The Department of Justice, with the help of the FBI and Finland's National Bureau of Investigation, has arrested a teenager it says is part of Scattered Spider. 19-year-old Peter Stokes is a dual U.S.-Estonian citizen who was trying to board a flight to Japan from Helsinki when law enforcement caught up with him. Microsoft's GDID also played a part in Stokes being apprehended. The accused is now awaiting trial, having been charged with conspiracy, cyber intrusion, and fraud.
GDID stands for Global Device Identifier; it's a unique identifier assigned to every Windows install that tracks device-specific telemetry. It's the reason why sometimes changing a major component in your PC can revoke your Windows license. Anyhow, the court documents from the case reveal that Stokes used Windows, from which investigators were able to link his physical hardware to specific internet activity and locations.
From what we can tell, GDID pretty much had a comprehensive report on Stokes ready before the prosecution even built its case, and it was only a matter of connecting the dots. Stokes' web activity, videogame history, IP addresses, tool usage (including Ngrok), Azure status, and more were logged with timestamps and were provided to the investigators by Microsoft.
I know I am preaching to the choir here, but DON'T use Windows. Insane how much data they collect.
