U.S. prosecutors have connected an alleged member of the Scattered Spider hacking group to a May 2025 intrusion at a luxury jewelry retailer using a persistent Windows device identifier, as detailed in a newly unsealed federal complaint. The device ID, recorded by Microsoft, was initially tied to accounts used by the attackers to maintain access during the breach, then later linked to online accounts belonging to 19-year-old Peter Stokes, according to court documents.

The significance of this case extends beyond the single intrusion. It demonstrates how hardware-based identifiers, which users cannot easily change, can serve as powerful forensic tools for investigators tracing multi-stage cyberattacks. The FBI's ability to connect a transient access point to a specific individual through a persistent device ID marks a notable technique in combating sophisticated criminal networks like Scattered Spider.

Technical details from the filing indicate that the Windows device ID was generated during the initial compromise and remained consistent across multiple sessions, even as attackers cycled through different virtual private networks and compromised credentials. This persistence allowed investigators to triangulate the suspect's identity by correlating the ID with other digital evidence, including email accounts and internet service provider logs.

As of the court filing, no public disclosure has been made regarding available patches or mitigations for this specific tracking vector, as the method relies on existing operating system telemetry rather than a vulnerability. However, security experts note that such identifiers underscore the tension between user privacy and law enforcement needs, particularly as device-based tracking becomes more integral to forensic investigations.

The case also casts a spotlight on Scattered Spider's operational security weaknesses. While the group has historically targeted large enterprises through social engineering and SIM-swapping, the reliance on persistent device identifiers may force a reassessment of their tradecraft. Prosecutors have charged Stokes in connection with the jewelry retailer breach, though his legal representation has not yet publicly commented.