransom payments, per the DOJ’s numbers. The system worked as intended here.What has researchers uneasy is everything else the case reveals. Costin Raiu, a well-known malware researcher, asked on the Three Buddy Problem podcast how much of this exists on other platforms, and whether it is linked more permanently to hardware. Matthew Hickey, another security researcher, called Windows “surveillance software”. More indepth details can be found on OUR FORUM.

Microsoft’s aggressive, multi-billion-dollar push into artificial intelligence was supposed to be a flawless victory. The integration of Copilot into Windows 11, Microsoft 365, and GitHub was designed to usher in a new era of agentic computing. Yet, beneath the polished keynote presentations and massive infrastructure investments, a dramatically different reality is what we saw. As first reported by Windows Latest, according to a highly respected former Microsoft executive, the company’s AI strategy is fundamentally failing to connect with real users, spurring calls for a massive internal “factory reset.” The executive in question is Mat Velloso, who was most recently the Vice President of Product for the Developer Platform at Meta’s Superintelligence Labs. He also led AI developer products at Google DeepMind (including the Gemini API and Google AI Studio). But before his stints at Google and Meta, Velloso spent over 12 years at Microsoft, where he served as a Partner Director managing AI innovation in Windows and, interestingly, spent four years as the Technical Advisor to Microsoft CEO Satya Nadella. When someone with Velloso’s resume, having observed the AI arms race from the highest levels of Microsoft, Google, and Meta, says Microsoft has “missed the AI wave,” it can rip the lid off the deep tensions within Redmond. Microsoft’s behavior over the last few months is nothing short of shocking. Both the Windows and Xbox divisions suddenly started prioritizing user feedback and implementing requested features after years of ignoring them. It’s also not a small task to assemble and organize OEMs, ODMs, and chipset vendors in an event like WinHEC that had its last occurrence almost a decade ago (2018). Explaining this sudden pivot to listening to customers, Velloso remarked that despite making Bing the company’s biggest AI bet, it failed to capture a single percentage point of search market share from Google. More damning is the state of Copilot. According to Velloso, less than 3% of paying users actively use Copilot, even though Microsoft has pre-deployed it directly into the Windows 11 taskbar and across the Office suite. Out of Microsoft’s 450 million Microsoft 365 user base, the company has only managed to convert roughly 15 million paid Copilot seats. This means a staggering 96.7% of users are rejecting the premium AI features, yielding just a 3.3% paid adoption rate. When viewed against Microsoft’s estimated $37.5 billion quarterly AI spending, this is an alarmingly low adoption rate. But it’s not just software; Velloso also called out the current state of AI hardware. Over the past year, Microsoft has heavily pushed OEMs to include Neural Processing Units (NPUs) in their latest laptops to power advanced Windows 11 capabilities. We have tracked Microsoft’s push for NPU-powered AI features in Windows 11, but as Velloso noted, OEMs invested heavily in NPUs only to find out that “nobody cares because not a single valuable usecase was built for those in Windows/Office.” All this friction appears to be taking a toll on Microsoft’s leadership. Recently, news broke that Julia Liuson, the highly respected head of Microsoft’s Developer Division (DevDiv), was retiring after 34 years with the software giant. While official channels framed this as a standard retirement, Mat Velloso critiqued the news, saying, “Looks like Microsoft just went from hit refresh to hit factory reset.” He also listed a massive string of high-profile departures and reassignments across the company, including leaders from Xbox, GitHub, AI Infrastructure, Teams, and OneNote. This public commentary drew the ire of Frank X. Shaw, Microsoft’s Lead Communications executive. Shaw replied to Velloso, defending the departing executives and accusing Velloso of jamming a “negative frame” onto normal corporate retirements. All Velloso had to do was point out the harsh financial realities that the market is currently digesting. He moved from Microsoft to Google in early 2024, and while Google’s shares surged by roughly 230%, Microsoft’s stock growth remained essentially flat at 0%. Apart from the internal challenges, Microsoft is increasingly being affected by its closest allies. The company has staked its entire generative AI future on its multi-billion-dollar partnership with OpenAI. However, OpenAI is rapidly building out its own enterprise infrastructure, threatening Microsoft’s historic dominance in the corporate sector. Just days ago, OpenAI officially launched the “OpenAI Deployment Company” (DeployCo), a new business unit backed by over $4 billion in initial investment from global firms. This new venture features 150 “Forward Deployed Engineers” (FDEs) tasked with embedding directly into Fortune 500 companies to help them build and deploy custom AI solutions. Historically, this hands-on, enterprise-level consulting was Microsoft’s bread and butter. As Velloso reminisced about his early career as a consultant, he noted that Microsoft’s incredible penetration into large enterprises was built on “armies of people spending time, listening, understanding business goals and solving them with technology in every industry vertical.” Despite these severe criticisms, Velloso defended his former employer against apocalyptic tech media narratives. When a prominent tech publication recently claimed that “AI is killing Microsoft” and compared their current trajectory to the disastrous 2008 era, Velloso stepped in to shut the narrative down. “Nope, they are not dying,” Velloso stated. “I know I criticize them a lot and that’s because I care, but boy if you think Microsoft is dying you haven’t watched how many times they recovered from problems.” He pointed out that while AI startups and labs might be building flashy deployment companies, completely replacing legacy enterprise software is incredibly difficult. When asked about companies claiming they can fully automate software businesses, Velloso recommended talking to Fortune 500 CIOs to see how realistic that really is. “There’s a reason why all the top AI labs are hiring large consulting teams,” he explained. “The last mile is the hardest and Microsoft has the best distribution for that. Their moat is unbreakable.” For more visit OUR FORUM.

Updated February 22 with details of previous PayPal security incidents and warnings, further advice for those impacted by the confirmed PayPal Working Capital data breach, which prompted transaction refunds and account password resets, and as a statement from a PayPal spokesperson. Some PayPal users have started to receive email from the company confirming a data breach that exposed personal information to a threat actor who gained access to PayPal’s systems, leading to some seeing unauthorized transactions on their accounts and the resetting of passwords. Here’s what you need to know. A breach notification letter, which I have verified myself, has confirmed that some PayPal users have been impacted by a data breach after a hacker gained access to PayPal systems on July 1, 2025. The hacker apparently had access until December 12, 2025 when PayPal discovered the security incident. The breach, according to the notifications, which are dated February 10, impacted some users “due to an error in its PayPal Working Capital (“PPWC”) loan application.” It remains to be seen how the attacker access evolved, of course, as this remains something of a developing story and PayPal has yet to explain this in any detail beyond a “code change” being responsible. However, following publication of this article, a PayPal spokesperson provided the following statement: “When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.” I am currently awaiting clarification regarding the seeming disparity between the statement saying that “PayPal’s systems were not compromised,” and the notification, which stated that following an investigation, the company had “terminated the unauthorized access to PayPal’s systems.” I will add another update if and when such a clarification is forthcoming. “Upon learning about this unauthorized activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorized actors from obtaining further personal information,” the PayPal notification stated. It would, however, be nice to know why it took a whole six months for PayPal’s security team to notice the exposure to unauthorized individuals, as mentioned in the breach notification itself. That’s a huge window of opportunity for attackers, and we should be grateful that so few accounts were potentially impacted before it was closed for good. PayPal has also confirmed that “a few customers experienced unauthorized transactions on their account,” and we now know that this was a very small number, 100 according to the spokesperson who contacted me. PayPal confirmed that it has already issued refunds to those customers who were impacted. I have covered many previous PayPal security warnings, which have mostly concerned phishing attacks delivered by email, text, or phone, although, if you stretch back as far as 2023, there was another breach. I reported on this at the time, confirming that a total of 34,942 PayPal accounts had been accessed by attacks using a credential stuffing attack methodology. Such attacks involve threat actors deploying an automated process in an attempt to access accounts with login credentials that have been compromised in some way, often credentials that have been reused between accounts and subsequently breached at one of them. Lists of such breached credentials are readily available on the dark web. In December, 2025, I reported how attackers were using legitimate infrastructure to bypass email authentication protections when delivering malicious messages disguised as genuine PayPal support communications. On this occasion, the PayPal billing subscriptions feature was being abused by hackers in an attempt to steal your user account credentials. At the time, a PayPal spokesperson told me: “PayPal does not tolerate fraudulent activity, and we work hard to protect our customers from consistently evolving phishing scams. We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.” More complete details can be found on OUR FORUM.