Connect with us

Hi, what are you looking for?



Microsoft Disrupts Cybercrime Service That Created 750 Million Fraudulent Accounts

Microsoft disrupts Storm-1152, a cybercrime-as-a-service business facilitating phishing, identity theft, and DDoS attacks.

Microsoft on Wednesday announced the disruption of Storm-1152, a cybercrime-as-a-service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts in support of phishing, identity theft, and other schemes.

The CaaS is believed to have made millions of dollars in illicit revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, distributed denial-of-service (DDoS), and other types of attacks.

“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms. These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online,” Microsoft notes.

One of Storm-1152’s customers has been Octo Tempest, also known as Scattered Spider, 0ktapus, and UNC3944, which has used the fraudulent accounts in social engineering attacks aimed towards financial extortion. Storm-0252, Storm-0455, and other ransomware or extortion groups also purchased accounts from the CaaS.

With help from bot management and account security firm Arkose Labs, which has been tracking Storm-1152 since August 2021, Microsoft gathered intelligence on the CaaS and its activities and infrastructure, which it then used to obtain a court order to seize the cybercrime ring’s US-based infrastructure.

Issued on December 7, the court order allowed Microsoft to take over domains such as Hotmailbox[.]me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as social media accounts that the CaaS has been using to promote the illicit services.

Additionally, Microsoft has revealed the identity of three individuals believed to be operating Storm-1152, namely Duong Dinh Tu, Linh Van Nguyễn (aka Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam.

“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” Microsoft explains.

Advertisement. Scroll to continue reading.

Storm-1152’s activities first caught the eye of Arkose Labs, which started investigating the group and reported the findings to Microsoft. Together, the two companies started collecting tactics, techniques, and procedures (TTPs) associated with the threat actor, to identify its infrastructure.

According to Arkose Labs, Storm-1152 has been observed pivoting their business model to circumvent protective measures deployed against it, including switching between CAPTCHA solver services.

“Microsoft filed a lawsuit against the individuals on behalf of its millions of customers who may have been targeted and harmed by the attacks. Arkose Labs is supporting Microsoft with our detailed evidence of the attacks,” Arkose Labs notes.

The two companies also reported their findings to law enforcement.

Related: Law Enforcement Reportedly Behind Takedown of BlackCat/Alphv Ransomware Website

Related: US Announces Takedown of Card-Checking Service, Charges Against Russian Operator

Related: Takedown of GitHub Repositories Disrupts RedLine Malware Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.