upvote
reply
My suspicion as well. I don't see any crystal clear evidence for it, but I'm sure looking for it.
reply
It was Microsoft Defender SmartScreen in Edge I believe. The visited domain is submitted to Microsoft to check it against known malware and phishing sites. And, as we're learning here, it is associated with the GDID (and Microsoft Account) which can be accessed via law enforcement requests.
reply
> (weird ID, by the way. 16-digits makes sense, but I would have expected it to be hexadecimal)

it's the decimal representation of a 64 bit integer

reply
> Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?

That URL shows 16 blocked requests, it tries to load (at the very least) datadog and googletagmanager, I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.

What surprises me the most is that the guy was using a Windows installation to do all of this. But then again, you only hear about the dumbest criminals who get caught, so I guess it does make sense after all.

reply
> I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.

But those companies would have no way of knowing the GDID. It's not sent in a header, I assume.

reply
A non-Edge browser would give the OS the domain name from the HTTPS connection and the page title because that's what it sets the window title to. I think that would be enough to identify the URL in a lot of cases (i.e. the sign-up URL sets the title to "ngrok Sign Up".
reply
Converting that ID to hex gives 18,000F,C8CB,93CC which rather looks like 32 bits of random data plus the prefix 0x18000f or possibly 40-48 bits of time in ms granularity from some epoch.
reply