Finnish Hacker's Arrest Exposes Microsoft's Persistent Windows Tracking ID

Published by

A 19-year-old hacker in Finland was arrested and extradited to the U.S. after FBI records linked his VPN activity to a persistent Microsoft Global Device Identifier. The unsealed complaint reveals how Windows tracks users across services, sparking renewed privacy concerns about "surveillance software" and the limits of digital anonymity.



Microsoft Tracks Users via Windows Device ID After Finnish Hacker's Arrest Exposes Persistent Fingerprint

A 19-year-old hacker in Finland just got his operational security blown by the operating system he was running. That's the message from a criminal complaint unsealed July 1, 2026, in the Northern District of Illinois, which lays bare how Microsoft tracks users through a persistent Windows Device ID, even when they believe they're anonymous.

Peter Stokes, a dual citizen of the United States and Estonia, is charged with conspiracy, computer intrusion, and fraud. According to the 39-page complaint, Stokes is an alleged member of Scattered Spider, a hacking group known as "Octo Tempest" or "0ktapus." The FBI arrested Stokes in Finland in April 2026 under an Interpol Red Notice and extradited him to the U.S. in early July.

Stokes is accused of helping Scattered Spider breach a luxury jewelry retailer in May 2025. The group exfiltrated data and demanded roughly $8 million in cryptocurrency. Security personnel evicted the threat actors, and the retailer refused to pay. The business suffered at least $2 million in losses from the disruption, investigation, and mitigation. Stokes is 19 years old. That's it.

Here's where the story gets sticky for privacy advocates. Stokes used a VPN. He thought he was hidden. The FBI didn't care. They subpoenaed Microsoft records, which linked his IP address to a Global Device Identifier, or GDID, tied to his specific Windows installation. That ID then showed up accessing specific web development tool pages and other sites. The fingerprint connected him to the crime.

Mstrack

The Global Device Identifier

Microsoft defines the GDID as a "persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device or virtual machine, across certain Microsoft services and scenarios."

Translation: it sticks to your Windows install like a shadow.

The ID survives reboots, persists over time, and works across Microsoft services without a clear opt-out mechanism. You might think you can reset it. You can't, not really. The complaint notes that reinstalling Windows changes the GDID string, but Microsoft can correlate the new ID with the old one using account logins or IP addresses. A "reset" just gives you a new string linked to the same history.

For Stokes, this was the fatal flaw. His GDID appeared in the evidence trail, linking his VPN session to a concrete device. The complaint details how investigators used this to build their case, despite the layers of anonymization he attempted.

"This case demonstrates the power of international law enforcement cooperation," said Assistant Attorney General A. Tysen Duva. "We will continue to partner to ensure that cybercriminals cannot evade the reach of the United States."

The FBI's Chicago Field Office led the investigation, with help from the Copenhagen Law Enforcement Attaché Office and Finland's National Bureau of Investigation. Prosecutors from the Northern District of Illinois handled the case.

What This Means for Privacy

Scattered Spider is no small fry. The group claims over 100 network intrusions and more than $100 million in ransom payments. They target U.S. companies through fraudulent pretenses, then encrypt data or exfiltrate it to remote servers. Last year alone, Americans reported over $20 billion in losses to cybercrime. That's a 26% jump in a single year.

Stokes is part of Operation Riptide, the FBI's ongoing campaign against cybercrime. The arrest shows that even groups with this kind of resources can be tracked by persistent device identifiers.

But at the same time, the complaint raises questions about how this tracking capability is used beyond high-profile arrests. Cybersecurity experts have begun calling Windows "surveillance software" because of this capability. The concern is the potential for mass surveillance without third-party cookies. The GDID doesn't need cookies, browser fingerprints, or your consent. It just needs Windows.

Can you protect yourself?

Experts suggest using alternative operating systems like Linux for enhanced privacy. Active management of the GDID through various tools is another option. But for the average user, the path forward is muddled. You can't easily remove the ID. Microsoft correlates new IDs with old ones. The infrastructure is there, and the legal framework allows law enforcement to access it with a warrant or subpoena.

Microsoft's official definition of the GDID sits somewhere between a technical specification and a legal shield. The company describes it as a tool to identify installations across services. The complaint shows it works just as well to identify users across crimes.

The criminal complaint is an allegation. Stokes is presumed innocent until proven guilty. The legal process will determine whether he is part of Scattered Spider and whether he played a role in the jewelry retailer breach.

However, the technical details in the document don't disappear just because of a presumption of innocence. The GDID exists. Microsoft tracks it. Law enforcement accesses it. The capability is established, and it's not going away.