Tracking Peter Stokes and The Com: Allison Nixon and Her Work Unmasking Cybercriminals

Tracking Peter Stokes and The Com: Allison Nixon and Her Work Unmasking Cybercriminals
Allison Nixon, chief research officer at Unit 221B. (Image: YLVA EREVALL)

Any time a member of The Com gets arrested, there’s a good chance Allison Nixon played a role in it. Nixon is chief research officer at the cyber investigations firm Unit221B, named after the apartment number of famed literary detective Sherlock Holmes. She has built her career tracking members of The Com, the loosely affiliated collection of hacking groups that have wreaked havoc on corporate America the last three years. 

Unmasking cybercriminals who think they’re anonymous has become Nixon’s stock in trade, as has her talent for identifying nascent cybercrime trends before they become major problems and for zeroing in on budding cybercriminals in the early days of their careers before they get on the radar of law enforcement. Her work tracking them is often what puts them on that radar.

In April, authorities arrested Peter Stokes in Finland, a 19-year-old member of The Com-affiliated group Scattered Spider, which is behind ransomware and data theft-extortion schemes against companies like MGM Resorts, Visa, Twilio, and the luxury fashion brands Dior, Louis Vuitton and Tiffany and Company, among others. Stokes, who has dual US-Estonian citizenship and used the alias “Bouquet” online was arrested at a Finnish airport before boarding a flight to Japan, and this month US authorities announced his successful extradition to the US.

The indictment against him mentions how Microsoft used GDID (Global Device Identifier) - a unique ID that Microsoft assigns to every device on which Windows is installed — to track his online activity in 2025, including log-ins to social media and messaging accounts like Snapchat and Facebook and access to victim networks. According to the evidence, Stokes was part of a May 2025 breach of a luxury jewelry brand — not identified by name in the indictment but believed to be Tiffany and Co — in which the cybercriminals demanded an $8 million ransom. He allegedly used a VPN proxy to obscure his IP address when he tunneled into the company’s servers, but due to the GDID associated with his computer, Microsoft was able to connect the activity to his machine.

There has been a lot of speculation that the GDID was the way Bouquet/Stokes was unmasked. But Nixon says investigators uncovered Bouquet’s real identity years earlier, after he posted a threat against her in a Telegraph channel in September 2022 when he was just 15 years old. “Shoutout to Allison Nixon, hope you get put in a spliff bitch,” Bouquet wrote at the time. She reported the post and Bouquet to her community of security researchers and law enforcement contacts, leading someone to uncover his real identity within months. The Microsoft GDID tracking was simply part of a years-long investigation in the aftermath of this threat to produce a trail of evidence connecting Stokes’ computer to various crimes over the last four years. Some of that evidence went into the indictment that was produced after he became an adult and could be charged with felonies.

Nixon says often the cybercriminals she tracks were never on her radar before they posted a death threat about her. They only became a target of her tracking after threatening her, eventually leading to their arrest.

In some respects, despite using VPNs and other cloaking measures, Stokes and his accomplices didn’t make it hard for investigators to identify them or tie them to their crimes. In March 2023, Stokes and an accomplice allegedly breached the backend infrastructure of an online communication platform — a platform on which they both already had user accounts. Stokes used his account under the moniker "Bouquet", according to the indictment. The indictment doesn't identify the platform, but it's possibly Snapchat, since the indictment references Stokes' use of a Snapchat account frequently. The two accomplices "discussed and plotted" their breach of the platform in messages exchanged between their user accounts on the platform, and because Stokes’ accomplice used the same IP address to breach the company that he used to log in to his user account on the company's platform, the company was able to tie that user account to their backend breach.

In addition to this, two months before the March breach, Stokes had published to his "Bouquet" user account on the breached platform a photo of what appeared to be his school homework. In the top righthand corner of the homework was the name “Peter William Stokes.”

Stokes was also fond of posting images of himself that seemed to reveal some of the illicit spoils from his crimes — for example, a 2024 image shows him flashing a fan of what appears to be $100 bills from a room at the 4-star Empire Hotel in New York (the Upper West Side hotel made famous in Gossip Girl when rich kid Chuck Bass purchases it and uses it as his home base for business dealings); another image shows him wearing what appears to be a diamond-encrusted necklace that reads “Hack the Planet” - the catchphrase of the lead character in the 1995 film “Hackers”.

I published a lengthy profile of Nixon and her work earlier this year, looking at how she became a cybercriminal hunter and how she tracks the people she targets. I'd recommend reading that piece for a lot of interesting details that aren't included here. I recently spoke with her again about how Stokes was identified, and why members of The Com so frequently boast about their escapades online, leaving a trail of evidence for investigators to collect. The interview has been edited for length and clarity.

Telegram channel for three Com subgroups - Scattered Spider, Lapsus$ and ShinyHunters - with a reference to Allison Nixon on the title page.

You’ve indicated that the act of threatening you is pretty much a death knell for members of The Com, because once they get on your radar by posting threats about you, you won't rest until they're identified and arrested. In a recent LinkedIn post, you mentioned that Peter Stokes, under the alias “Bouquet”, began posting threats about you online in 2022, four years before his arrest. What was the nature of the threats, and what did you do in response?

[In September 2022] this Telegram account named “Bouquet” says “shoutout to Allison Nixon, hope u get put in a spliff bitch,” and [that message got] spammed across all of these Telegram channels. In American slang, “spliff” has a certain meaning, and that doesn't make sense [in the context of what he wrote]. But in the UK, in their gang terminology, “spliff” means casket.

And then some other account says, “if ur reading this Allison Nixon kill yourself down syndrome ass bitch.”… And they were talking about bricking me. One of them said, “if only Patrick wasn't in jail.” That's a reference to Patrick McGovern-Allen, who…bricked people. [Editor’s note: Bricking refers to throwing a brick or Molotov cocktail through someone’s window; McGovern-Allen offered attacks like these under a violence-as-a service business and was arrested in August 2022, the month before the the user posted this message about Nixon.]

I notified everybody I talked to [in the research community and law enforcement]. Every single one of these threats and targeting of researchers in general, and targeting of FBI agents…I notify everybody I talked to. And the reason why is because this is such a high-fidelity indicator…of extremism. I say that not lightly at all. I mean this indicates the mental state of an actor who is going to become a problem [later], because they are so extremist that they see security people and investigators as the enemy — not just a technical adversary, but … “I hate you, I will kill you”. And so every single person that does that has always 100% of the time become a major, major problem down the line.

And I'll tell you,…choosing this red flag to run down…is why I have a career. Because when I first started my research career, I had realized this with threat actors that were threatening the journalist Brian Krebs and…certain FBI agents that I knew. I dug into them, and I'm like, wow, they're doing all these crazy, crazy fraud [crimes]…. They’re going to be like the next big problem. And every single one of them has [gone on to do] crimes that have resulted in major headlines, global disruptions.

And so this is why I've been able to position myself to have tons of background knowledge on [threat] actors, because the first thing I keyed in on was [the significance of] them making death threats against investigators [as an indication of future crimes]…. That has been my secret sauce for the entire career…. I’ve started telling people about this, I'm like hey, this is actually a flag that you should pay attention to [when it occurs], and people…take it very seriously. So anytime I see anybody threatening an investigator or an FBI agent or a journalist, I will share it as a threat indicator…for the purposes of letting people know, hey…this person is going to be your big problem in a few months to a year….

If you find this article valuable, you can leave a one-time tip to express appreciation to the author.

Is it a concern that now that you talk about how they get on your radar that they may lie low and stop threatening you in order to not draw attention? It might be harder to identify the problem makers early in the game then.

It’s true. But that said,…the people with that kind of extreme mindset, they do other things to get attention. And that's not the only red flag that I key in on.

After “Bouquet” and his associates began posting threats, and you notified everyone that you knew about this, how quickly was Stokes identified, and what mistakes did he make that got him identified as Bouquet?

Bouquet said “hope you get put in a spliff, bitch” on September 7th, 2022. And I [became] aware of it on September 14th, 2022. So I discovered it seven days after he threatened me. The earliest instance of [someone naming Bouquet] “Peter Stokes” was March 1st, 2023.

So he was identified within six months. Do you know what got him identified? People have been focusing on the Windows GDID as the thing that got him caught.

It’s hard to, like, attribute specific credit to specific things and also I wouldn't want the person [who identified him] to get death [threats]. So I'll just say I notified a bunch of people, and somebody had the answer. [Editor: See above for details from the indictment about an image that "Bouquet" posted to his messaging account in January 2023 showing what appeared to be his school homework with his name on it. It’s not clear if this is what got him identified, but the timeframe matches when Nixon says he was identified and when that same messaging service was investigating the breach of its backend infrastructure by Stokes and an accomplice.]

The actual work of doing attribution is kind of different from the public's conception of how attribution work gets done. When people are looking at the indictment and saying, oh, they found him because they traced an IP address to a physical address [so] that’s how he got found, it's like, no. When you're constructing a narrative for an indictment or a legal brief of any kind, you're providing the logical link so that a judge or a jury can understand that this item A is attached to person B. You're trying to convince a judge and a jury of this. So the argument put forth in the legal brief is completely different than the actual work process that led to the results.

The actual process of attribution is so non-linear, and the arguments in court [documents] are linear by necessity, because you've got to get a judge to understand [how you connected the person to the crimes]. If you were to actually [lay out] the entire work process of how stuff got figured out, there's going to be a whole lot of…”I was talking to a buddy of mine on Signal at 3 am that works at another company, and they shared this tip. And then this happened, and this happened…and I found this connection.” That's what the actual work process looks like.

Image included in the indictment that prosecutors say Peter Stokes posted to his Snapchat account in November 2024 during a trip to New York. It shows him making a fan from what appear to be $100 bills.

The indictment suggests that Microsoft was watching him years prior to his arrest. In October 2024, for example, the company told the FBI it had been tracking his online activity and that he appeared to be living in Tallinn, Estonia.

If someone's abusing [a company’s terms of service] and being a security threat, a private sector [entity] is allowed to watch…and gather evidence. So evidence was being gathered because this cluster of people [including Stokes]…were all getting into SIM swaps super early in their lives.

I can tell you that of all of the people that I've talked to about all of these things, Peter Stokes and his group of people were continuously on the radar of people during this time period. There was active work going on for a multi-year period. I mean, he wasn't the only thing they were working on, but these people were continuously active on him. 

Was Microsoft doing real-time monitoring in 2024 when he was committing crimes? Or did they only do that work later, retroactively? I think you're suggesting that Microsoft, back in 2024, was already monitoring him.

Yes, there is no way this was the first time Microsoft had heard of Peter Stokes. I know that for sure. They were one of the recipients, and I can't speak for them for what they did after that, but I know they were recipients of that information [I gave them] long before 2024.

Images included in the indictment that prosecutors say Peter Stokes (aka Bouquet) posted to his Snapchat account in February 2025 (left), and in December 2024 (right), the month he turned 18. The "Hack the Planet" necklace is a reference to the 1995 movie "Hackers".

The indictment talks about Stokes showing signs in 2024 and 2025 of having a “substantial amount of wealth for a person his age.” Although it says his father is a former executive in two major European businesses, and therefore Stokes’ family “appears to be well off,” it also indicates he was already committing crimes at age 16. So why wasn't he arrested earlier if he was already identified in March 2023 and had been traced to crimes? I know he was underage, but juveniles in the US who commit cyber crimes have been arrested in the past. And he visited New York in November 2024 [eight days shy of his 18th birthday] and posted photos from his hotel room. Why wasn't he apprehended before he could commit more crimes?

I’m not sure if no one ever visited him. I know there's other people in his group — his little cluster that were active at that time and were also threatening me — that got visited by the police…. FBI will not arrest juveniles, because there is no federal juvenile system. But FBI have, I believe, searched houses and also visited [juveniles] and said, like, hey, please stop doing crime….

In the United States federal system, if you're a minor and you do a bunch of crimes, FBI won't get you. But you turn 18, and you do one crime along the same series, then FBI can charge you for the previous [offenses]. Sometimes FBI will work with state and local police and hand off the case [to them], and then state and local [authorities] can arrest them and possibly charge them…because the juvenile system exists at that level.

[But] I want to add more questions [to the one you’re asking]. So when juveniles are visited by the police…or maybe their devices are searched, or there's some kind of government intervention…why is that government intervention so ineffective at making them stop [their criminal behavior]? There are actors that [even] get arrested and they…get out on bail, and then they immediately re-offend. So why does arresting not stop these people? Why does getting all your devices seized and searched not stop these people? These are super important questions.

The indictment includes a number of social media photos and chat logs in which Stokes appears to be bragging about his crimes and posting images of money, jewelry, and high-end hotel rooms. Why do you think young perpetrators are so reckless about drawing attention to themselves and leaving a trail of evidence? It can't be that they don't realize the risks of arrest, because they talk online about other Com members getting arrested, and they joke about the FBI tracking them personally.

There's a couple answers to that. First of all, … the way the justice system works trains these kids to not take the police seriously. Even though they…see people that they know being arrested,…getting arrested is not the end of the world [for them]…. They don't get long sentences. They get zero months in jail and some probation. That's the commonly understood outcome. Most of the cases turn out that way…. And within The Com, their consensus is that you're not going to get a long sentence if you're young and a hacker. They do understand that getting arrested multiple times will get a longer penalty [but] the mental illness and the drug abuse that these people engage in or suffer from, all of those things impact the human brain's ability to organize for the future. And that also includes truly comprehending penalties that will only happen in the future. If you don't give them penalties immediately that…are painful for them, then they're going to keep doing the thing. Because a potentially bad thing two years from now means literally nothing to them.

When the government just lets these people out [on bail or gives them probation], that’s incredibly dangerous for society. Because after they've had their first brush with the legal system, they understand how stuff works. As a defendant, they are given evidence about how they got caught…. They learn from that. They get better. The lessons they take away from it are, here's how you got caught, and don't get caught again, you know? So every interaction they have with the justice system, they get a little bit better as threat actors. And they have no interest in not doing crime. They know that they have no life outside of doing crime. They have no friends outside of doing crime…. We can't say like every single person is going to re-offend because that's not true. However, we can say that most people with certain risk factors are highly likely to re-offend. That is supported by evidence.

If you have tips or story ideas you can contact me securely via the following:

Signal - KimZ.42

Keybase - kimzet

kzetter@protonmail.com

If you'd like to advertise on Zero Day, you can reach me at countdowntozeroday@gmail.com

Please do not use any of these methods to contact me if you're a marketer

What are the risk factors?

This is something that I think really needs a lot more academic study. But from my professional experience, I argue that the following are high risk factors. So first of all, lack of family support. These people join these gangs because they don't have a social and family life in their real life. And so they construct one online…. One thing we see with these kids that really go off the deep end is that they don’t have any real-life communities any more that they’re attached to…. Most kids have friends in real life, and people prefer real interactions compared to online interactions…

Another major risk factor is severe drug abuse. There are a lot of people in The Com that are…opiate addicts. And a disproportionate number of them overdose and die…. People that have these addictive tendencies and get…way too deep into drugs, for some reason, they can't really process things in the same way. And in order to actually rehabilitate from a life of crime, you have to do a lot of personal introspection and thinking about some really painful things. And if your habit is to kill the pain by taking drugs, you kind of interrupt that process.

Another major, major risk factor is severe mental illness and personality disorder…. You’ve got people with personality disorders [in The Com]. They talk about being diagnosed with antisocial personality disorder and borderline personality disorder…. And you get people let out of jail that have no professionals in their life taking care of that. 

So a lot of people that only have online friends are [in The Com] because they have other problems that are not addressed, and the social fabric has broken down to the point that they’re falling through the cracks, and the only remaining social resources for them are just online…. [They] correctly recognize that they don’t have a future job-wise or life-wise…. The only skills that they know are related to fraud.

See Also:

Hackers Made Death Threats Against This Researcher. Big Mistake.

Arrest of Iranian Hacker Spotlights Iran's Move into Economic Espionage and IP Theft

Booz Allen Tech Contractor Took IRS Job Specifically to Leak Trump's Tax Records

John Bolton Indictment Provides Interesting Details About Hack of His AOL Account and Extortion Attempt

Share this post: