Microsoft has launched an aggressive crackdown on Storm-1152, a group offering “cybercrime-as-a-service,” taking significant legal actions to dismantle its network. This initiative includes seizing the group’s infrastructure in the US, shutting down critical websites, and conducting thorough investigations to identify those accountable for the group’s operations.
This move by Microsoft marks a significant milestone in the battle against cybercrime, aiming to disrupt the activities of Storm-1152, which provides cybercriminals with illicit services and tools.
According to Amy Hogan-Burney, General Manager and Associate General Counsel for Cybersecurity Policy and Protection at Microsoft, Storm-1152 operates illicit websites and social media platforms, selling fraudulent Microsoft accounts and identity verification bypass tools. These services streamline various criminal activities conducted by cybercriminals online.
Storm-1152 has distributed approximately 750 million fake Microsoft accounts for sale, making it a particularly serious threat. This group simplifies access to fake accounts for cybercriminals, allowing them to focus on activities like phishing, spamming, ransomware attacks, and other fraudulent practices.
Microsoft’s legal actions were authorized by a recent court order from the Southern District of New York, enabling the company to seize Storm-1152’s US-based infrastructure and websites. This included taking down platforms like Hotmailbox.me and disrupting services such as 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, along with targeting the social media channels used for promoting these illicit services.
The primary goal of Microsoft’s actions is to deter criminal behavior by slowing down the speed at which cybercriminals can launch attacks, thereby increasing their cost of operation. Additionally, Microsoft’s Threat Intelligence has observed various groups, including Octo Tempest, using Storm-1152’s fake accounts for ransomware and other cybercrimes.
Microsoft has identified the individuals behind Storm-1152’s operations as Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam. Microsoft provided evidence of their involvement, including screenshots of Duong’s YouTube channel featuring instructional videos on bypassing security measures.
Microsoft collaborated with Arkose Labs to investigate and take action against Storm-1152. Kevin Gosschalk, founder and CEO of Arkose Labs, emphasized the group’s unique approach of openly operating its “Cybercrime-as-a-Service” model rather than on the dark web, providing training and customer support for its illicit tools.
