crying.online

secret blog of a dangerous communist stuck babysitting adults on their computers

stokes, GDID, and scattered spider

scattered spider member peter stokes was arrested in april 2026 in finland, en route to japan. an american-estonian citizen born december 3, 2006, stokes grew up in the suburbs around chicago and had been active with scattered spider since 2022–2023.

what made his arrest interesting from an opsec standpoint: he was travelling constantly across europe and the middle east on his normal identity, spending openly, with no reputable income source on record. state department records tracked all of it.

the arrest came down to a subpoena paper trail. warrants went to snapchat, microsoft, and apple, cross-referencing estonian IPs against device and account GDIDs provably tied to stokes. the resulting IP overlap was the probable cause:

[figure: court document diagram showing IP address correlation across snapchat, apple, and microsoft warrant returns mapped against 191 RDP log entries]

"the IP overlap that is depicted above indicates that the individual using RDP into Subject Server 1 is the same individual that was controlling the Apple, Snapchat, and Microsoft accounts—known to be used by STOKES"

the GDID correlation — matching the same IP addresses across 191 RDP logs, two apple account returns, one snapchat return, and microsoft records — is what ultimately made the case. real name, real travel, real accounts. no opsec at all.
