{"id":18054,"date":"2026-07-17T11:27:42","date_gmt":"2026-07-17T18:27:42","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=18054"},"modified":"2026-07-17T11:27:42","modified_gmt":"2026-07-17T18:27:42","slug":"microsoft-stamped-a-secret-number-in-your-windows-pc-a-vpn-cant-hide-it","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/07\/17\/microsoft-stamped-a-secret-number-in-your-windows-pc-a-vpn-cant-hide-it\/","title":{"rendered":"Microsoft Stamped a Secret Number in Your Windows PC. A VPN Can\u2019t Hide It."},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This is the veil coming off, Microsoft has a unique identifier on Windows installations that is getting reported with your activity via telemetry. And Microsoft didn&#8217;t wait for the government to contact them, but put things together and contacted the government. Who works for whom? And running your own DNS server that blocks Microsoft telemetry servers won&#8217;t work as I believe I saw a security video that showed Microsoft was hardcoding telemetry IP addresses. It&#8217;s looking like Windows is more of a spyware platform than any of us thought. Consequently, switch to Linux or if you still need Windows for something run it in a VM or dual boot. Don&#8217;t feed the beast.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/reclaimthenet.org\/microsoft-stamped-a-secret-number-in-your-windows-pc-a-vpn-cant-hide-it\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/reclaimthenet.org\/microsoft-stamped-a-secret-number-in-your-windows-pc-a-vpn-cant-hide-it<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_a73330ad-ab81-4e5e-abf1-56c5ab468b15\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h5 class=\"wp-block-heading\">The tool that caught a genuine hacker ships identically on the machine of every innocent user.<\/h5>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/media.reclaimthenet.org\/2026\/07\/R3XJ3Ow7wmkl-1024x576.jpg\" alt=\"Microsoft Stamped a Secret Number in Your Windows PC. A VPN Can\u2019t Hide It.\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">By Christina Maas<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A 19-year-old held a fan of hundred-dollar bills over his face and posted it to Snapchat. Days earlier, he had sent friends a photo of an Estonian police station with the caption \u201cFeel like raymond reddington season 1 episode 1 rn,\u201d a nod to the TV villain who walks into FBI headquarters and surrenders. Later came the taunt that would not age well. \u201cFeds dont know what they just fumbled,\u201d he wrote.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The feds knew. They had known for more than a year. And the thing that gave Peter Stokes away was not a slip, a snitch, or a cracked password. It was his laptop, running Windows, doing exactly what Microsoft built it to do.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Stokes, a dual citizen of the United States and Estonia who lived in Tallinn, was arrested in Finland as he tried to board a flight and extradited to Chicago to face charges tied to the hacking crew known as Scattered Spider.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The government accuses the group of more than 100 network intrusions since 2022, more than $100 million in ransom payments, and a string of attacks on companies that read like a corporate hall of fame.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Prosecutors say Stokes helped break into a luxury-jewelry retailer, steal its data, and demand roughly $8 million in cryptocurrency. The company refused to pay and still lost at least $2 million cleaning up the mess.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">None of that is the reason cybersecurity researchers, privacy engineers, and a fair number of ordinary Windows users spent the week staring at a court filing. The reason is a single string of characters buried in the FBI\u2019s complaint, a number most Windows owners have never heard of and cannot find on their own machines.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>We obtained a copy of the complaint for you <a href=\"https:\/\/media.reclaimthenet.org\/2026\/07\/CsTTQ44AVr4G.pdf\">here<\/a>.&nbsp;<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft calls it the Global Device Identifier. The GDID is how a criminal who did almost everything right still got caught, and it is sitting on your computer right now.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The one thing a VPN cannot hide Stokes was not sloppy about anonymity. He routed his activity through a VPN, a virtual private network, which is the standard tool for hiding where you really are online.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A VPN swaps out your real IP address, the numeric label your internet connection carries, for one belonging to the VPN company\u2019s server. Websites see the server, not you. Your internet provider sees encrypted traffic to the VPN, not the sites you visit. Used well, it is a genuine shield, and it is the same shield relied on by journalists protecting sources, activists under hostile governments, and abuse survivors hiding from stalkers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The VPN did its job. What it could not do was change the identity of the machine behind it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to Microsoft, a Global Device Identifier is \u201ca persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Plainly stated, when Windows installs itself on your computer, it stamps that installation with a serial number and reports home. That number rides along with telemetry, the steady stream of diagnostic and activity data Windows sends to Microsoft\u2019s servers. It does not care what IP address you are wearing that day. It follows the installation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft told the court the identifier \u201cremains consistent across Windows operating system updates on a device.\u201d Reinstall Windows and you get a fresh GDID, but the old one does not vanish from Microsoft\u2019s records. The company keeps it, and it can still be matched to the device it came from. You cannot log out of it. There is no settings toggle to switch it off. You were never asked.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is what that meant for Stokes, told through the government\u2019s own timeline. To break into the jewelry store, the hackers installed a tool called ngrok on the company\u2019s servers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ngrok creates an encrypted tunnel that punches through a network\u2019s defenses, letting an outsider reach machines that should be unreachable. The complaint says the crew used it \u201cto circumvent Company F network defenses and enable persistent unauthorized access to the Company F data center,\u201d then siphoned data out through that tunnel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Setting up ngrok required creating an account. That account was created on May 12, 2025, from a VPN proxy address ending in .168. The VPN hid the human. It did not hide the Windows installation. Microsoft\u2019s records showed that at the exact minute the ngrok account was born, a device carrying the GDID g:6755467234350028 visited ngrok\u2019s signup page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Three hours later, the same device browsed to the jeweler\u2019s own website from the same proxy. The machine that set up the attack tool had a name, even while its owner did not.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">From a serial number to a face<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A device identifier is worthless to investigators until they can attach it to a person. This is where the GDID stopped being a technical curiosity and became the spine of the case.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because the identifier travels with telemetry, Microsoft could hand the FBI something a VPN can never scrub, a running history of the IP addresses that device had used over months. Investigators took that history and laid it beside the login records for accounts they already believed were Stokes\u2019s, his Snapchat, his Facebook, two Apple accounts, and his login for the online game Growtopia.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/media.reclaimthenet.org\/2026\/07\/mgvWfspfd2aS.jpg\" alt=\"Flowchart showing RDP logs associated with various returns from Snapchat, Apple, and Microsoft, with IP addresses listed.\" class=\"wp-image-242377\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On June 4, 2024, the GDID device used an IP address in Tallinn. That same address logged into Stokes\u2019s Snapchat and Facebook within hours. In November 2024, the device surfaced on a New York IP address. State Department travel records put Stokes in New York on those exact dates, and his own Snapchat photos placed him at the Four Seasons and the Waldorf Astoria, plus a UFC fight in the city on November 16.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The device later visited the website of the Empire Hotel in New York, and prosecutors say the carpet and furniture in one of Stokes\u2019s Snapchat selfies match an Empire Hotel suite. By February 2025 the device was in Thailand. So was Stokes, posing with a \u201cWALDORF ASTORIA BANGKOK\u201d water bottle.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The government needed a device that announced itself everywhere it went, and a young man who could not stop photographing his own luxury travel. The GDID was the thread that stitched a proxy-shrouded ngrok account to a real human being who kept posting his location to social media.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is a police success story, and an honest account has to say so. The alleged victims here are not dissidents. They are companies extorted for millions by a crew that, by the government\u2019s count, has caused more than $100 million in harm. Stokes was not silenced for his politics. He is accused of serious crimes, charged through a process that produced warrants, subpoenas, and a 39-page affidavit a judge reviewed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That is exactly why the case drew the attention of people who read the filing closely. The tool that caught a genuine criminal is a standard feature of the operating system running on more than a billion machines, including yours. Nothing about it is aimed only at criminals.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What the law does, and does not, require<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The legal scaffolding around all this reveals how little friction stands between a device on your desk and a file in some unknown office.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The charges against Stokes run through the Computer Fraud and Abuse Act, the main US anti-hacking statute, which criminalizes accessing a computer without authorization and doing damage or extortion once inside. That part is uncontroversial.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hacking a jeweler and demanding $8 million is a crime in every telling.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The revealing part is how investigators gathered the evidence. Microsoft did not wait for a knock. According to the complaint, the company proactively referred Stokes to US authorities in October 2024, more than a year before charges were filed, naming its internal suspect \u201cspencer\u201d as a \u201clikely operator for Octo Tempest,\u201d the company\u2019s own name for Scattered Spider, and assessing his \u201clikely true name Peter Stokes.\u201d Microsoft volunteered a name, a city, and a theory of the crime before anyone served it with anything.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When the government did use legal process, the tools were routine. Prosecutors obtained a \u201creverse\u201d order under a provision of the Stored Communications Act, section 2703(d), targeting two Tallinn IP addresses.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A reverse order flips the usual question. Rather than asking a provider what a known suspect did, it asks the provider to identify every account that touched a given address, then hand back the associated addresses. Microsoft complied and returned more IP addresses linked to Stokes. Search warrants covered the rest.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The doctrine that makes this frictionless is decades old and rarely questioned by the courts. Under the third-party doctrine, information you voluntarily hand to a company generally loses Fourth Amendment protection, on the theory that you have no reasonable expectation of privacy in data you have already shared.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Supreme Court cracked that logic in 2018 in <a href=\"https:\/\/reclaimthenet.org\/geofence-warrants-fourth-amendment-supreme-court\">Carpenter v. United States<\/a>, ruling that police need a warrant for the detailed location histories cell carriers keep. Whether a persistent device identifier and its trailing IP history fall under Carpenter\u2019s protection, or slip through as ordinary business records, has not been tested. A defendant like Stokes, facing overwhelming evidence, is not the person who will test it. The law here is not settled. It is simply unchallenged.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The third-party doctrine turns on one word, voluntarily. The theory assumes you chose to share. You did not choose the GDID. You cannot see it, cannot delete it, and were never asked to agree to it. The legal justification for treating this data as fair game rests on a consent that never happened.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Defenders of the arrangement make a fair argument, and it deserves its strongest form. Modern operating systems need diagnostic data to patch security holes, fix crashes, and detect the very malware Scattered Spider deploys. A stable device identifier helps Microsoft tell one machine from another when it ships those fixes and hunts those threats. The same telemetry that unmasked Stokes also powers defenses that protect millions of people who will never be accused of anything. And Microsoft is far from alone. Apple, Google, and the rest can almost certainly fingerprint the devices running their software too.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That is all true, and all beside the point that should worry you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft can identify a hacker. It can also identify anyone else, silently, by default, with no notice and no off switch, and pass that identity to third parties. A capability built to catch the worst users exists identically on the machine of the best. It does not check your intentions before it stamps your installation and starts logging. The nurse, the labor organizer, the reporter meeting a whistleblower, the teenager exploring a stigmatized question, all carry the same invisible number, generating the same trailing history, sitting on the same servers, available under the same routine orders.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The design is deliberate. It is a permanent identifier, tied to your hardware, reporting your activity, retained after you wipe the machine, and mentioned once in a document written to be ignored. Persistence, invisibility, and retention are features, and each one is what made the evidence against Stokes possible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The slippery slope here is not hypothetical hand-waving, because the same architecture already serves ordinary law enforcement through reverse orders that scoop up everyone near an address. Extend that from a Tallinn IP block to a protest, a clinic, a mosque, or a newsroom, and the device that follows you everywhere becomes the witness that places you there.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Anonymity is the precondition for a source to talk to a journalist, for a dissident to organize, for a person to read about a diagnosis or a faith or a politics without a permanent record forming somewhere they cannot reach. The same tool that identifies a hacker identifies a demonstrator.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">None of this makes Stokes sympathetic. It makes him instructive. His case is the rare moment when the machinery is described in open court, in specifics, with device numbers and timestamps, before it disappears back into the routine of proactive referrals and sealed orders. He showed us the tool by being careless enough to get caught by it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What you can actually do<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The honest bottom line is uncomfortable. A VPN, the tool most people are told to trust for privacy, did nothing to stop this. It protected the network path and left the device fully identified. Anyone relying on a VPN alone to be anonymous on Windows is protecting the wrong end of the connection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The real fixes are structural, and they are the ones to demand. Microsoft could document the GDID in plain language, tell users it exists, and give them a way to see it and switch it off. Regulators, especially in Europe where Stokes lived and where data-protection law is strongest, could ask how a persistent, non-consensual device identifier squares with rules that require informed consent for exactly this kind of tracking. Courts could finally test whether a device\u2019s IP history deserves the warrant protection Carpenter extended to phone location data. None of that happens without pressure, and pressure does not come without people knowing the identifier is there.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The only way to fully escape a proprietary operating system\u2019s device identifier is to stop running a proprietary operating system. Open-source systems like Linux, whose code anyone can inspect, do not ship a hidden number that phones home to a single company. That is a heavy lift for most people, and pretending otherwise would be dishonest.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Peter Stokes will have his day in court, and the evidence against him looks formidable. The number that caught him will not be on trial. It will keep running on a billion machines whose owners never agreed to carry it, generating the same history, waiting for the same routine order. He thought a VPN made him invisible. He was wrong, and so is everyone else who assumes the same. The thing that saw him is watching all of them, and almost no one knows its name.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the veil coming off, Microsoft has a unique identifier on Windows installations that is getting reported with your activity via telemetry. And Microsoft didn&#8217;t wait for the government to contact them, but put things together and contacted the government. Who works for whom? And running your own DNS server that blocks Microsoft telemetry [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-18054","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/18054","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=18054"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/18054\/revisions"}],"predecessor-version":[{"id":18055,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/18054\/revisions\/18055"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=18054"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=18054"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=18054"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}