Hacker?Tom's HardwareWindows 11 identifier code used to track Scattered Spider perp after Microsoft shared info with FBI — 19-year-old US-Estonian hacker arrested over alleged ties to infamous extortion groupDOJ claims the group stole over $100 million across various attacks.

Replying to @sharkfie@infosec.exchange

@sharkfie ok, but like, the question still is: Who/how is this linkage connected.

Lets take 26. as an example:

According to Microsoft records, on or about May 12, 2025, at 19:21 UTC—when, according to ngrok records, the ngrok account was created—the device with the GDID accessed, among other ngrok pages, “dashboard.ngrok.com/signup,” the ngrok page to set up an ngrok account.

ngrok isn't MS & afaik isn't even Azure-hosted. I'm trying to look for a way that MS still would be able to know about the page visit for the device ID without just pulling non-anonymized browsing data from device, lmao.

Replying to @nyanbinary@infosec.exchange

@nyanbinary I read it as "the device identified by this ID" that was known to use "this proxy server", connected to ngrok dashboard.

And they probably had logs of that IP with that ID connecting for updates or just telemetry.

Reminds me of the indictment (wrong word?) RaidForums admin a few years back, with the log collection. It's fucked up either way.

Jul 6, 2026, 07:40 UTCen