Stokes allegedly hid his device behind a virtual private network (VPN) server which he then used to open an account on the ngrok secure tunnelling service.
But doing so did not mask the unique GDID of the Windows installation he used.
Microsoft identified that GDID for investigators after a court order, based on ngrok’s time-stamped access records.



What kind of eleet haxor dude uses Windows?
Back then, we used to call those “script kiddies”.
Most of them are still. I’ve read a analysis of the log of a purposedly exposed system a while ago. Don’t know the exact numbers anymore but : ca. 9 of 10 are bots placing a backdoor. Of the human visitors, most are just looking around, poking things, getting bored, bye. And 2 of all of them were (cybercriminal) professionals who knew what they’re doing.
https://arman-bd.hashnode.dev/i-left-port-22-open-on-the-internet-for-54-days-here-s-who-showed-up
Right, that one, thanks!