So the big story from April was the arrest of a 19-year-old Finnish guy, Peter Stokes, allegedly part of the Scattered Spider hacker crew. He got extradited to the US and is now looking at federal charges for crypto fraud and social engineering schemes.
What's actually interesting from a privacy standpoint is how they caught him. The dude was running a VPN AND an automatic IP rotation system that cycled through multiple addresses constantly. Like he really thought he had it locked down. But none of that saved him, and from what's come out since, Windows-level identifiers seem to have played a role in tying everything together. That's the part worth talking about here imo.
Windows GDID and privacy are we all being tracked without knowing it
8 replies 181 views
blockhub968Hero Member
Posts: 20 · Reputation: 317
#2Jul 12, 2026, 07:43 PM
Wait, what do you mean by "it's already happening"? Got a source for that or just vibes?
Also the Firefox thing isn't totally accurate afaik. Yeah it phones home with some telemetry by default but it's nowhere near the level Windows operates at, and you can actually turn it off without jumping through a hundred hoops. Not the same ballpark at all.
Honestly what gets me is how someone can go through all that effort to mask their IP and network traffic but completely ignore what the OS itself is broadcasting in the background. Like bro spent hours setting up rotating proxies but never once thought about system-level telemetry lol.
And look, I get it, I grew up on Windows too, still love it for gaming, nothing really compares for that. But once you actually start caring about your privacy you realize it's just not built for that. Switching to Linux is painful for like the first month or two and then you're fine. Worth it.
Also someone asked me privately: if I run a Bitcoin wallet on Windows and don't report taxes, can the IRS or SEC pull data through Windows telemetry? Honestly... I wouldn't bet against it.
Worth pointing out that this is one of the earlier publicly documented cases where GDID was explicitly named in the context of a cybercrime investigation. There are a bunch of other cases floating around on specialist forums and documented online where arrests happened and the warrants mention things like "traditional tracing techniques" or "hardware identifier correlation" without spelling it out, but the pattern is pretty obvious once you know what to look for. GDID has been around for like a decade now.
There are even documented cases of darknet operators running Windows machines, and both the FBI and Europol apparently referenced hardware-level tracking methods in the warrants. Microsoft has also directly stated in some cases that it provided hardware identifier data. So yeah, this isn't tinfoil hat stuff, there's a paper trail.
Yeah I broadly agree that OS telemetry is way underestimated. Everyone obsesses over VPNs and IP masking and forgets that the device itself, the browser, the linked accounts, the apps... all of that is still leaking data regardless of what your exit IP looks like.
That said I think we need to be careful not to blur the line between what's confirmed and what's being inferred. From what's actually in the complaint, the key detail is that Microsoft's records linked a Windows GDID to the creation and use of an ngrok account, and then that got correlated with IP logs, timestamps and other account activity. That alone is a serious privacy issue and doesn't need embellishment.
The bigger claims about exactly how deep this goes need harder evidence before we treat them as settled fact. Healthy skepticism matters here.
That's not quite how it works though and I think people need to understand this clearly.
In recent Windows versions the GDID doesn't just reset when you format. It persists through clean installs and if you reinstall the same OS version it gets linked back to the previous identifier. And if you think switching Windows versions will fool it, it doesn't, because it's reporting hardware-level data: motherboard UUID, CPU serial, TPM chip cryptographic keys, MAC address of the board. Two different GDIDs on the same physical machine get tied together server-side.
In my country there's actually a centralized system that cross-references this kind of data and the implications are pretty alarming once you think about it.
blockhub968Hero Member
Posts: 20 · Reputation: 317
#7Jul 12, 2026, 07:43 PM
Yeah that tracks. Can't say it's 100% proven but it's more than enough reason for me personally to stay off Windows for anything sensitive.
And I already knew Firefox wasn't the privacy miracle some people make it out to be, appreciate the reminder though. My point was never that open source automatically means no telemetry, that's a separate conversation.
Ngl I find most of this believable. I actually watched a video a while back about a guy who got caught purely because of his Windows GDID even though he was using a VPN and his IP was constantly changing. The GDID was apparently enough to tie everything together.
The one thing I couldn't wrap my head around: how did they even get the GDID in the first place? Is it being broadcast publicly every time you connect to something? Because if so... yeah Windows is straight up cooked for anyone who actually cares about staying anonymous.
Would've been nice if OP dropped a source or citation tbh. I came across a video about this recently but didn't go too deep on it since M$ tracking people isn't exactly shocking news at this point.
Anyway, genuine advice: if you're out here doing shady stuff, definitely stick to Windows and use as many Microsoft services as possible. For... reasons.
And if you happen to find traces of S, Ar, Ca and Sm somewhere, feel free to do a little word chemistry with that.
?Reply
Sign in to reply to this topic
Related topics
- Running every Bitcoin Core release ever made inside Docker, all the way back to 2009 19
- Could a Formal Bitcoin Spec Fix Consensus Issues? 2
- Ensuring Consensus: How Different Bitcoin Implementations Keep in Sync 4
- Have We Just Tackled UTXO Bloat and Quantum Risks with Demurrage? 0
- Are We Getting Quantum-Secure Addresses Soon? 18
- Can Splicing Really Obscure the BTC Transaction Trail? 2