NEWS
The Windows Identifier That Caught a Hacker Cannot Be Turned Off
A persistent Windows identifier called GDID helped the FBI track a Scattered Spider hacker across four countries, and Microsoft admits it cannot be disabled.
A single string of digits buried in the Windows registry followed an alleged hacker through proxy servers and four countries for roughly eight months. Microsoft could not have switched it off even if it had wanted to.
The identifier is called the Global Device Identifier, or GDID, and the company confirmed its existence for the first time in a federal complaint against an alleged member of Scattered Spider, a hacking collective prosecutors blame for more than $100 million in ransom payments. The same mechanism that helped catch him is running quietly on nearly every other Windows PC on the planet, with no consent screen and no switch in Settings that turns it off.
A Registry Key Called LID Holds the Whole Story
Microsoft describes GDID as a permanent identifier assigned the moment Windows provisions against a Microsoft Account, generated by a chain of services most Windows users have never heard of.
The Microsoft Account service, wlidsvc, requests a Device PUID, short for Passport Unique ID, from login.live.com. The Connected Devices Platform then registers that value into Microsoft’s own Device Directory Service. Delivery Optimization, the feature that lets nearby PCs share update files with each other, reports the GDID back to Microsoft’s servers every time it does.
Microsoft’s own scale makes the stakes clear. The company told investors this spring that Windows now reaches 1.6 billion monthly active Windows devices, and GDID exists on any of them signed into a Microsoft Account.
The number itself sits in the registry at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties, under a key named LID, written as the letter g followed by a long decimal string. Prosecutors cited the value g:6755467234350028 more than a dozen times in the Stokes filing. It survives ordinary Windows updates but resets after a full reinstall, and Microsoft’s own footnote in the complaint concedes that a single account can carry more than one GDID over its lifetime.

How Did the FBI Use the GDID to Catch Peter Stokes?
Investigators matched the GDID g:6755467234350028 to an ngrok account opened through a Tzulo VPN proxy on May 12, 2025, then found the same identifier reaching a jewelry retailer’s website three hours later. Cross-referencing that device against Stokes’s Snapchat, Facebook, Apple and Ubisoft logins across Estonia, New York and Thailand closed the case.
At 19:21 UTC that day, Microsoft’s records show the device visited ngrok’s signup page, the exact minute an account tied to the intrusion was created through a proxy run by the VPN provider Tzulo. Three hours later the same identifier reached the site of the retailer prosecutors call “Company F,” a luxury jewelry dealer in the United States.
The attackers had spent three days working the retailer’s IT help desk, calling from spoofed Google Voice numbers and posing as locked-out employees to get three accounts, two with administrator access, reset. From there they used ngrok, a legitimate tunneling tool developers use to reach systems behind firewalls, and a file-transfer tool called Teleport to move roughly 77 gigabytes of data, then demanded $8 million in cryptocurrency. The retailer refused and absorbed roughly $2 million in cleanup costs instead.
None of Stokes’s VPN hops mattered once investigators had the device. The GDID kept surfacing on the same IP addresses as his personal accounts, no matter which proxy sat in between.
- June 2024: The GDID-linked device connects from Tallinn, Estonia, matching activity investigators later tie to Stokes’s home city.
- November 2024: The same device surfaces in New York City, alongside logins to accounts prosecutors attribute to Stokes.
- February 2025: It appears again in Thailand, corroborated by State Department travel records.
- May 12 to 15, 2025: Attackers breach the jewelry retailer, exfiltrate data and demand an $8 million ransom the company refuses to pay.
- April 10, 2026: Finnish police arrest Stokes at Helsinki’s airport as he tries to board a flight to Japan, seizing two 2 terabyte hard drives.
- June 30, 2026: Stokes makes his first court appearance in Chicago following extradition.
Stokes’s own social media did the rest of the work. He posted photos of stacks of cash and diamond chains with a message reading “HACK THE PLANET,” and investigators matched a hotel room selfie to a New York booking tied to the same IP address as his GDID.
No Consent Screen, No Reset Button
Apple and Google both build persistent device identifiers into their operating systems too. The difference, according to researchers who examined the Stokes filing, is what happens before and after.
| Platform | Consent Before Assignment | User-Facing Reset |
|---|---|---|
| Windows (GDID) | None; assigned automatically at Microsoft Account sign-in | No dedicated control; only a full reinstall issues a new value |
| iOS (advertising identifier) | App Tracking Transparency prompt required | Visible reset available to the user |
| Android (advertising ID) | Comparable permission control | Comparable reset provided |
Apple also maintains a separate hardware UUID and an iCloud-linked DSID beyond its resettable advertising identifier, and Linux distributions ship a machine-id of their own. Every major operating system keeps some form of persistent device identity for licensing and fraud checks. Windows is the one that offers no visible dial to reset it.
Turning It Off Breaks Activation
There is a reason Microsoft has never shipped a toggle for GDID. Windows setup sends hardware information to Microsoft during activation and gets identifiers back, the same tokens the system later uses for Microsoft Store access and licensing checks, a dependency Microsoft has documented in pieces for developers building non-packaged Win32 apps that register their identity against a device.
It’s impossible to prevent Windows from getting a GDID without breaking activation and UWP app[s].
Massgrave, the group behind the Microsoft Activation Scripts project, wrote that after digging into how Windows setup ties hardware information to the identifiers Microsoft issues back. Anyone who has ever lost a Windows license after swapping a motherboard has already met a smaller version of the same system.
Security Researchers Call It Surveillance Software
Reaction spread fast once the filing became public. Malware researchers at vx-underground noted that GDID device tracking played a critical role in the case despite being mostly undocumented, while Gamers Nexus, the YouTube tech review channel run by Steve Burke, posted that the outlet has little love for Windows and stays on the platform for one remaining piece of software.
Microsoft Windows is surveillance software.
Matthew Hickey, a cybersecurity researcher, wrote that in a social media post reacting to the case.
Costin Raiu, a security researcher who co-hosts the Three Buddy Problem podcast, asked on air how much similar functionality might already exist on other platforms. A privacy researcher who posts as IT Guy on X argued that Microsoft has no public policy on when it shares GDID data, no known opt-out, and no transparency report covering GDID disclosures at all.
“Glad a cybercriminal got put away, but another good reason to switch to Linux,” one user wrote on Reddit, a sentiment that repeated across threads once the case spread.
What Can Windows Users Actually Do About It?
The identifier cannot be disabled without breaking Windows activation and Microsoft Store apps, so privacy researchers point to smaller, layered steps instead. None of them erase a GDID Microsoft has already logged.
- Choose a local account instead of a Microsoft Account during setup. Windows 11 has made the option harder to find, but it is still there for anyone who knows where to look.
- Turn off optional diagnostic data under Settings, Privacy and security, Diagnostics and feedback.
- Disable personalized ads and launch tracking under Privacy and security, Recommendations and offers.
- Turn off Cloud Content Search under Privacy and security, Search, so local searches stop feeding data to Bing.
- Review and disable Activity History and related telemetry options.
- For journalism, activism or domestic abuse situations where a persistent identifier is a genuine safety risk, security researchers recommend Linux routed through Tor rather than a commercial VPN on a Windows machine.
A clean reinstall does generate a new GDID, but it is not the reset it looks like. Sign back into the same Microsoft Account afterward, and activation records, OneDrive sync and usage history give Microsoft a straightforward way to link the new number to the old one.
Stokes Awaits Trial as the Identifier Keeps Working
Stokes faces charges of conspiracy, computer intrusion and fraud in the Northern District of Illinois and is presumed innocent while the case moves through federal court. Prosecutors say he operated under aliases including “Bouquet,” “Spencer” and “Jordan” within a network also tracked as Octo Tempest, UNC3944 and 0ktapus.
Finnish police seized two 2 terabyte hard drives when they arrested him at Helsinki’s airport, and investigators have said little publicly about what else those drives might reveal about the wider network. Operation Riptide, the FBI’s broader effort against Scattered Spider, continues independent of this single case.
Microsoft has not committed to giving ordinary users a way to view, reset or refuse a GDID. Its one sentence of public documentation remains a line in an Azure Monitor reference table built for enterprise IT administrators, not for the people whose laptops generate the data. Microsoft’s own commentary around its most recent earnings call flagged that Windows OEM revenue faces tough comparisons as Windows 10 support winds down, a reminder of just how many machines are quietly carrying the same kind of tag Stokes could not shake.
Frequently Asked Questions
What Does GDID Stand For, and How Long Has It Existed?
GDID stands for Global Device Identifier. Reporters examining a developer writeup traced the underlying infrastructure back to Windows 10’s original 2015 release, though the identifier itself barely surfaced in public documentation until around 2021.
Does Switching to a Local Account Stop the Tracking?
Not entirely. Independent research into the underlying Windows code has found that the Connected Devices Platform can still generate an anonymous device identity for features like Nearby Share even without a Microsoft Account signed in, so a local account may reduce but not eliminate device-level reporting.
Did Microsoft Tip Off the FBI Before Investigators Asked?
Yes, according to the complaint. It cites an October 2024 criminal referral Microsoft made to the Department of Justice, months before the jewelry retailer attack, after the company’s own security researchers flagged telemetry they believed linked Stokes to other Scattered Spider members.
Do Apple and Google Track Devices the Same Way?
Both maintain persistent identifiers of their own. Apple keeps a hardware UUID and an iCloud-linked DSID beyond its resettable advertising identifier, and Linux distributions carry a machine-id. Researchers say the difference is that Apple and Google give users a visible way to reset the identifiers tied to advertising, and Windows offers nothing equivalent for GDID.
What Happens to GDID Data Microsoft Already Collected?
It does not go away. Researchers who tested mitigation tools on a Windows 11 virtual machine found that blocking the reporting services going forward does not erase a GDID already logged on Microsoft’s servers since the first sign-in, and there is no disclosed process for a user to request its deletion.
Does GDID Do Anything Besides Enable Tracking?
Yes. Delivery Optimization uses it to manage peer-to-peer update sharing and bandwidth between nearby PCs, and it also supports Windows activation and Microsoft Store licensing checks. Removing the identifier entirely would disrupt those legitimate functions along with any tracking use.
-
FINANCE1 month agoZcash Patched a Double-Spend Bug as ZEC Climbed 5%
-
ENTERTAINMENT1 month agoSteam Summer Sale 2026 Locks In June 25 to July 9 Dates
-
NEWS2 months agoMeta Adds AI Replies to Threads, But Users Can’t Block It
-
FINANCE1 week agoCLARITY Act Final Text Expected This Weekend as 60-Vote Hurdle Looms
-
ENTERTAINMENT2 months ago‘Widow’s Bay’ Review: Apple TV’s Sleeper Horror-Comedy Earns Its Fog
-
ENTERTAINMENT1 month agoAmazon Scraps Its Stargate Revival After a 20-Week Writers Room
-
FINANCE4 days agoFed Minutes Cite AI Demand as Inflation Risk, Put a 2026 Hike Back on the Map
-
FINANCE1 month agoCitigroup Says ETF Outflows Drove Bitcoin’s Crash, Not Strategy’s Sale
