By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

A 19-year-old walked through Helsinki airport in April 2026 carrying two 2TB hard drives and a ticket to Japan. He couldn’t make that flight. Finnish police stopped him on an Interpol Red Notice, and by July, US prosecutors had unsealed a federal complaint identifying him as Peter Stokes, an alleged member of the Scattered Spider hacking group, wanted over a May 2025 breach of a US luxury jewelry retailer that ended in an $8 million ransom demand. No, we haven’t suddenly turned into a crime reporting publication, but it was Microsoft that handed the FBI a way to trace Stokes’ Windows PC across VPNs, proxy servers, and three countries. The tool is called a Global Device Identifier, or GDID, and outside a handful of enterprise documentation pages, most Windows users had never heard the term before this case made it public. We went through the full 39-page complaint, cross checked it against independent reverse engineering of how Windows generates and transmits this identifier, and fact checked the technical claims since the story broke. Here is everything you need to know about GDID, how it caught Stokes, and what it means if you are one of the 1.6 billion people using Windows PCs.When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it. The PUID lands in your own registry hive, in plain text, at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link, cloud clipboard, and Nearby Share, reads that PUID and registers it into Microsoft’s Device Directory Service, which is the identity graph behind all of Microsoft’s cross device features. There, the number gets a lowercase g stuck in front and gets written as g:decimal. Delivery Optimization then reports that same value back to Microsoft’s servers as UCDOStatus.GlobalDeviceId every time your PC shares or downloads update data peer to peer. Now for the version in plain English: Sign into Windows with a Microsoft Account, and a server assigns your installation a permanent ID number. Windows stores it locally, several background services read it, and it gets stamped onto activity your PC reports back to Microsoft. Reinstall Windows and you get a new number, but Microsoft’s own records give every reason to link the new one back to the old, through the same account, OneDrive, and activation history, which is close to what happened to Stokes. Scattered Spider members phoned the jewelry retailer’s IT help desk from Google Voice numbers, posed as locked out employees, and talked support staff into resetting three accounts, two with administrator privileges. From there they installed a tunneling tool called ngrok to get past the retailer’s network defenses, moved roughly 77 gigabytes of data to Amazon cloud storage using ngrok and a second tool called Teleport, tried and failed to deploy ransomware, then sent a ransom email with the subject line “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic].” They asked for $8 million in cryptocurrency. The retailer refused, ate roughly $2 million in cleanup costs, and moved on. Investigators later subpoenaed ngrok and found the account used in the attack had been created on May 12, 2025, at 19:21 UTC from a VPN proxy IP address run by Tzulo, a hosting provider.The IP was a dead end. VPN proxies do that. But the GDID is built different. Microsoft’s records showed that at that exact same minute, a Windows device carrying GDID g:6755467234350028 had visited the ngrok signup page.Three hours later, the same GDID visited the retailer’s own website, through the same Tzulo proxy address used to set up the ngrok account. It gave the FBI a device, that don’t rotate the way VPN exit nodes do. From there the investigation turned into connecting dots. Once agents had a timeline of every IP address that device had used, they cross referenced it against known logins to accounts prosecutors already suspected belonged to Stokes: Nobody is arguing the wrong person got arrested. Stokes is accused, with the rest of Scattered Spider, of over 100 corporate intrusions and $100 million-plus in ransom payments, per the DOJ’s numbers. The system worked as intended here.What has researchers uneasy is everything else the case reveals. Costin Raiu, a well-known malware researcher, asked on the Three Buddy Problem podcast how much of this exists on other platforms, and whether it is linked more permanently to hardware. Matthew Hickey, another security researcher, called Windows “surveillance software”. More indepth details can be found on OUR FORUM.