Microsoft Disrupts Cybercrime Operation Selling Fraudulent Accounts to Notorious Hacking Gang

Microsoft has successfully dismantled the infrastructure of a cybercrime operation known as “Storm-1152”

In a significant move, Microsoft has dismantled the infrastructure of a cybercrime operation known as “Storm-1152,” which was responsible for selling access to fraudulent Outlook accounts to various hacking groups, including the infamous Scattered Spider gang.

Characterized as a major player in the cybercrime-as-a-service (CaaS) ecosystem, Storm-1152 operated by providing hacking and cybercrime services to other individuals or groups. Under the guise of its “hotmailbox.me” service, the group created and sold approximately 750 million fraudulent Microsoft accounts, raking in millions in illicit revenue and causing substantial damage to Microsoft.

Microsoft detailed the operation as a sophisticated scheme utilizing internet bots to deceive Microsoft’s security systems. This involved hacking into and creating Outlook email accounts under fictitious user names, subsequently selling these fraudulent accounts to cybercriminals.

The group also offered CAPTCHA-solving services, including “1stCAPTCHA,” “AnyCAPTCHA,” and “NoneCAPTCHA.” These services were promoted as tools to bypass any type of CAPTCHA, allowing fraudsters to exploit online environments, not only Microsoft’s but also those of other enterprises.

Microsoft’s investigation uncovered that several ransomware and extortion groups, including the notorious Scattered Spider (Octo Tempest), had utilized Storm-1152’s services. Scattered Spider had previously been linked to attacks targeting Okta customers and claimed responsibility for the MGM Resorts attack, estimated to cost the company $100 million.

A court order obtained by Microsoft on December 7 revealed that Scattered Spider, in collaboration with Storm-1152, had executed massive ransomware attacks against flagship Microsoft customers, resulting in service disruptions and hundreds of millions of dollars in damages.

To counteract this threat, Microsoft announced the successful seizure of Storm-1152’s U.S.-based infrastructure and domains after obtaining a court order from the Southern District of New York. This included taking control of hotmailbox.me and disrupting services such as 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA. Social media accounts used by Storm-1152 for promoting these services were also targeted.

Microsoft has identified the individuals behind Storm-1152’s operations as Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam.

April Hogan-Burney, General Manager of Microsoft’s Digital Crimes Unit, emphasized the goal of deterring criminal behavior. She stated, “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”

Microsoft received assistance in this takedown from the San Francisco-based cybersecurity company, Arkose Labs, which had been tracking Storm-1152 since August 2021. Kevin Gosschalk, Founder and CEO of Arkose Labs, described Storm-1152 as a formidable foe operating in plain sight, offering training for its tools and even customer support while serving as an unlocked gateway to serious fraud.
