How Scattered Spider Gets Caught: ngrok, Fingerprints, and the Peter Stokes Affidavit

By Otto Vernal

Category: Security

Last updated: July 3, 2026

BLUF: A 19-year-old alleged member of the ransomware gang Scattered Spider was identified not because he forgot one password, but because investigators stitched together a dozen independent trails — hotel selfies, a homework photo, Microsoft’s records of his laptop, and a developer tool called ngrok he used to break into a luxury retailer’s network. If you want the primary source before the technical tour, start with the government’s own filing: U.S. v. Peter Stokes — superseding criminal complaint & FBI affidavit (N.D. Ill. 25 CR 812, April 2026).

You don’t need to be a security engineer to follow this. The plain version: a teenager accused of running with one of the most disruptive hacking crews alive made the same mistake twice — he reused the same digital identity for crime and for everyday life, then posted evidence of both on social media. What follows is how the FBI says the dots connected, with the nerdy parts spelled out for people who defend networks for a living.


The headline in human terms

Peter Stokes — also known online as Bouquet, Jordan, and (in Microsoft’s internal tracking) Spencer — is accused of belonging to Scattered Spider, a crew the affidavit also calls Octo Tempest, UNC3944, and 0ktapus. The group’s playbook is familiar from headlines: call a company helpdesk pretending to be an employee, reset multi-factor authentication, steal data, demand cryptocurrency, and vanish behind VPNs.

According to the affidavit, Scattered Spider has hit more than 100 companies, collected roughly $100 million in ransoms, and caused millions more in cleanup costs. Stokes was arrested in Finland on April 10, 2026 while trying to board a flight to Japan, on an Interpol notice tied to a U.S. warrant from December 2025. He was carrying two two-terabyte hard drives.

The superseding complaint (filed April 16, 2026) charges conspiracy, computer intrusion, extortion, and wire fraud — including a May 2025 breach of a multibillion-dollar luxury retailer (“Company F”) where attackers demanded $8 million and exfiltrated at least 77 gigabytes of data.


Why this case is a teaching moment

Most people imagine hackers getting caught because someone “traced the VPN.” That almost never happens the way movies portray it. VPN traffic is encrypted; the affidavit says so explicitly. What does happen — and what this case documents in unusual detail — is parallel reconstruction: many independent investigations that eventually merge on the same person.

Think of it like a jigsaw puzzle assembled by different teams:

  • Microsoft’s threat researchers watching a hacking cluster
  • A victim company handing chat logs to the FBI
  • Another victim’s IT team preserving server logs
  • Google, ngrok, and Teleport keeping account records
  • Snapchat and Apple answering search warrants
  • State Department travel records confirming where someone actually was

Stokes didn’t lose to one trap. He lost because the same email address, the same laptop fingerprint, and the same IP addresses kept showing up across threads that were never supposed to touch.


Thread 1 — Microsoft saw the cluster before the FBI had a name

Microsoft’s security researchers track advanced hacking groups by watching malware, victim attacks, and — critically — which computers share the same internet addresses over time. In an October 2024 referral cited in the affidavit, Microsoft identified an operator persona called “spencer” as likely Peter Stokes in Tallinn, Estonia, handling Octo Tempest malware and files linked to a U.S.-based co-conspirator.

Microsoft assessed that “spencer” had likely been involved in dozens of intrusions since 2022, including U.S. and U.K. critical infrastructure targets. Microsoft also flagged a cloud server (IP ending in .191) used for criminal infrastructure — which later became Subject Server 1 when the FBI got a search warrant on December 22, 2025.

The affiant notes that Microsoft referrals in related cases have repeatedly been corroborated by subpoenas — they are treated as reliable starting points, not gossip.


Thread 2 — He plotted a hack on the victim’s own chat platform

In March 2023, an online-communication company (“Company H”) referred an intrusion to the FBI. The attackers had social-engineered a two-factor reset, accessed internal support systems, and — in a move that would make any investigator giddy — discussed the live breach on Company H’s own product.

Chat logs show user Bouquet (Stokes) coordinating with a co-conspirator called Auth between roughly 00:23 and 03:48 UTC on March 30, 2023. They talked about accepting a virtual-machine request, using AnyDesk remote desktop, searching support tickets (including by credit card number), disabling user accounts, and eventually realizing they should stop talking on Company H and move to Telegram.

Attribution anchors from this thread:

  • A homework photo on the Bouquet account with “Peter William Stokes” written on it (January 2023)
  • Microsoft’s assessment that jordanspencer@riseup.net belonged to Stokes
  • The co-conspirator telling the FBI that Stokes used the moniker Bouquet

Profile photos on Bouquet didn’t match Stokes’s passport — the affidavit is honest about that. The case didn’t hinge on one picture; it hinged on chat content + real name on homework + later technical merges.


Thread 3 — Company F: helpdesk fraud, ngrok, and the $8M shakedown

The attack, step by step

Between May 12 and May 15, 2025, attackers hit a luxury retailer with a classic Scattered Spider opening:

  1. Voice phishing — Calls to the IT helpdesk from two Google Voice numbers (ending in 8777 and 2742), pretending to be employees who needed password and MFA device resets.
  2. Three accounts compromised in ~2–3 hours — including two IT administrators with separate high-privilege accounts unlocked via their already-compromised standard accounts.
  3. Datacenter control — Access to virtual servers in a New Jersey facility, including a server whose name ended in VB0.
  4. Persistence with ngrok — Installation of an ngrok agent on the victim server with a unique authentication token (more below).
  5. Bulk exfiltration — Teleport.sh tunnels plus Amazon S3 buckets; at least 77 GB including OneDrive files, Active Directory data, and operations-management data.
  6. Failed ransomware — Security staff blocked deployment; attackers pivoted to extortion email from a compromised company mailbox on May 15.
  7. Negotiation — Third-party negotiators spoke with attackers through June 2; final ask: $8 million. Company F did not pay; losses from disruption and response were already about $2 million.

What ngrok is — and why it mattered forensically

ngrok is a legitimate developer tool. It creates a secure tunnel from the public internet (e.g. https://abc123.ngrok.io) to a service running inside a private network (e.g. localhost:3000). Developers use it to test web apps locally. Attackers use it to punch outbound-only holes through a victim firewall and maintain access even as defenders try to evict them.

Every ngrok account has a unique authentication token. When the agent runs on a server, it presents that token to ngrok’s cloud. Company F’s logs preserved the token found on the compromised server:

2x0b1363KPV35LCUuZCkJag0G84_2btDjSM5oY82TQuiLZvaz

That token resolves to exactly one ngrok account: ac_2x0b16MSTJk4PvjLZMoqt4vOvZM, created May 12, 2025 at 19:21 UTC from IP 68.235.46.168 — a VPN exit hosted by Tzulo in Mount Prospect, Illinois. (That Illinois location is why several counts name Mount Prospect as venue — not because Stokes was physically there.)

ngrok’s logs during the intrusion showed 5 connection events and 12 tunnel events, with early movement of about 99.5 MB inbound and 1.27 GB outbound through the tunnel — consistent with uploading tools and pulling reconnaissance data before the larger Teleport/S3 exfiltration.

The account graph — stronger than any VPN

Investigators didn’t need to crack the VPN. They followed account subscriptions:

  • The ngrok account registered to mykccncn109@gmail.com
  • Google Voice number 2742 tied to the same Gmail
  • Google Voice number 8777 logged in from the same .168 IP on the same day as ngrok signup
  • Teleport.sh accounts used for exfiltration also subscribed with that Gmail

One email address bridged voice phishing, tunneling, and data theft. That’s an identity graph problem, not a wiretap problem.


Thread 4 — Device fingerprinting (GDID): the laptop that wouldn’t stay anonymous

Microsoft assigns Windows installations a Global Device ID (GDID) — a persistent identifier tied to a specific OS install on a physical machine or virtual machine. It survives Windows updates; it changes only on reinstall.

The ngrok account was created from a browser session associated with GDID g:6755467234350028. Microsoft telemetry shows that same device:

  • Visited dashboard.ngrok.com/signup at account creation
  • Visited the luxury retailer’s public website from the same VPN IP ~3 hours later
  • Shared IP addresses with Stokes’s Snapchat, Apple, and Facebook accounts on multiple dates

IP overlap examples (same device or same operator — affidavit’s conclusion)

When (UTC)            | GDID IP / action                              | Same IP on Stokes accounts
----------------------|-----------------------------------------------|-----------------------------------------------------------
Jun 4, 2024           | 91.129.97.29 — Tallinn                        | Facebook, Snapchat
Nov 17–18, 2024       | 207.237.190.238 — New York                    | Apple, Snapchat; matches travel records & hotel/UFC photos
Nov 26, 2024          | Visited empirehotelnyc.com                    | Snapchat photo matching Empire Hotel suite decor
Jan 31 – Feb 2, 2025  | 110.170.208.226 — Thailand                    | Apple accounts, Snapchat; Waldorf Astoria Bangkok posts
Jan 8, 2025           | 213.35.168.50 — Tallinn (Telia Eesti ISP)     | Growtopia/Ubisoft login; Apple Account 2 two minutes earlier
May 12, 2025          | 68.235.46.168 — Tzulo VPN                     | ngrok creation; Google Voice 8777 login

This is behavioral fingerprinting: your hacking laptop and your vacation Instagram don’t get to share an ISP address timeline if you want to stay a mystery.
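The "account graph" from Thread 3 and the IP-overlap table above are the same analytic step: records from unrelated providers get linked by a shared attribute, and the connected components tell you which personas are really one operator. The following Python is an added example written for this article, not code from the affidavit, the FBI, Microsoft, or any vendor product. It links records by a strong key (e-mail address, device id) or a weak key (same IP on the same UTC day) with a union-find, reports the edges so an analyst can see why two records merged, and ranks which attribute values bridge the most services. Every record value, device id, address and domain in it is constructed (documentation IP ranges, .invalid domains); none is taken from the case.

```python
"""Identity-graph merge over constructed account and telemetry records.

Added example (not from the affidavit, the article's author, or any vendor
tool). Each record (a tunnel-service signup, a VoIP login, a storage-service
subscription, a device-telemetry hit, a personal social-media login) carries
a few attributes. Records sharing a strong key (e-mail, device id) or a weak
key (same IP on the same UTC day) are linked; connected components show which
personas collapse into one operator. All values in RECORDS are constructed.
"""
from collections import defaultdict

STRONG_KEYS = ("email", "device")

# Constructed sample records. "service" is the provider that produced the record.
RECORDS = [
    {"id": "ngrok-signup", "service": "ngrok", "email": "ops@example.invalid",
     "device": "g:constructed-device-1", "ip": "198.51.100.10", "ts": "2025-05-12T19:21:00"},
    {"id": "voip-number-A", "service": "google_voice", "email": "ops@example.invalid",
     "ip": "203.0.113.5", "ts": "2025-05-10T11:00:00"},
    {"id": "voip-number-B", "service": "google_voice",
     "ip": "198.51.100.10", "ts": "2025-05-12T21:40:00"},
    {"id": "teleport-acct", "service": "teleport", "email": "ops@example.invalid",
     "ip": "203.0.113.77", "ts": "2025-05-13T02:15:00"},
    {"id": "retailer-site-visit", "service": "web_telemetry",
     "device": "g:constructed-device-1", "ip": "198.51.100.10", "ts": "2025-05-12T22:30:00"},
    {"id": "device-hit-2024", "service": "web_telemetry",
     "device": "g:constructed-device-1", "ip": "192.0.2.44", "ts": "2024-06-04T09:30:00"},
    {"id": "social-login", "service": "snapchat", "email": "personal@example.invalid",
     "ip": "192.0.2.44", "ts": "2024-06-04T08:00:00"},
    {"id": "bystander", "service": "snapchat", "email": "other@example.invalid",
     "ip": "192.0.2.99", "ts": "2024-06-04T09:30:00"},
]


class DisjointSet:
    """Union-find with path halving; plenty for a few thousand records."""
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def record_keys(rec):
    """Attribute values that may link this record to others."""
    keys = [(k, rec[k]) for k in STRONG_KEYS if rec.get(k)]
    keys.append(("ip_day", (rec["ip"], rec["ts"][:10])))  # weak key: same IP, same UTC day
    return keys


def build_clusters(records):
    """Return (clusters, edges): clusters as sorted lists of record ids, edges as
    (id_a, id_b, reason) so an analyst can see why two records were merged."""
    ds = DisjointSet([r["id"] for r in records])
    by_key = defaultdict(list)
    for rec in records:
        for key in record_keys(rec):
            by_key[key].append(rec["id"])
    edges = []
    for (kind, value), ids in by_key.items():
        for other in ids[1:]:  # star-join every later record to the first holder of the key
            ds.union(ids[0], other)
            edges.append((ids[0], other, f"shared {kind} {value}"))
    clusters = defaultdict(list)
    for rec in records:
        clusters[ds.find(rec["id"])].append(rec["id"])
    return sorted(sorted(c) for c in clusters.values()), edges


def merge_keys(records):
    """Attribute values that bridge more than one service. The strongest merge
    key is the one touching the most distinct services."""
    services = defaultdict(set)
    for rec in records:
        for key in record_keys(rec):
            services[key].add(rec["service"])
    return {key: sorted(svcs) for key, svcs in services.items() if len(svcs) > 1}


if __name__ == "__main__":
    clusters, edges = build_clusters(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for a, b, why in edges:
        print(f"  {a} <-> {b}: {why}")
    for key, svcs in sorted(merge_keys(RECORDS).items(), key=lambda kv: -len(kv[1])):
        print("merge key", key, "bridges", svcs)
```

On the constructed data, seven of the eight records collapse into one cluster while the bystander stays alone; the e-mail key bridges three services on its own, and the device id is what carries the operational records back to a personal login a year earlier, which is the shape of the merge the affidavit describes.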


Thread 5 — Subject Server 1: the cloud closet full of stolen files

When the FBI searched the Microsoft-flagged VPS (.191), they found what the affidavit describes as an operations hub:

  • Exfiltrated data from Company F and many other victims (Companies I through U), spread across drives C, E, F, G, and T
  • 250,000+ files from a U.S. insurance company (Company Q; ~$15–20M estimated losses)
  • 260,000+ files from Company S
  • A Telegram search bot to query stolen data
  • Virtual Android devices running Okta and Azure Authenticator — tools to abuse MFA codes obtained via social engineering
  • DragonForce ransomware-as-a-service chat logs
  • A birthday message on December 2–3, 2025 (Stokes’s DOB is December 3, 2006) boasting about stolen databases with wire-transfer data to cryptocurrency exchanges

RDP logs on the server showed remote-desktop connections from IP addresses that, within 24 hours, also accessed Stokes’s Apple and Snapchat accounts — repeatedly from August 2025 through May 2025.

At least 45 exfiltrated Company F files were on this server among hundreds of thousands of others.


Thread 6 — Social media: wealth, memes, and consciousness of guilt

December 2025 search warrants hit Snapchat (be547f61-dabe-4b6c-867e-e06d07eee7af), two Apple accounts, and Facebook. Returns confirmed Stokes through content, communications, and IP addresses.

Highlights investigators cared about:

  • Luxury travel across Europe, the U.S., Thailand, and Dubai (corroborated by State Department records) while he was 17–18
  • Cash, watches, and diamond chains reading “HACK THE PLANET” (a line from the 1995 film Hackers)
  • A Sopranos-themed moniker chart naming Peter and co-conspirator auth
  • January 2025 posts of an Estonian police station with a Blacklist joke about turning yourself in, followed by “Feds dont know what they just fumbled…”
  • Videos from associate domr212 depicting FBI chasing “Auth” and joking “he’s veracrypted gg” (VeraCrypt encryption)
  • The mugshot of sentenced Scattered Spider member Noah Urban (“Sosa”) shared in January 2024

None of this alone proves hacking. Combined with threads 3–5, it paints a lifestyle inconsistent with legitimate income and shows awareness of law-enforcement pressure on the group.


Thread 7 — Reverse subpoenas and the cooperator

On June 23, 2025, Chief Judge Virginia M. Kendall signed a reverse 18 U.S.C. § 2703(d) order (case 25 M 60220) for two Tallinn residential IPs from Microsoft records. Instead of asking “who used this crime IP,” investigators asked Microsoft: “every account that touched these home IPs — and every VPN/proxy IP those accounts used downstream.” That expands the graph outward from a suspect’s apartment connection.

Separately, the U.S.-based juvenile co-conspirator (“Auth”) — charged after an FBI Chicago investigation — confirmed to agents that Stokes used Bouquet.


How he could have avoided detection — a defensive reading

This section is for defenders and researchers studying failure modes in public court records — not a how-to for crime. Assume parallel reconstruction still happens: Microsoft and victim referrals are the norm in major cases.

The question is what would have broken the merges between independent threads:

  1. Never reuse one Google account for helpdesk VoIP, ngrok, and Teleport — the Gmail was the single strongest merge key.
  2. Isolate the hacking OS — a dedicated VM with no Microsoft consumer login, no Apple/iCloud, no Snapchat, no Facebook on the same Windows install that touches ngrok (GDID would not then bridge to personal life).
  3. Never coordinate on victim-owned platforms — Company H handed the FBI chat logs on a silver platter.
  4. Don’t centralize victim data on a long-lived VPS already flagged by Microsoft threat intel.
  5. Don’t post geo-tagged luxury travel from the same IP timeline as operational browsing — hotel URL visits matched suite photos forensically.
  6. Assume ngrok tokens on victim servers will be harvested — design so the account behind the token cannot resolve to a passport name.
  7. Separate RDP egress from personal cloud IPs — the 24-hour RDP ↔ Snapchat/Apple overlap on Subject Server 1 was damning.

Even perfect compartmentalization might not erase Microsoft’s cluster-level tracking of “spencer” in Tallinn — but Stokes’s alleged mistake was making person-level attribution trivial: same day, same IP, same email, same laptop fingerprint, same real name on homework.


What network defenders should take away

  • Helpdesk MFA resets from VoIP numbers (especially Google Voice) during admin-targeted campaigns deserve immediate escalation — callback to known corporate numbers, not caller ID trust.
  • ngrok agents on servers are high-confidence IOCs in enterprise environments — alert, block, and preserve auth tokens for legal process.
  • Correlate IdP admin events with tunnel SaaS (ngrok, Teleport) and cloud storage egress (S3 PutObject spikes) in the same incident window.
  • Feed vendor APT referrals (Microsoft-style cluster reports) into IR on day zero — parallel reconstruction starts before your internal logs alone would close the case.
  • Preserve device-level identifiers from EDR/CASB where available — they outlast VPN exit rotation.
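The second, third and fourth takeaways above are one detection: an identity-provider reset over the phone, a tunnel agent appearing on a server, and a cloud-storage egress spike, all inside one incident window. The Python below is an added example written for this article, not a rule from the affidavit, the author, or any SIEM or EDR product. It reads constructed JSON-per-line logs from three sources, flags VoIP-channel resets as high risk, extracts and preserves an ngrok auth token from the process command line (with a redacted form for display), aggregates PutObject bytes per principal and hour to find a spike, and emits an alert only when all three signals fall within eight hours of a reset. The log schema, field names, host names, bucket name and token are all constructed placeholders.

```python
"""Cross-source incident correlation over constructed log lines.

Added example (not from the affidavit, the article's author, or any vendor
product). Correlates IdP admin resets, tunnel agents on endpoints and cloud
storage egress spikes inside one time window. Every field name and value in
SAMPLE_LOGS is constructed; the auth token and bucket name are placeholders.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: one JSON object per line, three sources mixed together.
SAMPLE_LOGS = r"""
{"src":"idp","ts":"2025-05-12T18:02:11Z","event":"mfa_reset","actor":"helpdesk.tier1","target":"j.doe","channel":"phone","caller_type":"voip"}
{"src":"idp","ts":"2025-05-12T18:40:55Z","event":"password_reset","actor":"helpdesk.tier1","target":"admin.ops","channel":"phone","caller_type":"voip"}
{"src":"edr","ts":"2025-05-12T20:05:30Z","host":"srv-example-1","image":"C:\\Users\\Public\\ngrok.exe","cmdline":"ngrok.exe tcp 3389 --authtoken PLACEHOLDER_TOKEN_0000"}
{"src":"edr","ts":"2025-05-12T20:06:02Z","host":"srv-example-1","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"src":"cloud","ts":"2025-05-12T23:30:00Z","event":"PutObject","bucket":"placeholder-bucket","bytes":41000000000,"principal":"admin.ops"}
{"src":"cloud","ts":"2025-05-11T09:00:00Z","event":"PutObject","bucket":"placeholder-bucket","bytes":12000,"principal":"backup-svc"}
{"src":"idp","ts":"2025-04-01T10:00:00Z","event":"mfa_reset","actor":"helpdesk.tier1","target":"k.lee","channel":"portal","caller_type":"n/a"}
"""

RESET_EVENTS = {"mfa_reset", "password_reset"}
TUNNEL_RE = re.compile(r"\bngrok(\.exe)?\b", re.IGNORECASE)
TOKEN_RE = re.compile(r"--authtoken[= ]([A-Za-z0-9_]+)")
EGRESS_BYTES_THRESHOLD = 1024 ** 3  # 1 GiB per principal per hour counts as a spike (tune per environment)


def parse_logs(text):
    """Parse JSON-per-line records and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def classify(e):
    """Map one raw event to a signal class, or None if it is not interesting."""
    if e["src"] == "idp" and e.get("event") in RESET_EVENTS:
        # Phone-channel resets from VoIP callers are the variant to escalate first.
        risk = "high" if e.get("caller_type") == "voip" else "normal"
        return ("idp_reset", {"target": e["target"], "risk": risk})
    if e["src"] == "edr" and TUNNEL_RE.search(e.get("image", "") + " " + e.get("cmdline", "")):
        m = TOKEN_RE.search(e.get("cmdline", ""))
        return ("tunnel_agent", {"host": e["host"], "authtoken": m.group(1) if m else None})
    return None


def extract_signals(events):
    """Turn raw events into timestamped signals; egress is aggregated per principal and hour."""
    signals = []
    egress = defaultdict(int)
    for e in events:
        if e["src"] == "cloud" and e.get("event") == "PutObject":
            egress[(e["principal"], e["ts"].replace(minute=0, second=0))] += e.get("bytes", 0)
            continue
        c = classify(e)
        if c:
            signals.append((e["ts"],) + c)
    for (principal, hour), total in egress.items():
        if total >= EGRESS_BYTES_THRESHOLD:
            signals.append((hour, "storage_egress", {"principal": principal, "bytes": total}))
    return sorted(signals, key=lambda s: s[0])


def redact(token):
    """Display form of a token; the full value is kept in the alert for legal process."""
    return f"{token[:4]}...{token[-4:]}" if token and len(token) > 8 else "<short>"


def correlate(signals, window=timedelta(hours=8)):
    """Alert when an IdP reset is followed within `window` by a tunnel agent AND an egress spike."""
    alerts = []
    for ts, kind, data in signals:
        if kind != "idp_reset":
            continue
        later = [s for s in signals if ts <= s[0] <= ts + window]
        tunnels = [s for s in later if s[1] == "tunnel_agent"]
        spikes = [s for s in later if s[1] == "storage_egress"]
        if tunnels and spikes:
            tokens = sorted({t[2]["authtoken"] for t in tunnels if t[2]["authtoken"]})
            alerts.append({
                "anchor": ts.isoformat(),
                "reset_target": data["target"],
                "reset_risk": data["risk"],
                "tunnel_hosts": sorted({t[2]["host"] for t in tunnels}),
                "ngrok_tokens": tokens,                      # preserved verbatim for subpoena/legal hold
                "ngrok_tokens_display": [redact(t) for t in tokens],
                "egress_bytes": sum(s[2]["bytes"] for s in spikes),
            })
    return alerts


def run(text=SAMPLE_LOGS):
    return correlate(extract_signals(parse_logs(text)))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the sample, the two VoIP-channel resets on May 12 each produce an alert because the tunnel agent and the 41 GB PutObject hour both land within eight hours of them; the April portal reset produces nothing because no follow-on signals exist. The raw token is kept in the alert record for preservation while the console form is redacted.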

Closing note on sources and limits

Everything above derives from a probable-cause affidavit, not a trial verdict. The affiant explicitly omitted additional facts known to the investigation. Some attributions (Bouquet profile photos) did not match Stokes’s passport — the government’s theory relies on many independent links converging, which is exactly what makes modern cyber cases so hard to beat in court and so instructive for defense.

Primary document: DOJ superseding complaint & FBI affidavit (25 CR 812).