{
	"id": "371b3a6a-775c-4c07-8d58-032754d24808",
	"created_at": "2026-04-06T00:16:21.782678Z",
	"updated_at": "2026-04-10T13:12:56.239449Z",
	"deleted_at": null,
	"sha1_hash": "4a64d55177990bd43e8dbdf9d1a544a5bd1d9b62",
	"title": "Disrupting the gateway services to cybercrime - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 334633,
	"plain_text": "Disrupting the gateway services to cybercrime - Microsoft On the\r\nIssues\r\nBy Amy Hogan-Burney\r\nPublished: 2023-12-13 · Archived: 2026-04-02 10:49:02 UTC\r\nAt Microsoft, we continue to look for creative ways to protect people online and that includes having no tolerance\r\nfor those who create fraudulent copies of our products to harm others. Fraudulent online accounts act as the\r\ngateway to a host of cybercrime, including mass phishing, identity theft and fraud, and distributed denial of\r\nservice (DDoS) attacks. That is why today, we, with valuable threat intelligence insights from Arkose Labs, a\r\nleading cybersecurity defense and bot management vendor, are going after the number one seller and creator of\r\nfraudulent Microsoft accounts, a group we call Storm-1152. We are sending a strong message to those who seek to\r\ncreate, sell or distribute fraudulent Microsoft products for cybercrime: We are watching, taking notice and will act\r\nto protect our customers.\r\nStorm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass\r\nidentity verification software across well-known technology platforms. These services reduce the time and effort\r\nneeded for criminals to conduct a host of criminal and abusive behaviors online. To date, Storm-1152 created for\r\nsale approximately 750 million fraudulent Microsoft accounts, earning the group millions of dollars in illicit\r\nrevenue, and costing Microsoft and other companies even more to combat their criminal activity.\r\nWith today’s action, our goal is to deter criminal behavior. By seeking to slow the speed at which cybercriminals\r\nlaunch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting\r\nour customers and other online users.\r\nHow cybercriminals use Storm-1152’s services\r\nStorm-1152 plays a significant role in the highly specialized cybercrime-as-a-service ecosystem. 
Cybercriminals\r\nneed fraudulent accounts to support their largely automated criminal activities. With companies able to quickly\r\nidentify and shut down fraudulent accounts, criminals require a greater quantity of accounts to circumvent\r\nmitigation efforts. Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can\r\nsimply purchase them from Storm-1152 and other groups. This allows criminals to focus their efforts on their\r\nultimate goals of phishing, spamming, ransomware, and other types of fraud and abuse. Storm-1152 and groups\r\nlike them enable scores of cybercriminals to carry out their malicious activities more efficiently and effectively.\r\nMicrosoft Threat Intelligence has identified multiple groups engaged in ransomware, data theft and extortion that\r\nhave used Storm-1152 accounts. For example, Octo Tempest, also known as Scattered Spider, obtained fraudulent\r\nMicrosoft accounts from Storm-1152. Octo Tempest is a financially motivated cybercrime group that leverages\r\nbroad social engineering campaigns to compromise organizations across the globe with the goal of financial\r\nextortion. Microsoft continues to track multiple other ransomware or extortion threat actors that have purchased\r\nfraudulent accounts from Storm-1152 to enhance their attacks, including Storm-0252 and Storm-0455.\r\nhttps://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/\r\nPage 1 of 5\n\nOur disruption strategy\r\nOn Thursday, December 7, Microsoft obtained a court order from the Southern District of New York to seize U.S.-\r\nbased infrastructure and take offline websites used by Storm-1152 to harm Microsoft customers. While our case\r\nfocuses on fraudulent Microsoft accounts, the websites impacted also sold services to bypass security measures on\r\nother well-known technology platforms. Today’s action therefore has a broader impact, benefiting users beyond\r\nMicrosoft. 
Specifically, Microsoft’s Digital Crimes Unit disrupted:\r\nHotmailbox.me, a website selling fraudulent Microsoft Outlook accounts\r\n1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, websites that facilitate the tooling, infrastructure,\r\nand selling of the CAPTCHA solve service to bypass the confirmation of use and account setup by a real\r\nperson. These sites sold identity verification bypass tools for other technology platforms\r\nThe social media sites actively used to market these services\r\nImages of Storm-1152’s illicit websites\r\nMicrosoft is committed to providing a safe digital experience for every person and organization on the planet. We\r\nwork closely with Arkose Labs to deploy a next-generation CAPTCHA defense solution. The solution requires\r\nevery would-be user who wishes to open a Microsoft account to represent that they are a human being (not a bot)\r\nand verify the accuracy of that representation by solving various types of challenges.\r\nAs founder and CEO of Arkose Labs, Kevin Gosschalk says: “Storm-1152 is a formidable foe established with the\r\nsole purpose of making money by empowering adversaries to commit complex attacks. The group is distinguished\r\nby the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a\r\ntypical internet going-concern, providing training for its tools and even offering full customer support. 
In reality,\r\nStorm-1152 was an unlocked gateway to serious fraud.”\r\nStorm-1152’s activity not only violates Microsoft’s terms of services by selling fraudulent accounts, but it also\r\npurposely seeks to harm customers of Arkose Labs and deceive victims pretending to be legitimate users in an\r\nattempt to bypass security measures.\r\nWhat visitors to hotmailbox.com, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA will see if they try to access\r\nthe websites\r\nIdentifying the individuals and infrastructure behind Storm-1152\r\nOur analysis of Storm-1152’s activity included detection, analysis, telemetry, undercover test purchases, and\r\nreverse engineering to pinpoint the malicious infrastructure hosted in the United States. Microsoft Threat\r\nIntelligence and Arkose Cyber Threat Intelligence Research unit (ACTIR) provided additional data and insights to\r\nstrengthen our legal case.\r\nAs part of our investigation, we were able to confirm the identity of the actors leading Storm-1152’s operations –\r\nDuong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen – based in Vietnam.\r\nOur findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those\r\nusing their fraudulent services.\r\nDuong Dinh Tu’s YouTube channel with “how to videos” to bypass security measures\r\nMicrosoft has since submitted a criminal referral to U.S. law enforcement. 
We are grateful for our partnership with\r\nlaw enforcement who can bring those looking to harm our customers to justice.\r\nOur ongoing commitment to fighting cybercrime\r\nToday’s action is a continuation of Microsoft’s strategy of taking aim at the broader cybercriminal ecosystem and\r\ntargeting the tools cybercriminals use to launch their attacks. It builds on our expansion of a legal method used\r\nsuccessfully to disrupt malware and nation-state operations. We have also partnered with other organizations\r\nacross the industry to increase intelligence sharing on fraud and further enhance our artificial intelligence and\r\nmachine learning algorithms that quickly detect and flag fraudulent accounts.\r\nAs we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and\r\nongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s\r\noperations, we expect other threat actors will adapt their techniques as a result. Continued public and private\r\nsector collaboration, like today’s with Arkose Labs and U.S. law enforcement, remains essential if we want to\r\nmeaningfully dent the impact of cybercrime.\r\nTags: cyberattacks, cybercrime, cybersecurity, Microsoft Threat Analysis Center, MTAC, Storm-1152, The Digital\r\nCrimes Unit\r\nSource: https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/"
	],
	"report_names": [
		"cybercrime-cybersecurity-storm-1152-fraudulent-accounts"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ead52dab-d2cb-44f4-a67a-56ffbc347b7e",
			"created_at": "2024-02-02T02:00:04.084899Z",
			"updated_at": "2026-04-10T02:00:03.560106Z",
			"deleted_at": null,
			"main_name": "Storm-1152",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1152",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434581,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a64d55177990bd43e8dbdf9d1a544a5bd1d9b62.pdf",
		"text": "https://archive.orkl.eu/4a64d55177990bd43e8dbdf9d1a544a5bd1d9b62.txt",
		"img": "https://archive.orkl.eu/4a64d55177990bd43e8dbdf9d1a544a5bd1d9b62.jpg"
	}
}