Suspected Scattered Spider Member Unmasked Via Device Telemetry After Death Threat
A 19-year-old suspected member of the Scattered Spider cybercrime group, Peter Stokes, was reportedly identified and apprehended through the use of Microsoft's Global Device ID (GDID) telemetry, following a death threat made to a cybersecurity researcher.

Federal investigators have reportedly unmasked a 19-year-old suspect, identified as Peter Stokes, who is believed to be a member of the notorious Scattered Spider cybercrime group. The breakthrough in identifying Stokes, an American-Estonian citizen, allegedly came through the analysis of Microsoft's Global Device ID (GDID) telemetry data, a unique identifier for Windows operating system installations. Stokes faces charges including criminal conspiracy, fraud, extortion, and computer crimes, stemming from an alleged $8 million ransomware extortion attempt against a luxury jewelry retailer.
The affidavit supporting the charges details how Microsoft telemetry, linked to Stokes' GDID, tracked his activities from at least 2024 through 2025. This data allegedly connected him to various illicit activities conducted under the Scattered Spider banner. Researchers note that Scattered Spider is believed to have originated from a younger, Western-based hacking community known as "The Com." The GDID, described as a persistent, device-level identifier, is assigned upon operating system installation and can uniquely identify a specific Windows installation on a device.
However, the path to Stokes' apprehension may have begun even earlier, with a significant misstep involving a threat made to cybersecurity researcher Allison Nixon, chief research officer at Unit 221B. Around September 2022, Stokes allegedly sent Nixon death threats after being mistakenly informed she was investigating him. Nixon, who was not investigating him at the time, leveraged her professional network to privately alert major internet service providers, social media companies, telecommunications firms, and financial institutions about the threat actor.
Nixon stated that this information marked Stokes as a target, and he was "doxed quickly and shared between the companies." These entities then reportedly monitored his activities in secret for years without his knowledge. The FBI affidavit corroborates this surveillance, detailing instances where the same GDID was traced to an IP address at Stokes' residence in Tallinn, Estonia, in June 2024. Further telemetry showed the GDID accessing Stokes' Apple and Snapchat accounts from a New York City IP address in November 2024, coinciding with his documented travel to the city.
The affidavit also outlines a specific incident in May 2025 where the GDID, linked to an ngrok software account, was used to connect to the website of "Company F," the luxury jewelry retailer. Investigators allege that Stokes and his co-conspirators used tools like Teleport.sh to exfiltrate approximately 77 GB of data from the retailer, storing it in an Amazon S3 instance. They then allegedly demanded $8 million in cryptocurrency for the deletion of this data.
While the GDID played a crucial role in linking Stokes to his devices and online activities, experts caution that it was not the sole piece of evidence. Affidavits typically present only enough evidence to establish probable cause, with additional evidence reserved for trial. The case serves as a stark reminder that even sophisticated cybercriminals can make critical errors that expose their digital footprint.
Nixon emphasized that Stokes was "a marked man before the events described in his criminal charges started." She added that he was caught before he became cautious, and even when he did adopt more careful practices, the companies already possessed his behavioral patterns, leading to repeated detections. This suggests a pattern of behavior that, once flagged, made subsequent evasions increasingly difficult.