Table of Contents
- Work in Progress
- Global Device Identifier (GDID) impacting Windows 10 and 11
- VPN traffic surveillance
- Assumptions and Questions
- From the court document
Work in Progress
This blog post is my analysis of the court document (PDF) concerning United States v. Peter Stokes, Case No. 25 CR 812. I am publishing a draft version of my analysis for initial feedback. I will make updates as I find additional facts and evidence. Unlike the majority of related, public research since the publication of this court document, I did not use generative AI to do this work. News articles and claimed "research" about this topic contain blatant, thoughtless misinformation.
This personal analysis should be read in the context of global dragnet surveillance impacting people, companies, and governments who use Microsoft (NSA) Windows 10 and Windows 11 systems. It should be understood in the context of PRISM-like programs by FVEY.
Global Device Identifier (GDID) impacting Windows 10 and 11
The court document makes clear several facts:
According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios.
A GDID is a globally unique identifier tied to the installation of Windows on a device.
Tied to a Windows installation, so not exclusive to installs that sign in with a Microsoft account. This also means Xbox.
A GDID remains consistent across Windows operating system updates on a device, but a reinstall of Windows, either on the same device or on a different device, will be tied to a new unique GDID.
If a user signs into a Microsoft account, or uses the same VPN or IP addresses, Microsoft (NSA) can more easily tie GDIDs together to a specific person. Microsoft (NSA) then also can more easily coorelate users of specific personal systems, business systems or government systems.
Microsoft documentation makes clear several other, related facts:
GlobalDeviceId is defined as "Microsoft global device identifier. This is a identifier used by Microsoft internally."
UCClientReadinessStatus includes the GDID, confirming that the GDID been around since Windows 10.
There are several required diagnostic events fields that indicate (isVpn) "Is the device connected to a Virtual Private Network?", but Microsoft does not disclose surveillance of VPN traffic in their legal/privacy statements.
This expands current, fact-based knowledge of the capabilities of Microsoft (NSA) being able to tie specific users of Windows systems together simply via IP -- since at least Windows 10, Microsoft links people to a precise Windows system, its patch level, and all system configurations.
Cybersecurity researchers at Microsoft, through the course of their job, have access to data, such as computer machine IDs, IP addresses, and malware samples associated with sophisticated cybergroups. The researchers’ function is to identify groups of hackers who appear to operate as a team/cohesive unit (i.e., an Advanced Persistent Threat or APT group).
This paragraph strongly influences the judge of this case, and us, the public, that Microsoft researchers just happen to have collected this data from passive collection techniques -- Windows diagnostic data. If this is true, then this should be broadly understood as, "Cybersecurity researchers at Microsoft, through the course of their job, have access to data, such as computer machine IDs, IP addresses, and malware samples for all Windows 10 and Windows 11 users." because they collect "diagnostic data" first, then perform analysis on that data. Or, Microsoft and the FBI are lying to a judge about the source of this evidence.
VPN traffic surveillance
Jumping back to the court document, there are three possibly alarming statements read together:
According to Microsoft records, the ngrok account was set up through Global Device Identifier g:6755467234350028 (“the GDID”)." and "According to Microsoft records, [...] the device with the GDID accessed, among other ngrok pages, “https://dashboard.ngrok.com/signup,” the ngrok page to set up an ngrok account.
Microsoft records also indicate: (1) the user of the device assigned the GDID accessed multiple sites from Tzulo servers in May 2025, including the .168 server (the IP address used to create the ngrok account) on May 12, 2025; and (2) the user of the device assigned the GDID, [...] a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
According to Tzulo records, that server is in Mount Prospect, Illinois, and that IP address is assigned to a VPN proxy service.
This indicates Microsoft (NSA) exfiltrates the destinations of VPN traffic from Windows 10 and 11 devices.
Given the above conclusions about data-linkability, Microsoft knows:
When you use a VPN from any Windows 10 or Windows 11 system.
The originating, real IPs, including LAN and WAN IPs.
The VPN egress IP, and which internet endpoints and/or URLs are visited via the VPN tunnel.
Including NSA. This level of detail is via local system logs, not only internet-based global passive adversary logs.
Assumptions and Questions
At first read, it sounded like there was a possibility that Stokes' web browssing resulted in Microsoft (NSA) obtaining full URLs of sites visited because, possibly, Stokes was using Microsoft Edge, which was not disclosed in this document. However, if full URLs are obtained by Microsoft surveillance via third-party VPN tunnels, then it's safe to assume that Microsoft can extract this level of data irrespective of the web browser. This causes serious alarm to me because, depending on how Windows provides Microsoft this data, Tor Browser may be compromised due to use of Windows 10 and Windows 11.
The phrase "globally unique identifier" was stated by the Microsoft (NSA) representative and exists in vastly more Microsoft documentation than "Global Device Identifier". Further, other documentation appears to state "global device ID", but it is not clear if this also is the GDID. If yes, then a Windows Update troubelshooting document also states: "Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service [...] relies on MSA to get the global device ID for the device. Without the MSA service running, the global device ID won't be generated and sent by the client and the search for feature updates never completes successfully."
Does Microsoft (NSA) track this granularity before or after FBI issues a legal order -- mind you, this was targeting an Estonian (EU/GDPR) citizen. Based on the statements in the court document, Microsoft (NSA) may have been investigating hacks performed by Stokes' colleagues beforehand. It's not clear what legal authority Microsoft (NSA) had in collecting Stokes' Windows device data, or, worse, is Microsoft (and thus, NSA) collecting full URLs of all HTTP traffic of every Windows 10 and Windows 11 device on the planet, by default?
What is not clear is the scope. If all of this data that Microsoft (NSA) used is solely based on "required diagnositc data", then this level of surveillance is dragnet surveillance, and no Windows 10 or Windows 11 system is secure or private. If Microsoft blended "required diagnostic data" with additional, targeted collection via valid legal authoirty, it's also safe to assume that Microsoft can reach into our Windows 10 and Windows 11 devices at any time to collect this data.
Depending on the scope of "required diagnostic data", this may affect Microsoft (NSA) enterprise customers. Is this global data collection of diagnostic data tied to the legal agreements between Microsoft and third-party companies? In other words, is full URL and VPN traffic data by enterprise users collected regardless of any assumed, contractual legal agreement?
From the court document
Below are the relavent sections pertaining to Microsoft data based on the court document (PDF).
Page 7
Section 7
As set forth below, criminal referrals from Microsoft, provider records, records from previous victim-company intrusions, and records from Subject Server 1 show that STOKES has engaged in the Subject Offenses. In addition, and more specifically, STOKES and likely other coconspirators breached Company F, a luxury-jewelry retailer, exfiltrated data from Company F, and made a ransom demand of approximately $8 million in cryptocurrency, between on or about May 12 and on or about May 15, 2025. More specifically, according to records from providers, STOKES opened an account with a provider of a secure-tunneling, data-transfer tool used to access and exfiltrate data from Company F’s computer network. STOKES created this account from a Virtual Private Network (VPN) proxy service IP address ending in .168. A Microsoft device identifier (a Global Device ID, or GDID, described below) associated with STOKES is linked to the .168 address.
Page 9
Cybersecurity researchers at Microsoft, through the course of their job, have access to data, such as computer machine IDs, IP addresses, and malware samples associated with sophisticated cybergroups. The researchers’ function is to identify groups of hackers who appear to operate as a team/cohesive unit (i.e., an Advanced Persistent Threat or APT group).
Note 1
Cybersecurity researchers at Microsoft, through the course of their job, have access to data, such as computer machine IDs, IP addresses, and malware samples associated with sophisticated cybergroups. The researchers’ function is to identify groups of hackers who appear to operate as a team/cohesive unit (i.e., an Advanced Persistent Threat or APT group). The researchers do this by identifying malicious activity (malware attacks, spear-phishing, etc.) conducted against innocent victims, and then identify the computers used to conduct the attacks. The researchers then identify colleagues of the hacker by finding other computers also accessed from the same IP addresses used by the initially identified hacker. This process enables the source’s organization to identify unique groups of hackers and then track those groups to determine new IP addresses the hackers are observed connecting to the Internet from, such as leased server IPs. This also allows the researchers to determine whether these IP addresses are being used to target victims. Microsoft’s referrals and reports related to computer intrusions—such as the report about Subject Server 1—have been reliable. In fact, multiple, similar referrals from Microsoft in this and related investigations have been corroborated by later legal process issued by the government.
Page 14
Section 14
On or December 22, 2025, the Court signed a search warrant for a storage device containing downloads from a Virtual Private Server ending in .191 (“Subject Server 1”), which Microsoft had identified as a facility used to further the Subject Offenses.
Note 9
More specifically, on or about June 23, 2025, Chief Judge Virginia M. Kendall signed a reverse 18 U.S.C. § 2703(d) order for two Tallin, Estonia IP addresses believed to have been used by STOKES, based on Microsoft records. See 25 M 60220. Such an order required Microsoft, among other providers, to search for all accounts that may have used those Tallin IP addresses and provide associated IP addresses for the accounts that did. Microsoft returns from that order show additional IP addresses that were accessed by the underlying, true IP addresses, indicating STOKES’s use of them.
Page 20
Note 10
According to Company H’s referral, the Bouquet account included two images, which, according to Company H, were purportedly of STOKES, which I have compared to STOKES’s State Department passport photograph; they do not appear to be the same individual. In addition, however, the “Bouquet” account posted an image in or about January 2023, apparently of homework, with the name “Peter William Stokes” written in the top, right-hand corner. According to a referral provided by Microsoft on October 29, 2024, Microsoft analysts assessed the email address jordanspencer@riseup.net was used by STOKES. Also, as noted above, Coconspirator A confirmed to the FBI that STOKES used the moniker Bouquet.
Page 30
Section 25
According to Microsoft records, the ngrok account was set up through Global Device Identifier g:6755467234350028 (“the GDID”). According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios. A GDID is a globally unique identifier tied to the installation of Windows on a device. A GDID remains consistent across Windows operating system updates on a device, but a reinstall of Windows, either on the same device or on a different device, will be tied to a new unique GDID.
Section 26
According to Microsoft records, on or about May 12, 2025, at 19:21 UTC—when, according to ngrok records, the ngrok account was created—the device with the GDID accessed, among other ngrok pages, “https://dashboard.ngrok.com/signup,” the ngrok page to set up an ngrok account.
Section 27
Microsoft records also indicate: (1) the user of the device assigned the GDID accessed multiple sites from Tzulo servers in May 2025, including the .168 server (the IP address used to create the ngrok account) on May 12, 2025; and (2) the 23 Thus, one Microsoft user could have multiple GDIDs. user of the device assigned the GDID, on May 12, 2025 at 22:47 UTC, a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
Page 31
Section 28a
On June 4, 2024, at 2:01 PM UTC, the device with the GDID used the IP address 91.129.97.29, geolocated to Tallinn, Estonia, where STOKES lived. On the same date, this IP address was also used to access the Subject Facebook Account at 3:21 PM UTC and the Subject Snapchat Account at 1:57 PM UTC.
Section 28b
On November 18, 2024, at 7:31 AM UTC, the device with the GDID used the IP address 207.237.190.238, geolocated to New York, New York. On the same date, this IP address was also used to access Subject Apple Account 1 at 8:34 AM UTC and the Subject Snapchat Account at 3:22 PM UTC. The device with the GDID also used this IP address on November 17, 2024 at 9:21 PM UTC. According to State Department travel records, STOKES travelled to New York, New York from November 15, 2024, and November 18, 2024. Images from the Subject Snapchat Account confirm STOKES was in New York in November 2024, including between approximately November 16 and 18, 2024. These images include ones taken from the Four Seasons Hotel New York and Waldorf Astoria New York, as well as images taken from a UFC fight that occurred in New York on November 16, 2024.
Section 28c
On November 26, 2024, the device with the GDID visited the URL empirehotelnyc.com. This is the website for a hotel named "Empire Hotel", located in New York, New York. According to State Department travel records, STOKES travelled from Frankfurt, Germany to New York, New York, on November 23, 2024, and returned to Frankfurt, Germany on November 29, 2024. On or about November 25, 2024, STOKES sent the image below via his Subject Snapchat Account. According to Empire Hotel New York’s public website, the carpet, wallpaper, and furniture match an Empire Hotel suite, as depicted below.
Section 28d
On February 2, 2025, at 2:37 PM UTC, the device with the GDID used the IP address 110.170.208.226, geolocated to Thailand. On the same date, this IP address was also used to access the Subject Snapchat Account at 7:21 PM UTC and the Subject Apple Account 1 at 9:28 AM UTC and Subject Apple Account 2 at 1:30 PM UTC. The device with the GDID also used this IP address on January 31, 2025, at 12:45 PM UTC. Confirming that STOKES was in Thailand around this time, on or about January 31, 2025, he sent an image holding a “WALDORF ASTORIA BANGKOK” water bottle; on or about February 1, 2025, he posted an image of himself captioned “WALDORF ASTORIA BANGKOK.”
Page 33
Section 29
On January 8, 2025, the device with the GDID used the IP address 213.35.168.5024, geolocated to Tallinn, Estonia, where STOKES lived, to visit the 24 According to public IP records, this IP address is assigned to “Telia Eesti AS” a major URL https://login.growtopiagame.com/player/login/dashboard?valKey=40db4045f2d8c572efe8c4a060605726. Based on my training and experience, this indicates the user logged into an online account for the game Growtopia.25 According to records from Ubisoft, this login accessed a Ubisoft account with the account identifier ACC03E1B-D54F-4EC5-BA63-68276DFF16AD (the "Ubisoft account"). On January 7, 2025, the same IP address (IP Address 213.35.168.50) was used to access Subject Apple Account 2 at 5:17 AM UTC and the Ubisoft account two minutes later, at 5:19 AM UTC. Also, the same IP address was used to access the Subject Snapchat Account, the Subject Facebook Account, and the Subject Apple Accounts on several dates from May 31, 2024, through July 16, 2025.
Page 34
Section 30
Therefore, based on my training and experience, and overlapping use of the same IP addresses by accounts and devices used by STOKES, I believe that the user of the GDID (who, as discussed above, set up the ngrok account used in the Company F intrusion) is the same person as the user of the Subject Accounts (STOKES). In addition, as explained above, the Subject Google Account was used to set up the ngrok account used in the Subject Offenses and the Subject Google Account was also used to set up the 2742 phone number’s account and the Teleport.sh accounts used in the attack. Based on my training and experience, this indicates that STOKES also operated the Subject Google Account used in the Subject Offenses.