The End of the Era of Anonymous Domain Names
The GDID Digital Footprint and the Collapse of Scattered Spider

The apprehension of 19-year-old Peter Stokes, a dual US and Estonian citizen, reads like a plot from a techno-thriller. A flight from Finland to Japan ended in an encounter with law enforcement acting on data provided by Microsoft. Stokes is suspected of affiliation with Scattered Spider—a collective that has earned a reputation as one of the most dangerous players in the cybercrime landscape. Operating under aliases such as Octo Tempest or UNC3944, the group specializes less in hunting for code vulnerabilities and more in exploiting the human element through sophisticated social engineering.
The scale of Scattered Spider's operations is staggering: according to the US Department of Justice, the total ransom payments collected by the group have exceeded $100 million. A pivotal episode occurred in May 2025 during an attack on a luxury jewelry dealer in the United States. The perpetrators employed a classic yet effective tactic: using Google Voice, they contacted the company's IT support desk, impersonating employees. The manipulation worked—support reset the credentials, granting the attackers access to three accounts, two of which held administrative privileges. This resulted in the seizure of critical data and a ransom demand of $8 million in cryptocurrency.
Although the company managed to restore its infrastructure without paying the ransom, indirect losses stemming from business downtime amounted to approximately $2 million. It was this specific incident that triggered the detailed tracking of digital footprints, eventually leading investigators to Stokes. The decisive factor in this process was the GDID (Global Device Identifier).
GDID is a unique global identifier assigned to every Windows installation. This mechanism is designed for telemetry collection and system health monitoring, which explains why Windows licenses are often revoked when key hardware components are replaced—the system simply ceases to recognize the device. However, for the FBI, the GDID became the perfect "digital anchor," allowing them to link specific physical hardware to network activity and the user's geographic location.
Investigators gained access to a comprehensive report documenting timestamps of web activity, video game usage history, IP addresses, and the use of specialized toolsets, including Ngrok—a service for creating secure tunnels frequently used by hackers to bypass firewalls. Even activity status on the Azure cloud platform became part of the evidentiary base. In effect, the operating system maintained a continuous log of the user's actions, which was subsequently handed over to law enforcement.
This precedent has sent shockwaves through the cybersecurity and human rights communities. It demonstrates just how invasive modern software telemetry can be. What was long perceived as redundant data collection for "improving user experience" has proven to be a powerful forensic tool. The situation is exacerbated by the fact that Microsoft has already demonstrated a willingness to cooperate with government agencies regarding data access—for instance, providing BitLocker encryption keys under court order.
Consequently, the Scattered Spider case highlights a new reality: in an era of total telemetry, anonymity is becoming virtually unattainable for users relying on proprietary systems. The line between OS functionality and surveillance has irrevocably blurred, turning every device into a potential witness against its owner.

