What the Peter Stokes Case Teaches Us About Being Tracked Online — Even With a VPN

Share
A recent criminal case involving a 19-year-old alleged member of the notorious Scattered Spider hacking group has gone viral for one surprising reason: federal law enforcement investigators were able to track him across multiple countries despite his use of VPNs and changing IP addresses.
The case against Peter Stokes (U.S. v. Peter Stokes, Case No. 25 CR 812, Northern District of Illinois) has sparked widespread discussion online because of how Microsoft’s internal tracking system helped law enforcement connect the dots. And the fact that every Microsoft operating system, presumably including on mobile devices, has a Global Device Identifier (GDID) that can be used to identify you. And that made us wonder what other signals are used to track people online?
This case offers important real-world lessons about how modern device tracking works — and why simply using a VPN is often not enough to stay anonymous. Ever since the New York Times published a seminal article showing how information from data brokers can identify the location of the device you may be holding in your hand right now – and the fact that it winds up at the same location for some 8 hours or so every night – illustrated how exposed and possibly accessible we all might really be.   

How Investigators Tracked Peter Stokes Despite VPNs – Endpoint Tracking

According to the unsealed criminal complaint, Stokes allegedly used VPNs and rotated IP addresses while engaging in hacking activity for financial gain. However, investigators were still able to link his activity to a specific Windows device through something called the Global Device Identifier (GDID).
The GDID is a persistent, unique identifier that Microsoft assigns to each Windows installation. It is used for telemetry, diagnostics, and licensing purposes. Unlike a public IP address, the GDID does not change when you connect through a VPN or switch networks. It stays tied to that specific Windows installation until the operating system is completely reinstalled.
In Stokes’ case, Microsoft provided this device identifier data to the FBI pursuant to a warrant. Investigators then correlated the GDID with timestamps, account logins (including Apple, Snapchat, and Facebook accounts), and the use of tools like ngrok — allowing them to build a strong timeline even as his IP addresses changed across countries.
This is a clear example of endpoint tracking — identifying and following a device itself rather than just its network connection.

Not Just a Windows Problem: Tracking on Apple Devices

While the Stokes case at first seemed to be centered on Windows, similar (though more fragmented) tracking appears to exist on Apple devices too. Law enforcement obtained “Apple returns” as well as “Microsoft returns” through search warrants, and they received detailed connection logs showing when and from which IP addresses an Apple ID was accessed, along with lists of devices associated with the account.

Remote Desktop Protocol (RDP) Connections to Subject Server 1 – How Feds Pierced the Tallin, Estonia IP addresses to His “True IP Address”

According to the criminal complaint, Peter Stokes is alleged to have tried to hide his true location through the use of Remote Desktop Protocol, or RDP.
Federal investigators pieced together information obtained through the authority of an Order from Northern District of Illinois Chief Judge Virginia M. Kendall. Described in a footnote to the Complaint as a “reverse 18 U.S.C. § 2703(d) order for two Tallin, Estonia IP addresses believed to have been used by STOKES, based on Microsoft records. See 25 M 60220. Such an order required Microsoft, among other providers, to search for all accounts that may have used those Tallin IP addresses and provide associated IP addresses for the accounts that did. Microsoft returns from that order show additional IP addresses that were accessed by the underlying, true IP addresses, indicating STOKES’s use of them.”
Illustration from the criminal complaint:
Remote Desktop Protocol – or RDP – got cracked by the feds. Here is how it was done
The feds allege “RDP [Remote Desktop Protocol] is a method by which a user can remotely connect to a different computer and operate it as if they were physically using that computer; it is frequently used by sophisticated cybercriminals to obfuscate their IP addresses and network infrastructure.

Learning the Existence of the Microsoft Operating System Global Device Identifier (GDID) Made Us Wonder  – How Else Can We Be Tracked Online? The Answer is Plenty

Apple does not seem to have one single, always-on identifier like the Windows GDID that companies can easily use for broad tracking. Apple has deliberately designed iOS to limit fingerprinting and cross-app tracking. However, companies (advertisers, app makers, analytics firms, and data brokers) can still gather information about your device and movements through several methods.

Here’s how Information is Gathered About Your Device and its Movements – in (mostly) Plain Terms:

1. The most reliable signal on iOS: IDFV (Identifier for Vendor)

Every app developer gets its own unique ID for your device. All the apps made by the same company can share this ID. It is more stable than most other signals and doesn’t require your permission for basic analytics use within that company’s apps. It resets only if you delete every app from that developer. This is the main built-in way companies track activity across their own apps.

2. Advertising tracking (IDFA) requires your permission (?) 

Apple’s App Tracking Transparency (ATT) feature forces apps to ask before they can use your advertising ID to follow you across different apps and websites. Many people tap “Ask App Not to Track,” which significantly reduces this type of cross-app advertising tracking. In or view, we remain skeptical as to the extent this privacy feature actually works. 

3. Browser fingerprinting on Safari Should Be Heavily limited – What About the Rest?

When you visit websites, trackers normally try to create a unique “fingerprint” from details like screen size, fonts, and how graphics are rendered. Apple’s Safari browser purports to actively fight this with Intelligent Tracking Prevention and fingerprinting defenses that make many devices look similar to trackers. But then this Apple article suggests doing this to prevent website cross-tracking
Our research shows there appears to be plenty of information we broadcast when we surf the web, allowing websites and data brokers to piece together information that just might be able to track and identify each of use with precision we frankly were not really aware of until the past year or so.

Take this Tracker Test from EFF.ORG To See How Much Fingerprint Information Your Device Is Broadcasting

For many years, Torrent Defenders has relied on the mission of the Electronic Frontier Foundation (EFF) to help all of us protect our online privacy.

What is a digital fingerprint? A digital fingerprint is essentially a list of characteristics that are unique to a single user, their browser, and their particular hardware setup. This includes information the browser needs to send to access websites, like the location of the website the user is requesting. But it also includes a host of seemingly insignificant data (like screen resolution and installed fonts) gathered by tracking scripts. Tracking sites can stitch all the small pieces together to form a unique picture, or “fingerprint,” of your device.”

The EFF has produced something they call Cover Your Tracks and a link is there to Test Your Browser to let you see how this actually works. We dare you to try it and read your identity report!

4. Location data is one of the biggest sources of tracking

This is where tracking remains very pervasive. Many apps (weather, shopping, games, navigation, etc.) ask for location permission. Once granted, that data can be shared or sold. Data brokers then combine location pings from millions of phones to build detailed movement profiles — where you live, work, shop, travel, and even what types of places you visit. Studies and investigations have shown that precise location data alone can often identify individuals with very high accuracy, and it is widely bought and sold in the data broker industry.
In one example, an FTC Complaint against data broker InMarker alleged that the
InMarket SDK can receive a device’s precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device’s operating system provides it:
“One of the primary functions of the InMarket SDK is to transmit a consumer’s precise
location back to Respondent. Apps that incorporate the InMarket SDK request access to the location data generated by a mobile device’s operating system. If the user allows access, the InMarket SDK receives the device’s precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device’s operating system provides it— ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving—and transmits it directly to Respondent’s servers. From 2016 to the present, about 100 million unique devices sent Respondent location data each year….
Through the InMarket SDK, Respondent collects sensitive information from
consumers, including where they live, where they work, where they worship, where their children go to school or obtain child care, where they receive medical treatment (potentially revealing the existence of medical conditions), where they go to rallies, demonstrations, or protests (potentially revealing their political affiliations), and any other information that can be gleaned from tracking a person’s day-to-day movements. All of the above information is collected along with several identifiers (including a unique mobile device identifier). Respondent has retained this information for up to five years. “

See How Much Data Exists About You

The best way to understand how pervasive this tracking really is? Look at your own data. Here are some suggestions. 

  • Google Location History (often the most revealing):
    Go to takeout.google.com, sign in, and select only “Location History.” Download the file. You may see years of detailed GPS pings showing exactly where you’ve been and when. Because doing this requires being signed in to Google, we got the heebie jeebie
    s and declined to do so ourselves. Perhaps you know another way.
  • Major data brokers:
    Large companies like Acxiom say they let you request what they know about you. Use their official U.S. Privacy Rights Portal: Acxiom Consumer Portal. Similar options appear to exist with Experian and others.
  • Paid services that do the work for you: We’ve seen services including by Norton that say they will help you request your information be removed from data brokers. But at least in our personal experience, we got the feeling that maybe the process worked, or maybe it didn’t. Complicated hurdles still existed even with the paid Norton service, and it seems like the data brokers don’t have to necessarily do what you want. Further research is warranted in this area.  

Why This Matters

Even without a single powerful identifier like Windows’ GDID, companies can still build surprisingly detailed profiles by combining signals — especially location data. The same layered approach that helped investigators in the high-profile Windows case (device ID + account logs + timestamps) can also happen in the commercial world through data brokers and app tracking. Apple has reportedly made pure device fingerprinting much harder than it used to be, which is a real privacy win. But location data and within-company tracking (via IDFV) remain active and widespread. Bottom line: Your phone may be harder to track on Apple devices than on many others, but it is not invisible — especially when it comes to where you go.
Apple has made broad device fingerprinting harder than on other platforms, but location data remains one of the most pervasive forms of tracking available to companies and data brokers.

Why This Matters in Copyright and BitTorrent Cases

At Antonelli Law, we defend clients in copyright infringement lawsuits, particularly those involving BitTorrent and torrent downloads (lately, often by “Strike 3 Holdings LLC” or other movie company copyright infringement cases filed in federal court, like the one involving the movie Boy Kills World filed by Boy Kills World Rights, LLC; or th one involving the movie “Rust” starring Alec Baldwin filed by Corporate Capital Holdings, LLC. Corporate Capital Holdings, LLC  alleging BitTorrent users violated its copyright protection rights.

Plaintiffs in these cases traditionally rely heavily on IP address evidence obtained by monitoring public BitTorrent swarms. However, the Peter Stokes case highlights a broader reality: sophisticated parties can — and sometimes do — use multiple layers of data to strengthen their evidence.

 

While we have not seen any evidence that any copyright plaintiff or their investigators have direct access to Microsoft GDID data, the case demonstrates how:

  • Persistent device identifiers can survive VPN use
  • Account login data from multiple providers may be correlated
  • Location and device signals can be combined to build stronger timelines

This is why simply saying “I used a VPN” is rarely a complete defense on its own. Understanding how these different tracking methods work helps us better evaluate the strength (or weakness) of the evidence against our clients and develop stronger defense strategies.

Key Takeaways from the Peter Stokes Case

  1. VPNs are not magic — They hide your public IP address, but they do not hide persistent device-level identifiers used by operating systems.
  2. Multiple data sources create stronger correlations — Investigators (and potentially plaintiffs) can combine device IDs, account logs, and timestamps.
  3. Transparency around device tracking is limited — Most people have no idea that identifiers like Microsoft’s GDID even exist.
  4. Location data remains extremely powerful — Whether collected through apps or data brokers, movement patterns are one of the hardest signals to fully obscure.

Bottom Line

The Peter Stokes case is a stark reminder that true online anonymity is much harder to achieve than many people realize — even when using privacy tools like VPNs.
For individuals facing copyright infringement claims, understanding these tracking realities is critical. At Antonelli Law | Torrent Defenders®, we stay on top of the latest developments in digital tracking and evidence gathering so we can provide our clients with the strongest possible defense.
If you or someone you know has received a copyright infringement notice or lawsuit related to torrent activity, contact us for a free, confidential consultation. We have extensive experience defending these cases and understand the technical issues that matter most.
Jeffrey Antonelli, Attorney and President of Antonelli Law
Share

Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Website Apps