A hooded figure fills the frame at a monitor
Scattered Spider, linked to over 100 attacks and $100M in ransom, often infiltrates via social engineering rather than code, as seen in the case of Peter Stokes. (Image is AI generated) IBTimes UK

Every Windows machine carries a quiet identifier called a Global Device Identifier, and US court papers have just shown it can tie a computer to a person's online activity even when that person hides behind a VPN. For British firms already battered by the Scattered Spider crime group, the lesson is uncomfortable: the anonymity your staff assume from a VPN stops at the network, not the device on their desk.

The identifier surfaced in a superseding criminal complaint filed in the Northern District of Illinois against Peter Stokes, a 19-year-old dual US-Estonian citizen accused of belonging to Scattered Spider. According to the complaint, a Microsoft representative described the Global Device Identifier, or GDID, as a persistent, device-level identifier that uniquely marks an installation of Windows. Investigators used it to place a specific machine at the scene of a hack.

What the Court Papers Actually Show

The detail that matters for privacy is how the trail was joined. Scattered Spider members used a tunnelling tool called ngrok and a commercial VPN to mask their traffic, per the complaint. Investigators obtained connection records from both providers, then asked Microsoft for its own records. Microsoft's data showed that at the exact minute the ngrok account was created, a Windows device carrying one specific GDID was active. The VPN hid the network path. It did not hide the machine.

That distinction is the whole story, and it is widely misunderstood. The GDID did not 'see through' the VPN. It sat entirely outside it, at the level of the operating system and its link to Microsoft's cloud, where a VPN offers no cover at all.

A Warning Britain Already Understands

Scattered Spider is not an abstract threat to UK boardrooms. The same group, also tracked as Octo Tempest and UNC3944, has been linked to attacks on Marks & Spencer, the Co-op, Harrods, Transport for London, and Jaguar Land Rover. The US Justice Department says the wider collective is tied to more than 100 intrusions and over $100M (£74.8M) in ransom payments.

Its method rarely involves clever code. In the case against Stokes, attackers allegedly phoned a company IT helpdesk posing as staff, talked their way into a credential reset, and seized administrator accounts within hours. The firm refused an $8M (£6M) ransom but still absorbed around $2M (£1.5M) in disruption and recovery costs.

Why Businesses Should Pay Attention to the ID Itself

For a company, the GDID raises a governance question that sits apart from the crime. It is a stable marker that Microsoft holds, links to IP addresses and activity, and can hand over to authorities under lawful demand. There is no published Microsoft policy setting out exactly when GDID data is shared, no consumer opt-out toggle, and no transparency report breaking out how often it happens. The case has spread quickly among security commentators, as the widely shared summary below illustrates.

Researchers who examined the identifier after the case stress what it is not. It is not generated from your hardware serial numbers, and reinstalling Windows produces a fresh one, so the wilder online claims overstate it. It is tied to the Connected Devices Platform that powers features like Phone Link, which means even a device set up with a local account still generates one. Turning it off is not a single switch.

For most businesses, the practical takeaway is not panic but perspective. A VPN is a network tool, and it protects the network layer. It was never designed to anonymise the endpoint, and treating it as blanket privacy is a mistake auditors and data-protection officers should note.

The Bigger Point for UK Data Governance

None of this makes Windows unusual. Apple and Linux systems keep comparable device identifiers, and providers routinely disclose stored data when served a valid legal order. The Stokes case simply dragged one of these quiet markers into open court and showed how precisely it can locate a machine.

For UK firms considering privacy promises, staff monitoring, and incident response, the message is clear: attribution now occurs at the endpoint, telemetry is more comprehensive than most realize, and the tools employees trust to stay private do not access the identifiers their operating system broadcasts. Whether regulators will take an interest remains an open question.