750M Fake Accounts, $M in Scam: Microsoft Dismantles Fraud Storm-1152 Group

Images of Storm-1152’s illicit websites

Microsoft has announced a comprehensive operation against a cybercriminal syndicate known as Storm-1152, which it holds responsible for creating approximately 750 million counterfeit Microsoft accounts. These accounts, along with associated websites, were used in various cybercrimes. The company disclosed this information on its official website.

The announcement of the syndicate's dismantlement came shortly after Microsoft obtained a court order from New York authorizing the seizure of infrastructure and websites used by Storm-1152 within the United States. Microsoft stated that Storm-1152's actions significantly facilitated malicious activity by numerous cybercriminals.

Storm-1152 stood apart from its counterparts by specializing in cybercrime as a service, offering bogus Microsoft accounts and CAPTCHA circumvention services. According to Microsoft, Storm-1152's operations yielded "millions of dollars in illicit revenue," and cost the company and other victims even more to combat their crimes.

The investigation also found that many individuals from Vietnam played a pivotal role in developing and maintaining the websites linked to Storm-1152's activities. These individuals created instructional videos and offered chat support for their products while exploiting the fake Microsoft accounts.

Duong Dinh Tu’s YouTube channel with “how to videos” to bypass security measures

Microsoft researchers also discovered that several groups involved in extortion and data theft used Storm-1152 accounts. Among those mentioned was Scattered Spider (UNC3944), a group of young hackers known for infiltrating major companies like MGM Resorts and Caesars Entertainment.

Microsoft managed to seize hotmailbox[.]me, a website where Microsoft accounts from around the world were sold. A screenshot of the site reveals that the accounts were sold for fractions of a cent, each unique and sold only once.

Microsoft stated that the ability of companies to swiftly identify and shut down fraudulent accounts forces criminals to seek new methods to circumvent security systems. Purchasing accounts from groups like Storm-1152 allows them to focus on phishing, spam, extortion, and other forms of fraud.

The operation also disrupted the activities of several other services, including 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA. Microsoft collaborated with Arkose Labs to research and take action against the Storm-1152 group.