When the Machine Betrays You
How a hidden Windows identifier tracked an alleged Scattered Spider hacker across VPNs, remote-desktop hops, and four countries — and why your VPN was never built to stop it.
A nineteen-year-old was arrested at Helsinki airport in 2026 as he tried to board a flight to Japan. According to the criminal complaint filed by the U.S. Attorney’s Office for the Northern District of Illinois, he was an alleged member of Scattered Spider — the loose collective linked to intrusions at Marks & Spencer, the Co-op, Harrods, Transport for London and Jaguar Land Rover. He had done what every threat actor is told to do: he cycled through IP addresses, VPNs and remote-desktop connections to break the link between his activity and his identity. It did not save him. Investigators followed a single value that never changed no matter which VPN he used — his device’s GDID.
The uncomfortable lesson for security teams: a VPN hides where your traffic goes. It does not hide the machine it came from. And Windows, it turns out, has been quietly labelling that machine all along.
What GDID actually is
GDID stands for Global Device Identifier. In Microsoft’s own words, cited in the complaint, it is “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device.” Technically, reporting on the case describes it as a 64-bit Microsoft Account device identifier (a “Device PUID”) minted by login.live.com the moment you sign in to Windows with a Microsoft Account. It is cached locally in the registry (reported as HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties, value “LID”) and, more importantly, registered server-side with Microsoft’s Device Directory Service through the Connected Devices Platform services, and reported via Delivery Optimization telemetry.
Three properties make it dangerous from a privacy standpoint. It is persistent — it survives updates and only changes on a full reinstall (and even then Microsoft can re-link it through account, activation and OneDrive history). It is account-bound and server-authoritative — the authoritative copy lives on Microsoft’s servers, tied to your Microsoft Account. And it is disclosable — Microsoft can hand it, and the IP history attached to it, to law enforcement under legal process.
How the reverse-tracking worked
The mechanism described in the reporting is straightforward, and that is exactly why it is effective. It runs backwards from a known identifier to a real person:
● Step 1 — Obtain the identifier. Microsoft supplied investigators, under subpoena, with the 64-bit GDID embedded in the suspect’s Windows installation and tied to his account.
● Step 2 — Pull the IP history. Because the GDID is reported to Microsoft’s servers over time, the FBI obtained a full history of IP addresses that the same device had used — regardless of which VPN sat in front of each connection.
● Step 3 — Cross-reference. Those IPs were matched against the suspect’s personal accounts — Apple, Snapchat, Facebook and gaming logins (including Growtopia) and an ngrok tunnelling account he had created through a VPN — plus hotel photos and social posts, placing the same device across Tallinn, New York, Thailand and Estonia over roughly eight months.
The VPN did its job perfectly at the layer it operates on. It obscured the network path. But every one of those connections carried the same device fingerprint up to Microsoft, and correlation did the rest. As one summary put it bluntly: “Microsoft was tracking the device itself, not the network connection.”
Why a VPN cannot protect you from this
This is not a flaw in any particular VPN product. It is a category error about what a VPN is for. A VPN operates at the network layer: it encrypts your traffic and swaps your visible IP address for the provider’s. GDID operates at the operating-system and account layer, above and independent of the network. The identifier is generated, stored and transmitted by Windows itself, so it rides through the tunnel untouched and arrives at Microsoft’s servers on the other side.
The one-line version for a board slide: a VPN anonymises the network, not the endpoint. It was never designed to anonymise the machine, and it does not.
Why this matters for organisations, not just fugitives
It is tempting to file this under “criminal gets caught, working as intended.” That misses the governance point. Any organisation whose privacy posture, employee-monitoring claims or incident-attribution model assumes “VPN equals anonymity” is operating on a false premise. A few concrete implications:
● The assumption is already wrong on your fleet. Corporate Windows devices signed in with Microsoft or Entra accounts are being labelled the same way. If your threat model treated an outbound VPN as an anonymity control, revisit it.
● Data-protection officers should note the distinction. There is a persistent device identifier being transmitted to a third party (Microsoft) with no consumer opt-out, no consent screen at assignment, and — critically — no published policy on when it is shared and no transparency reporting on those disclosures. That is a legitimate item for a privacy audit and a records-of-processing review.
● Attribution cuts both ways. The same correlation that caught an alleged intruder can just as easily de-anonymise researchers, journalists, whistleblowers or your own red team. Anyone whose safety depends on separating a device from a person should assume Windows is not a suitable platform for that.
Can you turn it off? Honestly, no
Security researchers are unusually candid here, and it is worth repeating their honesty rather than overselling a fix. As one researcher noted, it is effectively impossible to stop Windows from obtaining a GDID “without breaking activation and UWP apps.” What you can influence is future reporting, not the identity itself. Community tooling (for example the open-source no-gdid PowerShell scripts) and manual hardening focus on:
● Disabling the reporting services — CDPSvc, CDPUserSvc and DoSvc (Delivery Optimization) — which requires registry changes because they resist normal disabling;
● Blackholing the endpoints, e.g. blocking the Device Directory Service and Delivery Optimization hosts at the network or hosts-file level;
● Preferring local accounts and turning off optional diagnostics, personalised-ad and cloud-search tracking to reduce the correlation surface.
But be clear-eyed about the ceiling. In the tool authors’ own words: it “does not erase your GDID and does not make you anonymous… The past is gone. The PUID already exists server-side.” Blocking reduces future correlation; it cannot retract what has already been sent, and these mitigations break features like Phone Link, Delivery Optimization and nearby sharing. For genuinely sensitive work, the researchers’ blunt conclusion is that the reliable answer is not a registry tweak at all — it is not doing that work on Windows in the first place (a hardened Linux live environment gives you real control over what leaves the machine).
The bottom line for security leaders
The GDID case is a clean, real-world demonstration of a principle that predates it: network anonymity and endpoint anonymity are different problems, and a VPN only solves the first one. A hacker who did everything “right” at the network layer was still tracked across four countries because his operating system carried a stable name for his machine the entire time.
For defenders, the action items are modest but real: stop treating VPN as an anonymity control in policy and training; add persistent OS-level identifiers to your privacy and DPIA reviews; and decide, deliberately, which sensitive activities do not belong on a consumer Windows install. For everyone else, the takeaway is simpler — the tunnel hides the road, not the car.
Sources & further reading
Reporting reviewed for this article (July 2026). Details of the case derive from the FBI criminal complaint, U.S. Attorney’s Office, Northern District of Illinois, as reported by:
● Cybernews — Windows telemetry GDID helps arrest hacker
● Windows Latest — You can’t fully disable Microsoft’s GDID tracker
● Tech2Geek — How the hidden GDID helped the FBI track a VPN user
● IBTimes UK — Global Device Identifier: a VPN anonymity threat for firms
● GitHub — Korben00/no-gdid (mitigation tool and honest limitations)

