A US federal complaint revealed how the FBI used Microsoft's barely documented Global Device ID to trace an alleged Scattered Spider member through his VPN. Proton says the identifier raises hard questions about consent and who really controls the hardware you pay for.
Proton, the Swiss company behind Proton VPN and Proton Mail, published a blog post on July 7 arguing that the Windows Global Device Identifier (GDID) is fresh proof that Microsoft's operating system behaves like spyware. The trigger was a federal criminal complaint that surfaced this month, describing how the FBI used the identifier to unmask an alleged member of the Scattered Spider hacking group despite his use of a VPN.
The suspect, 19-year-old Peter Stokes, a dual US-Estonian citizen, was arrested in Finland while trying to board a flight to Japan and later extradited to the United States. He made his first court appearance in Chicago on June 30, 2026, and faces conspiracy, computer intrusion, and fraud charges in the Northern District of Illinois. He is presumed innocent pending trial.
The complaint centers on a May 2025 intrusion at "Company F," an unnamed luxury-jewelry retailer. According to the FBI affidavit, attackers phoned the retailer's IT help desk, posed as locked-out employees, and talked staff into resetting passwords and multifactor authentication, then used the tunneling tool ngrok to keep access to the company's network. Prosecutors tie Scattered Spider as a group to more than 100 corporate intrusions and over $100 million in ransom payments.
The investigative pivot came from Microsoft. According to the affidavit, Microsoft records showed that a specific GDID accessed ngrok's signup page at the exact minute the account used in the attack was created, on May 12, 2025. A Microsoft representative, quoted in the affidavit, described the GDID as a "persistent, device-level identifier designed to uniquely identify an installation" of Windows, on physical machines and virtual ones alike.
Knowing the GDID gave the FBI something a VPN cannot hide, a history of IP addresses the device had used over time. Investigators cross-referenced that history against logins to Apple, Snapchat, Facebook, and Growtopia accounts attributed to Stokes, and matched the locations, including Tallinn, New York, and Thailand, against State Department travel records and the suspect's own social media posts.
Proton's objection is not that the FBI used lawful process. The company concedes the system worked as intended here, through court orders and subpoenas. Its argument is about everyone else. Users are never asked to consent to the GDID, Proton says, there is no straightforward way to remove it, and reinstalling Windows only generates a new identifier while the old records remain in Microsoft's systems. Proton says it found exactly one mention of GlobalDeviceId in Microsoft's public documentation, buried in an obscure Azure Monitor reference page.
There are caveats. Tom's Hardware reported that the court documents do not specify which telemetry mechanism uploaded the data, and that URL-level telemetry of this kind likely requires the Optional or Full diagnostic data setting rather than the default. It is notable that Apple maintains comparable device identifiers and that Linux systems carry a machine-id of their own, which complicates the idea that switching operating systems is a clean escape. Proton itself acknowledges that macOS, Android, and iOS can almost certainly identify devices uniquely, and recommends open-source systems such as Linux for those unwilling to accept that. Proton, which sells VPN and privacy products, also has an obvious commercial stake in this argument.
Get the ICD Newsletter
Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.