The FBI traced an alleged Scattered Spider hacker through a persistent Windows device identifier that prosecutors used to connect accounts across multiple platforms. Court documents unsealed in federal court show Microsoft records linked a device ID to accounts used during a May 2025 intrusion at a luxury jewelry retailer, then connected those same accounts to Peter Stokes, 19.

Prosecutors used the Windows device identifier as a linchpin in their investigation. The device ID persisted across the attacker's infrastructure, allowing federal investigators to map connections between the accounts used to maintain access during the breach and online identities tied to Stokes. This technical linking proved sufficient for prosecutors to file charges in the case.

Scattered Spider, also tracked as UNC3944 by security researchers, operates as a cybercriminal collective known for targeting hospitality, technology, and retail sectors. The group uses social engineering and credential harvesting to gain initial access, then maintains persistence through compromised accounts.

The reliance on Windows device identifiers in this investigation underscores how persistent system artifacts can become evidence in digital forensics. Unlike IP addresses or usernames that attackers can rotate or spoof, device IDs remain tied to specific hardware configurations. When an attacker uses the same device across multiple accounts or services, that consistency creates a forensic trail.

For organizations, this case reinforces the value of monitoring device identifiers and correlating them with suspicious account activity. Security teams can detect anomalies by tracking when unusual device IDs access sensitive systems or when legitimate device IDs exhibit behavior inconsistent with their normal patterns.

The case also highlights investigative challenges for actors attempting to cover their tracks. Even when using compromised accounts or proxy infrastructure, forensic overlaps between attack accounts and personal identities can expose operational security gaps. Stokes now faces federal charges related to the jewelry retailer breach.