Your computer already told on you
not a hack. a feature
This article is a bit of a technical one, but no less important than any other I’ve posted so far. Maybe even more important as it’s THAT insidious!
First they came for the hacker
And I did not speak out
Because I was not a hacker
Then they came for the journalists
And I did not speak out
Because I was not a journalist
Then they came for the dissidents
And I did not speak out
Because I was not a dissident
Then they came for me
And there was No1 left
To speak out for me
— paraphrased from Niemöller’s poem
His name is Peter Stokes, and for a hacker, he did mostly everything right.
He had his VPN up the whole time. Traffic was tunnelled through ngrok. IP addresses were hopping between Tallinn, New York and Bangkok like a man working three frequent-flyer schemes at once.
Nineteen years old, dual US-Estonian, and allegedly running with Scattered Spider, an extortion crew that’s pulled in over $100 million across a hundred-plus breaches.
Didn’t matter. one. single. bit.
Maybe first a few technical terms out of the way for the people unaware of those:
IP: See this as your home-address, but online. If the gov has your IP, they know who you are (more or less - not going into too much detail here so stop nitpicking - yes yes, talking to my fellow nerds here :wink:).
VPN: this is (mostly) a software solution that encrypts your traffic and shoves it through someone else’s server first, so whoever’s watching sees that server, not you.
ngrok: a legitimate tool developers use to expose a local server to the internet. Also, apparently, popular with people running extortion schemes who need their traffic to look like it’s coming from nowhere in particular. Purely coincidental, I’m sure.
IP hopping: bouncing your connection through different countries so each request looks like it came from a different place.
On May 12 last year, at 19:21 UTC, someone opened ngrok’s signup page and created the account later used to break into a US jeweller for an $8 million ransom.
Microsoft’s own logs, quoted in the federal complaint, show which machine opened that page, down to the minute. NOT the address the VPN was busy disguising. The machine itself.
That’s more or less the whole article.
So you can stop reading now if you want.
The why and how, THAT is what got me all wired up today.
If you’re using a VPN, you’re supposed to be protected as your real IP isn’t known. So the FBI didn’t know it. VPN is still secure. It’s equally useless now this secret is out in the open.
So pray tell… How did they get to this guy’s name?
They called Microsoft.
Windows has something called a GDID - the Global Device Identifier. It comes straight from Microsoft’s telemetry, and if you have Windows 10 or 11, you have been quietly reporting your own details this whole time. No matter where you are, or hop to in this case.
So pray tell… What IS this GDID?
Glad you asked… I would have never told you otherwise /s
A GDID is, without diving into that acronym soup, is something that every Windows installation gets. It’s not a hardware ID, because hardware can change, it’s passed down the first time your computer reports back to Windows (and oh boy, they REALLY like to call back!!).
Each fresh Windows installation gets a new GDID. Which stays with you forever and ever until the end of time (or until you erase that spyware masking as an operating system).
Think about it like a membership card you never asked for and can’t send back.
And no matter what you do, updates, change a harddrive, add more memory, whatever… It sticks. ONLY that clean reinstall will get you a new one. And even then Microsoft’s side of the ledger still keeps the old one, history attached. So if your reinstallation happens to be from the same IP as the old history? It still can get traced back to you.
Now every time you boot into Windows, a background service registers your device into Microsoft’s internal directory. One user’s own support thread has that service shovelling 250 to 300 megabytes home on a single startup.
Per boot. For a name tag. I’m pretty sure it’s more than a name tag which gets sent.
Separately, there is this update-sharing service that reports the exact same number next to your IP and rough location. Another diagnostics pipeline uploads batches on its own schedule. And if your telemetry sits anywhere that is not equal to “turned completely off”, those batches can carry the web addresses of your browser and the URLs your Defender has been checking against Microsoft in real time.
The GDID rides along with every lookup.
Which brings me back to our (unfortunate) hacker… Those background services are almost certainly how “opened ngrok’s signup page” got a timestamp accurate to the minute. They didn’t even had to guess. Windows knew who you were all along.
Nobody asked you to opt in to any of those channels.
There’s not even an off-switch for this, and no, it’s not what the “Diagnostic data” slider controls. That slider is the digital equivalent of asking the universe to pretty please be quiet. The universe remains annoyingly chatty anyway. Much like Windows.
Normally when you install Windows they ask you to register with a Microsoft account, but there is a workaround: a local account.
However, this doesn’t save you either. There’s a fallback baked in that registers the device anyhow. No human interaction necessary.
Now if you’re curious, you can find this via regedit at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties.
That value converts to the exact format that turned up in the indictment.
Good you know that it’s there. But don’t go pasting this anywhere public: that specific number, plus your account, plus a device detail or two, is PRECISELY the combination that gets someone found.
You don’t go posting your ID card either right?
None of this is hidden, exactly. It’s in Microsoft’s own Azure documentation, described in one flat sentence as an identifier “used by Microsoft internally”.
Technically true. Technically a shark is a fish.
Stokes handed over the rest for free. So maybe not the smartest guy in the room, but give him some slack, he’s only 19…
Snapchat photos of cash, watches and a diamond chain spelling “HACK THE PLANET”.
A selfie from an Estonian police station, captioned about how the feds had no idea what they’d just let walk.
He did great with the VPN, and ngrok. But then couldn’t help but post his own location to the internet with a taunt attached.
Once the GDID tied his device to that ngrok account, the rest was bookkeeping: Apple, Facebook, Snapchat, even a Growtopia login, all lining up on the same IPs, cross-checked against his State Department travel records. Tallinn in one window. New York in another. Thailand after that.
The VPN hid where the traffic came from. But it never mattered.
I think it’s good riddance as those people are not innocent. I mean, they drained businesses for millions!
But the tool that caught him doesn’t check anyone’s intentions. It’s always-on on every Windows 10 and 11 machine on the planet.
There’s no published policy on when Microsoft hands that data to a government, no opt-out for anyone who’d rather not be found, and no report telling you how often this already happened quietly, to people who never make the news.
Oh, and before you go rushing off to the nearest Apple Store. Mac ain’t a refuge.
Because GDID was already taken, they called it DSID (Directory Services Identifier). Similarly, it’s a permanent number welded to your Apple ID. And Apple has your full name, phone number, birth date, email address, …
Their analytics send this number to the home turf every tap you make in the App Store or Music, even when told not to send it. “Share Analytics” is basically lipstick on a pig. Doesn’t do jack shit.
If you’re interested: search for Tommy Mysk.
The only place that can help you is Linux. It DOES have an ID too (/etc/machine-id), but the difference is fundamental. That machine ID is generated from a random source during system installation or first boot - on your box, not handed down by a vendor’s server, and no company keeps a copy.
The manual itself says it should be considered “confidential”, and must not be exposed in untrusted environments, in particular on the network.
Don’t like it? rm the file, reboot, and you got a new one.
No OS-level phone-home by default.
Caveat though: the OS isn’t watching in this case, but the apps you install (Chrome, Spotify, a Google login) still phone home on any OS.
Which ties me to my article from yesterday, as this becomes so much more than a self-incriminating teenager. And where things go with the EU, so they go with the US. Just you wait!
A persistent identifier tied to a real person is personal data under EU law.
There’s no debate even anymore about that. The European Court of Justice settled it years ago, ruling that even a dynamic IP address counts, as long as whoever holds it has a realistic way to link it back to you.
A device ID, plus years of IP history, plus three linked accounts, is well past realistic.
Windows telemetry has already lost this fight here.
Twice.
The Dutch regulator found the collection unlawful in 2017, forced changes, then came back a year later and found Microsoft still running “new, potentially unlawful” processing.
They did updates. Turned out they were doing the wrong homework. I’m sure it’s all a conspiracy theory…
Another government-commissioned assessment went even further: there’s absolutely NO legal basis for most of the diagnostic data, and even worse if you’re forced to use Windows at work, you can’t say the employee consented, because an employee can’t very well tell their employer they’d rather not use Windows today.
Hesse banned Office 365 from its schools outright. Seems children can’t consent to being exposed to possible access by US officials.
So the collection is already on thin ice in the EU. But nothing changed in the decade since this came to light.
But wait… There’s more… There’s always more… This gathered data doesn’t even stay in the EU. It goes straight to the servers in the United States. I mean, I trust the US more than I would trust China or Russia, but it’s a very close competition…
In 2015 the EU struck down “Safe Harbor” because data in the US was gobbled up immediately by the intelligence services once the data landed.
Now they’re calling it “Privacy Shield”. Sounds fancy. Sounds trustable. Struck down in 2020, same reasonings. (and I paraphrase: “the US is not trustworthy with our plebs data”)
So not to be deterred - and to employ at least some creative talent - they came up with a new name: “the EU-US Data Privacy Framework” (born 2023). Copy/pasted the whole damn thing, adjusted the font.
It’s basically Microsoft self-certifying, promising that the American body overseeing this, the FTC, is independent enough that Europe can trust it.
I’m guessing Peter has some objections right about now.
The US Supreme Court ruled a bit ago that the president can fire FTC commissioners whenever he likes, no cause required.
That decision that the US’ protection is “adequate” leans on that independence. Repeatedly. Which is kind of awkward when the decision is in the hands of just one person.
Max Schrems noticed. He tends to. The Austrian who killed the previous two frameworks wrote to the Commission the day after, arguing the ground under this one had gone the way of the dodo.
He’s now filing a third challenge. People are already calling it Schrems III, at this point less a lawsuit than a release cycle.
The redress side is even worse.
The thing meant to let an ordinary European complain when their data is misused runs through a “Data Protection Review Court”, which sounds pretty judicial but ain’t.
It’s just an office inside the US Justice Department, set up by executive order, and its judges are appointed by the Attorney General and removable by the president. Yup, the same one that can fire FTC commissioners.
“Independent”, right?
The current administration already fired all Democratic members early last year, leaving it short of the numbers to rule on anything at all.
The complaints desk was already broken for over a year before the enforcement desk tripped over its own laces this week.
None of this will be switched off tomorrow.
Adequacy decisions die slowly, in court, over time, much like the last two.
The lawyers are now saying what they said before the last two failed: don’t panic, keep the paperwork current. Courts in the meantime, start to notice those recurring plots. Even they get it by version three.
Stokes wasn’t caught because the system has a flaw. He was caught because it works exactly as built, and it was never built to ask first. It was built to know.
That GDID is the ONE identifier that survives a VPN, a proxy, a new IP, a new country… It was carefully built on illusions.
It survives right up until you wipe the disk. And even then Microsoft keeps the old number, because deleting history is hard and keeping it is easy.
The hacker was only the first name on the list.
I’m pretty sure Microsoft will get busy with court requests after govs find out about this VPN-busting method of pinpointing dissidents.
Niemöller never had a device ID.
Lucky bastard.
My other publications:
[Daily Digest] → The news in 5 minutes, without the forty open tabs.
[Portfolio] → What I do with my own money






Too bad, but I personally wouldn't call a windows user a hacker, ever.
This stuff (cybersecurity) is my area of expertise, so a few remarks.
1) Don't mess with your GDID. In the wake of this case, you'll probably encounter well-meaning scripts and guides how to change it, etc. Just don't. It is needed for Windows Updates (this was its original purpose) and if you mess with it, you can fuck up your system pretty bad.
2) Don't use ngrok for anonymity. Or VPNs, for that matter. A VPN has only two valid use cases: a) when you don't trust your Internet service provider (ISP) *and* trust the VPN provider more and b) when you want to mask your geographical location, in order to visit a site that does not allow visits from your area. If you want anonymity, use the Tor browser. Not the Tor window of the Brave browser - the actual Tor browser.
3) For really heavy stuff, when your life or liberty depends on it, don't use your operating system. Not Windows, not MacOS, not even one of the popular Linux distros. Use TAILS. It's a Linux distro made for privacy and anonymity, with the Tor browser and other tools installed. Preferably, boot it from a USB stick (or a DVD), although using it from a virtual machine is acceptable. There are valid alternatives, like using the Whonix distro, but they are harder to set up and use.
4) Don't use smart phones. Ever. Not even "burner" phones. Don't ever turn your (not smart) mobile phone anywhere close to the place from which you're going to do something you could be persecuted for.
Of course, what precautions you really need largely depends on your threat model. If your adversary is Mossad (or equivalent), well... Try faking your own death, go live in a submarine, and you'll still be mossaded upon, as the famous saying goes.