U.S. prosecutors charged 19-year-old dual U.S.-Estonian citizen Peter Stokes over an alleged Scattered Spider intrusion in which attackers socially engineered a luxury retailer’s IT help desk, reset credentials and MFA, accessed privileged accounts, stole data, and attempted to extort the company for $8 million in cryptocurrency. Court filings say the May 2025 attack caused roughly $2 million in operational losses even though the victim restored access without paying, and investigators say at least 77 GB of data was exfiltrated during the breach.
Authorities said Microsoft telemetry played a central role in identifying Stokes, with a persistent Windows Global Device Identifier (GDID) tying activity from the intrusion to his device and online accounts. Investigators also linked infrastructure used in the attack, including ngrok tunneling and a Tzulo-hosted VPN proxy, before correlating the same identifier with accounts on Apple, Snapchat, Facebook, and Ubisoft/Growtopia across locations including Estonia, New York, and Thailand. Stokes was arrested in Finland while attempting to board a flight to Japan, extradited to the United States, and now faces federal charges including conspiracy, computer intrusion, wire fraud, and violations of the Computer Fraud and Abuse Act.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft publicly acknowledged the Windows Global Device Identifier (GDID), a persistent identifier associated with Windows installations using a Microsoft Account. Reporting said GDID is generated during provisioning, persists across updates, and lacks a standard user-facing option to view, reset, or disable it without affecting some Microsoft services.
A Justice Department complaint described how investigators used Microsoft’s Global Device Identifier, along with ngrok, Tzulo, and IP address records, to connect account activity to a Windows device allegedly tied to Peter Stokes in Estonia. The filing also alleged Scattered Spider accessed more than 100 corporate networks and obtained over $100 million in ransom payments.
Prosecutors allege Peter Stokes participated in a May 2025 social-engineering intrusion against a U.S. luxury jewelry retailer, using help-desk impersonation and MFA reset tactics to access privileged accounts. Attackers stole data, used ngrok for tunneling, exfiltrated at least 77 GB, and attempted to extort the victim for $8 million in cryptocurrency.
After extradition to the United States, Peter Stokes appeared in federal court in Chicago. He faces federal charges including conspiracy, computer intrusion, wire fraud, and Computer Fraud and Abuse Act violations.
Authorities arrested Peter Stokes in Finland while he was attempting to board a flight to Japan. The arrest was carried out with assistance from U.S. authorities, the FBI, Finland's National Bureau of Investigation, and Microsoft.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
12 references tracked. Mallory keeps watching after this page renders.
ghacks.net
Open sourcewindowslatest.com
Open sourcetomshardware.com
Open sourcecyberveille.ch
Open sourcetomshardware.com
Open sourcecyberveille.ch
Open sourcecyberveille.ch
Open sourcehelp.apple.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.