Microsoft Disrupts Cybercrime Service

12328044672?profile=RESIZE_400xMicrosoft’s spokesman announced on 13 December 2023 the disruption of Storm-1152, a Cybercrime-as-a-Service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts supporting phishing, identity theft, and other schemes.  The CaaS is believed to have made millions of dollars in illicit revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, Distributed Denial-of-service (DDoS), and other types of attacks.


Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms.  These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.  One of Storm-1152’s customers has been Octo Tempest, also known as Scattered Spider, 0ktapus, and UNC3944, which has used fraudulent accounts in social engineering attacks aimed towards financial extortion.  Storm-0252, Storm-0455, and other ransomware or extortion groups also purchased accounts from the CaaS.


With help from bot management and account security firm Arkose Labs, which has been tracking Storm-1152 since August 2021, Microsoft gathered intelligence on the CaaS and its activities and infrastructure, which it then used to obtain a court order to seize the cybercrime ring’s US-based infrastructure.   Issued on 07 December 2023, the court order allowed Microsoft to take over domains such as Hotmailbox[.]me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as social media accounts that the CaaS has been using to promote the illicit services.

Microsoft has revealed the identity of three individuals believed to be operating Storm-1152, namely Duong Dinh Tu, Linh Van Nguyễn (aka Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam.  “Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on using their products via video tutorials, and provided chat services to assist those using their fraudulent services,” ed.

Storm-1152’s activities were noticed by Arkose Labs, which started investigating the group and reported the findings to Microsoft.  The two companies started collecting tactics, techniques, and procedures (TTPs) associated with the threat actor to identify its infrastructure.  According to Arkose Labs, Storm-1152 has been observed pivoting its business model to circumvent protective measures deployed against it, including switching between CAPTCHA solver services.

Microsoft filed a lawsuit against the individuals on behalf of its millions of customers who may have been targeted and harmed by the attacks.  Arkose Labs is supporting Microsoft with its detailed evidence of the attacks.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or   

Weekly Cyber Intelligence Briefing




Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!