image of Microsoft's Secret Windows Identifier Helped The FBI Track A Scattered Spider Suspect - HelloExpress - 2

TLDR

  • The FBI identified a Scattered Spider suspect using Microsoft’s Global Device Identifier (GDID), a Windows-level fingerprint nobody agreed to.
  • The GDID tied his computer to suspicious ngrok traffic against a luxury jeweler, which led the FBI to a New York hotel — and a Snapchat selfie.
  • Reinstalling Windows does not delete the GDID; Microsoft still has the old one in its system.
  • Microsoft’s only public mention of the GDID is buried in an obscure Azure technical doc that nobody is likely to read.
  • macOS, Android, and iOS almost certainly have equivalent fingerprints — Linux is the only practical way to actually opt out.

How A Secret Windows ID Helped The FBI Track A Hacker

Most people know Windows collects a lot of telemetry. The exact mechanism of how that telemetry can finger a specific device — even across reinstalls — became painfully clear this week in the case of Peter Stokes, a 19-year-old extradited from Finland and accused of working with the criminal hacking crew Scattered Spider.

image of Microsoft's Secret Windows Identifier Helped The FBI Track A Scattered Spider Suspect - HelloExpress - 3

The FBI’s criminal complaint pins the identification on Microsoft’s Global Device Identifier, or GDID — a device-level fingerprint that Windows quietly assigns to every installation of the operating system. According to Microsoft, the GDID is “designed to uniquely identify an installation of a Windows operating system on a device.” In practice, that means every Windows install carries a serial number Microsoft can read back later, even on a virtual machine.

What Microsoft Actually Handed Over

According to the complaint, Microsoft gave investigators records tying Stokes’ machine to suspicious ngrok activity — a web tunneling tool that was being used to bypass defenses at “Company F, a luxury-jewelry retailer” and keep persistent access to its data center. Knowing the GDID gave the FBI a running history of IP addresses that device had touched.

image of Microsoft's Secret Windows Identifier Helped The FBI Track A Scattered Spider Suspect - HelloExpress - 3
image of Microsoft's Secret Windows Identifier Helped The FBI Track A Scattered Spider Suspect - HelloExpress - 5

To pin those IPs to Stokes specifically, the FBI cross-referenced the IP log against logins to accounts already linked to him — Apple, Snapchat, Facebook, and his Growtopia game account. One of the IPs traced to a New York hotel that investigators say matches the interior visible in a Snapchat selfie showing Stokes covering his face with a wad of $100 bills. That detail is unlikely to help his defense.

Charges against Stokes include conspiracy, cyber intrusion, and fraud offenses tied to over $100 million in ransom payments across more than 100 corporate intrusions since 2022. The legal process here used court orders and subpoenas — so this is the system working as intended. The privacy concern is what the system is capable of doing once it starts working on you.

Why The GDID Is Harder To Dodge Than You’d Think

The uncomfortable part of the GDID isn’t that it exists — every major commercial OS, including macOS, iOS, and Android, almost certainly has something equivalent. The uncomfortable part is how lopsided the consent model is around it. You’re never asked to agree to the GDID. There is no toggle in Settings to disable it, no privacy screen to click through, no checkbox to uncheck.

Reinstalling Windows gives you a new GDID for that device, but it doesn’t erase the previous one from Microsoft’s systems — so the identifier still travels with your hardware history. The only documented reference to GlobalDeviceId on Microsoft’s own site lives buried inside an obscure Azure Monitor table reference that no normal user is ever going to stumble across. That is the entire extent of Microsoft’s public disclosure.

For Windows users who care about this, the practical options are thin. Microsoft offers no first-party way to opt out of the GDID, and even privacy-focused workarounds like [skipping the Microsoft Account login during Windows 11 setup](https://helloexpress.net/guide-new-way-to-skip-microsoft-account-login-when-setting-up-windows-11-setup/) won’t strip it — the identifier is generated at the OS level, not the account level.

Our Take

It’s tempting to read this case as a crime story — and it is one — but the more useful frame is as a product story. Microsoft ships an identifier that is invisible to users, undocumented outside an Azure reference page, and survives the one move most people would think fixes privacy concerns (a clean Windows reinstall). That combination — invisible, permanent, undocumented — is the actual issue, not the fact that the FBI used it with a warrant.

For Malaysian users running Windows on a personal laptop, the honest answer is that you’re probably already in Microsoft’s identifier database whether you want to be or not. A VPN still helps — it keeps your IP and browsing history away from your ISP — but it does nothing to stop the OS itself from reporting a stable device fingerprint back to Microsoft on its own schedule. The only practical way to fully opt out of this category of tracking today is to switch to a Linux distribution, accept the equivalent risk on macOS, or just live with it.

The bigger question this case forces is one of ownership: when you buy a laptop, do you also buy the right to be the only one who can identify it? Microsoft’s current answer, in code rather than in policy, is no.

Source

You may also like

Leave a reply

Your email address will not be published. Required fields are marked *