Windows Device ID Linked Alleged Hacker to Jewelry Store Breach
Federal prosecutors linked an alleged Scattered Spider hacker to a network intrusion at a luxury jewelry retailer using a persistent Windows device ID, according to a newly unsealed federal complaint filed in the U.S. District Court for the District of Massachusetts. Microsoft records, obtained by the FBI, tied the unique device ID first to the compromised account used by the attackers to maintain access during the May 2025 intrusion. This same ID was subsequently linked to online accounts that prosecutors allege belong to 19-year-old Peter Stokes.
The complaint details how the attackers exploited vulnerabilities to gain initial access to the retailer's systems. Once inside, they established persistence using the identified Windows device ID, which allowed them to maintain a foothold and exfiltrate data. The FBI's investigation, supported by Microsoft's cooperation, was able to trace the digital footprint back to Stokes through the persistent device identifier.
Scattered Spider, a hacking group known for its sophisticated social engineering tactics and focus on targeting telecommunications and IT service providers, has been linked to numerous high-profile cyberattacks. The group's methods often involve impersonating IT support to trick employees into granting remote access to corporate networks. The use of a persistent device ID represents a key piece of forensic evidence in this case, demonstrating how attackers attempt to maintain access even after initial security measures are potentially triggered.
This case highlights the critical role of device identifiers in cybersecurity investigations. Such unique IDs can provide a direct link between malicious activity on a network and the specific devices and accounts involved. The unsealing of the complaint underscores the ongoing efforts by law enforcement agencies to identify and prosecute individuals responsible for significant cybercrimes, leveraging technical evidence to build cases against alleged perpetrators like Peter Stokes.
Original source — read the full reporting at the publisher:
Read on The Hacker News