A group of three Vietnamese individuals is accused of creating and selling more than 750 million Microsoft accounts for use in fraud, illegally earning millions of dollars.
In a statement on the company blog on December 13, Microsoft said it had filed a complaint with US law enforcement against three individuals: Duong Dinh Tu, Linh Van Nguyen and Tai Van Nguyen. They were identified as living in Vietnam and as being behind an organization called Storm-1152.
The group specializes in providing resources for cyber fraud, including large numbers of online accounts from Microsoft's Hotmail and Outlook services. The group operates a website that sells accounts, several sites that sell tools to bypass Captcha codes, and several social media channels to advertise its services.
YouTube channel supporting the use of the group's services
Online accounts are an important resource for cyberattacks, experts say. Their large numbers can help cybercriminals automate their attacks, while also making it difficult for platforms to detect and block bad accounts.
"To date, Storm-1152 has created and sold approximately 750 million fraudulent Microsoft accounts, generating millions of dollars in illicit revenue for the group," Microsoft said in a statement. The group's actions have also made it more difficult and costly for Microsoft and other companies to fight cybercrime.
Storm-1152's services allow hacker groups to quickly acquire thousands of accounts, rather than having to create them themselves. "This allows criminals to focus on their primary goals of phishing, spam, ransomware, and other forms of fraud and abuse. Organizations like Storm-1152 help cybercriminals carry out their malicious activities more efficiently and effectively," Microsoft wrote.
According to the investigation, accounts that Storm-1152 provided to hackers have been found in many data theft and ransomware campaigns by groups such as Octo Tempest, and in several other campaigns since 2021.
Storm-1152 Group's Service Accused by Microsoft of Supporting Cybercrime
After the discovery, Microsoft's cybersecurity experts and a third party, Arkose Labs, conducted analysis, purchased the service, and used special techniques to identify the group behind it and its infrastructure. In addition to naming the individuals, Microsoft has seized the group's website domain under a US court order. A YouTube channel dedicated to instructions for using the service has also been renamed.
Kevin Gosschalk, CEO of Arkose Labs, said the danger of Storm-1152 lies in the fact that it acts like a regular Internet service provider and can easily be found in both the dark and the open areas of the Internet. The group's service is a gateway to serious cyberattacks.
This activity also violates Microsoft's terms of service, because it involves selling fraudulent accounts that "pretend" to be normal users in order to bypass the security measures of online services.
According to VnExpress