Arkose Labs provided intelligence insights to Microsoft to disrupt Storm-1152, allegedly one of the largest and most notorious cybercrime-as-a-service (CaaS) groups ever identified.
Cybercrime-as-a-Service (CaaS) organizations have fundamentally lowered the barriers to entry for attackers. These groups offer ready-made tools, including bots, infrastructure, and services such as CAPTCHA solvers, for conducting mass-scale cyber attacks. Storm-1152 was one of the most prolific of these operations.
Arkose Labs' Cyber Threat Intelligence Research (ACTIR) unit first detected Storm-1152 in August 2021. The group was located in Vietnam and was responsible for millions of attacks on Microsoft's platform. Over the following two years, ACTIR analysts tracked the group's infrastructure, methods, and evolution, ultimately providing the critical intelligence insights that enabled Microsoft's Digital Crimes Unit to take legal action.
ACTIR identified and helped mitigate millions of fraudulent account creation attempts targeting Microsoft's platform, attributed to Storm-1152 operatives.
Microsoft implemented Arkose Bot Manager to provide advanced risk profiling and targeted enforcement challenges against fraudulent account creation. The system deployed progressive friction to suspected bad actors while preserving the experience for legitimate users, making Storm-1152's operations increasingly expensive and inefficient to execute.
Armed with ACTIR's intelligence findings, Microsoft's Digital Crimes Unit secured court-authorized seizure of Storm-1152 affiliated websites and infrastructure. A criminal referral to law enforcement followed, resulting in one of the most significant disruptions of a CaaS operation on record. The takedown demonstrated how private sector threat intelligence can directly support legal action against cybercriminals.