The Scattered Spider complaint includes some pretty striking details about Microsoft telemetry.
The DOJ affidavit describes a GDID (Global Device Identifier) tied to a specific Windows installation, acting as a persistent identifier unless the OS is fully wiped. Microsoft telemetry linked to this GDID reportedly included visited websites, changing IP addresses over time, and other internet activity signals collected in the background.
According to the filing, Microsoft was able to correlate this data across sessions, effectively tying together browsing activity and network connections even when IP addresses were changing through VPN use. In practice, the VPN didn’t really break the chain of correlation once everything was tied back to the same device identifier and telemetry stream.
When they say “web activity” I wonder if that means he was using Edge? Or perhaps the start menu search wasn’t turned off? (games played is likely game bar telemetry?)
It is insane to me that a hacker is using Windows with stock settings because I assume this much information isn’t transmitted with even slight amount of configuration lol, guess criminals usually aren’t very smart but wow
The suspect is 19 years old and literally took pictures of his crimes and posted them to Snapchat. So OPSEC was not strong.
With that said, the Windows telemetry which Microsoft was able to provide to the FBI is extensive and defeats all normal attempts at anonymity. I do not know if this is able to be turned off at the user level or blocked at the network level.
In anycase, make this example 3,568 of why Windows is trash.
So basically, they first tied one of IP addresses to his activity, then asked Microsoft which Windows Global Device Identifier was associated with that IP. Microsoft identified the GDID and then provided logs showing that the same GDID had visited ngrok (including the signup page), used Tzulo VPN/proxy servers (including the same exit IP used to create the ngrok account), visited Company F’s website, Growtopia/Ubisoft login pages, and that the same GDID was consistently associated with the IPs used to access his Apple, Facebook, and Snapchat accounts across multiple countries (Estonia, New York, and Thailand).
If all of this is accurate, it’s honestly pretty shocking how much information Microsoft collects.
This case really drives home how weak Windows privacy is, since a single device ID can bypass a VPN and expose your entire activity history. I’m all for fighting for strong privacy rights and security for everyone, but that shouldn’t mean using these tools to break the law or hide criminal acts. We need better protections for regular users without inadvertently aiding malicious actors.
Privacy tools are morally neutral. There is no way, on a technical level, to block malicious actors but not legitimate ones. This is something many governments continually fail to understand (looking at you UK). The proper place for investment of government energy is in helping to secure critical digital infrastructure instead of hoarding zero-days for their own surveillance purposes.
It doesn’t matter whether it’s default settings or not. There’s no way to disable this. In any case, the system collects and sends HWID/GDID to servers during updates, license checks, activation, etc.
He could use split tunneling to proxy only the necessary applications, bypassing system services, or simply use a VPN extension in the browser. Use a firewall to block unnecessary connections. Or just switch to Linux.
But, as I can see, he even had a Microsoft account, the VPN IP addresses weren’t changed, and they were used for everything, which led to a bunch of IP leaks.
Is that GDID thing sent to MS servers only when the user signs in to his/her microsoft account? Or is it force sent regardless of whether the Windows installation is tied to an account?
He probably left telemetry enabled, and I believe he was using Edge with SmartScreen. But the fact that Microsoft tracks IPs and links them to unique IDs is concerning by itself.
You have to block the subdomains too.
If someone is willing to use the Edge browser or Windows, for example, and wants greater privacy, block all IPs and domains belonging to the Microsoft corporation and its “affiliates, partners, etc.”.
In such cases, to install updates manually (security patches, system updates, etc.) without relying on Windows Update as if you were offline, you can install them manually yourself. It may or may not require external tools. It will take a bit more time and the willingness to do it.
A teenager allegedly used a VPN to cover his tracks while hacking a US jewelry retailer, but Microsoft knew anyway.
Court documents unsealed in the US case against Peter Stokes, a 19-year-old dual US-Estonian citizen accused of being a member of the notorious Scattered Spider hacking group, reveal that Microsoft provided the FBI with records tied to a tracking mechanism called the Global Device Identifier, or GDID.
- DIGITAL TRENDS
The identifier, which is automatically assigned to every Windows installation, was enough to link Stokes’ computer to specific websites and third-party services, even though he was running a VPN.
I feel like there isn’t enough attention pointed to the fact that, in the report, point 26, Microsoft records had a log of the exact URL he was on when creating the account? It is a https website, but they specifically knew that he was on ngrok dot com / signup, not just ngrok dot com. This could be explained pretty easily by “He was using Edge browser and had all the telemetry settings on which sent all the URLs he visited to microsoft defender which in turn logged every single site he was accessing with a timestamp” rather than “Windows is indefensibly spying on every single URL you visit no matter what measures you take”. I know that the court document isn’t a technical report by any means but there’s probably a reason they were very vague with the details but went out of their way to bring up some OS ID that no one has ever heard of.
“eteszi”'s claim of “There’s no way to disable this.” also seems a bit far fetched to me considering this could very well be a setting you can disable in the windows settings GUI, a setting that O&O10 would block with the default “yes” settings, or something you could easily evade by having something akin to simplewall set to block by default and interactively allowing applications to use the internet.