← Back to context

Comment by Terr_

1 day ago

> Exactly how does Microsoft's device identifier get associated with the ngrok session

The article has a link to "39-page criminal complaint" PDF, and I'd summarize the prosecution's claims (from sections 21.e, 22, 26) as:

1. The ngrok client was downloaded onto hardware owned by the victims and used by the attacker.

2. The client was later discovered along with an ngrok auth token. (2x0b1363KPV35LCUuZCkJag0G84_2btDjSM5oY82TQuiLZvaz)

3. The ngrok auth data was linked to an ngrok account. (ac_2x0b16MSTJk4PvjLZMoqt4vOvZM)

4. Although a VPN was used by whomever created the ngrok account, the creation-time of the account correlates to Microsoft's telemetry, which indicates that the accused's computer was visiting ngrok sign-up pages.