How a Windows Device Identifier Helped Investigators Track an Alleged Cybercriminal
A recently unsealed court filing has revealed how investigators were able to identify and track an alleged cybercriminal using information collected by a Windows device. The case highlights how digital evidence from computers, online accounts, and internet activity can help law enforcement investigate cybercrime, even when attackers try to hide their identity.
According to court documents, the investigation centered on a cyberattack against a luxury jewelry retailer that occurred in 2025. The attackers reportedly gained access to the company’s network by calling the IT help desk and pretending to be employees who had been locked out of their accounts. After convincing staff to reset account credentials, they were able to access internal systems, steal company data, and demand millions of dollars in ransom.
One of the key pieces of evidence was something known as the Global Device Identifier (GDID). The GDID is a persistent, unique identifier that Microsoft assigns to each installation of Windows. Unlike an IP address, which can change over time, the GDID remains associated with the same Windows installation unless the operating system is completely reinstalled. This gave investigators a reliable way to recognize the same device across different activities.
Although the attackers used tools designed to hide their location and identity, investigators were able to connect the activity to a Windows device using its GDID. By comparing this identifier with account activity, internet connections, and other digital records, investigators were able to link the device to an individual accused of taking part in the attack.
The investigation also relied on information from several online services and travel records, allowing authorities to build a timeline that matched the suspect’s locations with activity linked to the cyberattack. Together, these digital records helped investigators connect multiple pieces of evidence that may have otherwise appeared unrelated.
The case has also sparked discussion about the amount of information modern operating systems collect. While identifiers like the GDID can play an important role in criminal investigations, they also raise questions about privacy and how this information is stored, protected, and shared with law enforcement when legal requests are made.
The cyberattack itself did not rely on a software vulnerability but instead exploited human trust. By convincing help desk employees to reset account credentials, the attackers were able to bypass security measures and gain access to sensitive systems. This serves as a reminder that even organizations with strong technical defenses remain vulnerable if identity verification procedures are not followed carefully.
For businesses, the incident highlights the importance of verifying the identity of anyone requesting password resets or changes to multi-factor authentication settings. Strong authentication methods, employee security awareness training, and clear procedures for handling support requests can help reduce the risk of similar attacks.
As cybercriminals continue to use deception instead of technical exploits, investigators are increasingly relying on digital evidence left behind by devices, online accounts, and internet activity to identify those responsible. This case demonstrates that even when attackers attempt to cover their tracks, the technology they use can sometimes provide the evidence needed to trace their actions







