A Windows Device ID Helped Trace an Alleged Scattered Spider Hacker to a Jewelry Heist

Federal prosecutors say a single hardware identifier tied a May 2025 intrusion at a luxury retailer to the online accounts of a 19-year-old.

ThreatVectr Newsdesk· 4 min read
Full-frame edge-to-edge photoreal editorial image of a darkened luxury jewelry display case at night, glass reflecting faint blue digital patterns suggesting ne
Share

Key points

  • U.S. prosecutors have charged 19-year-old Peter Stokes in connection with a May 2025 break-in at a luxury jewelry retailer, according to a newly unsealed federal complaint.
  • Investigators linked Stokes to the intrusion using a persistent Windows device ID, a unique tag Microsoft assigns to each Windows computer that signs into its services.
  • Microsoft records showed the same device ID appeared on both the attacker account used during the intrusion and personal online accounts prosecutors say belong to Stokes.
  • The case is tied to Scattered Spider, a loose group of mostly young English-speaking hackers known for tricking corporate help desks into resetting employee passwords.

A teenager left a trail his hoodie could not hide.

U.S. prosecutors have charged 19-year-old Peter Stokes over a May 2025 break-in at a luxury jewelry retailer, according to a federal complaint unsealed this week. The name of the retailer has not been made public in the filing summarised so far.

The interesting part is how they say they found him.

Investigators relied on something called a Windows device ID. That is a unique tag Microsoft quietly assigns to each Windows computer when it signs into Microsoft services, a bit like a serial number that follows the machine around online. Users do not see it. It does not change when you swap accounts.

According to the complaint, first reported by The Hacker News, Microsoft records showed the same device ID sitting behind two very different things. One was the account the hackers used to keep their foothold inside the jeweler's network during the May intrusion. The other was a set of personal online accounts prosecutors say belong to Stokes.

Same machine. Two identities. That is the thread the FBI pulled.

How did investigators actually catch him?

By asking Microsoft who else that computer had logged in as. Once the attacker signed into a Microsoft service from their own laptop, even briefly, that device ID was recorded. When agents later asked Microsoft to look up the same ID against other accounts, personal ones surfaced. Prosecutors say those accounts point to Stokes.

It is a reminder that operational security is hard. Career criminals spend years learning to keep work devices and personal devices separate. Teenagers, generally, do not.

Who is Scattered Spider?

Stokes is alleged to be part of Scattered Spider, a loose crew of mostly young, English-speaking hackers who have caused enormous damage over the last two years. Their signature move is not exotic malware. It is a phone call.

Members ring a company's IT help desk, pretend to be a stressed employee locked out of their account, and talk the support agent into resetting the password or moving the two-factor code to a new phone. It is social engineering, meaning manipulating people rather than hacking software. Once inside, they roam corporate systems, steal data, and often bring in a ransomware partner, malicious software that scrambles a company's files until a ransom is paid.

The group has been tied to intrusions at casinos, airlines, insurers and retailers on both sides of the Atlantic. Several alleged members, all in their late teens or early twenties, have now been arrested in the U.S. and U.K.

What does this mean for ordinary customers?

If you shopped at a luxury jewelry retailer in the spring, you may eventually receive a breach-notification letter. Watch the post and your email inbox for one. The complaint does not yet detail which categories of personal data were taken, or how many customer records were exposed.

In the meantime, sensible steps if you think your details sat in that retailer's systems:

  • Turn on multi-factor authentication, an extra login code sent to your phone, on any account that reuses the same email address.
  • Be sceptical of calls or emails that reference a recent jewelry purchase and ask you to "confirm" card details. That is exactly the kind of hook this data would enable.

Regulators including the FTC in the United States, and the ICO in the United Kingdom if any British customers were affected, would take jurisdiction over any formal breach notification. None has yet been published in this case.

© 2026 Threat Vectr