The article has a link to "39-page criminal complaint" PDF, and I'd summarize the prosecution's claims (from sections 21.e, 22, 26) as:
1. The ngrok client was downloaded onto hardware owned by the victims and used by the attacker.
2. The client was later discovered along with an ngrok auth token. (2x0b1363KPV35LCUuZCkJag0G84_2btDjSM5oY82TQuiLZvaz)
3. The ngrok auth data was linked to an ngrok account. (ac_2x0b16MSTJk4PvjLZMoqt4vOvZM)
4. Although a VPN was used by whomever created the ngrok account, the creation-time of the account correlates to Microsoft's telemetry, which indicates that the accused's computer was visiting ngrok sign-up pages.
Thank you! This is not only good to know as an ngrok user myself, but it's also more informative than what's in the article.
Sounds like we can rule that out as the avenue of detection.
Asking for a friend.
Does the Microsoft store imprint an identifier into the network traffic of all the binaries downloaded from it?
And if so, how?
All of ngrok's traffic is TLS encrypted which means that only the client software and the server/peer should be able to decrypt or modify it.