Microsoft device telemetry key to unmasking alleged Scattered Spider hacker
4 hours ago
- #Extradition
- #FBI Investigation
- #Cybercrime
- Peter Stokes, a 19-year-old American-Estonian, was extradited from Finland to the U.S. on hacking charges linked to Scattered Spider.
- An FBI affidavit ties him to an $8 million ransom demand via a Microsoft Global Device Identifier (GDID) that was unmasked despite VPN use.
- Microsoft's cyber security researchers provided the GDID, which is used for diagnostics and abuse detection, after a court order based on ngrok service records.
- The GDID's IP history matched logins to Stokes's Snapchat, Apple, and Facebook accounts in locations like Tallinn, New York, and Thailand.
- Snapchat logs were crucial, showing posts of lavish travel and wealth, with IP addresses aligning closely with GDID access times.
- Apple and Facebook records further corroborated login overlaps in New York, Thailand, and Tallinn dating back to June 2024.
- Stokes faces six charges, including four related to the ransom demand against a luxury goods retailer and two for conspiracy within Scattered Spider.
- His arrest occurred on April 10 in Finland while boarding a flight to Japan, as part of the FBI's Operation Riptide targeting Scattered Spider's extensive cybercrimes.