Disrupting the Gateway Services to Cybercrime

4 min Read
Arkose Labs Teams with Microsoft and Law Enforcement to Takedown First Cybercrime-as-a-Service Threat Actor Group

Microsoft, with threat intelligence insights from Arkose Labs, is disrupting a cybercriminal ring headquartered in Vietnam. This group built and sold tools to bypass enterprises’ security controls and created hundreds of millions of phony online accounts used to defraud consumers and enterprises

SAN MATEO, Calif. (December 13, 2023) – Arkose Labs, the global leader in bot management and online account security, today announced that threat intelligence from the company was provided to support Microsoft in the disruption of an alleged threat actor group that built viable cybercrime-as-a-service (CaaS) businesses. Dubbed Storm-1152 by Microsoft, the group bilked enterprises and consumers globally out of millions of dollars. 

Cybercrime-as-a-service is a model where adversaries with superior technical, developer skills build attack tools, like automated bots, to sell to other fraudsters who may not be as technically adept, increasing the opportunity and reach for cybercrime and fraud. CaaS businesses encourage and enable more people to commit fraud at a volume and velocity that can overwhelm even experienced internal security operation center (SOC) teams. CaaS is in part responsible for the 167 percent increase in bot attacks this year, according to Arkose Labs’ latest threat landscape analysis

“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” said Kevin Gosschalk, founder and CEO, Arkose Labs. “The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet going-concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”

The group’s CaaS business initially sold fraudsters ready-made, rote solver services for CAPTCHAs, which are the most effective security technology solutions to distinguish malicious bot attacks from genuine human consumers’ activities. Storm-1152 promoted that its solvers could bypass any type of CAPTCHA, enabling fraudsters to abuse the online environments of Microsoft and enterprises in other industries. It later pivoted its business model, deploying bots to register phony Microsoft accounts using fictitious usernames and then selling the fake accounts in bulk to other fraudsters so that they could use the accounts for a wide variety of online attacks, like phishing, malware, romance scams, in-product abuse, etc. Storm-1152 earned millions of dollars through these illicit activities, which are predicate offenses to financial crimes like money laundering.  

The Arkose Cyber Threat Intelligence Research (ACTIR) unit first detected Storm-1152 in August 2021, pinpointing its whereabouts to Vietnam. “I’m incredibly proud of our threat intelligence team,” said Arkose Labs Chief Customer Officer Patrice Boffa. “ACTIR observed anomalies in Microsoft account-creation traffic, including the creation of accounts at a scale so large, fast, and efficient that it could have only been carried out through automated, machine-learning technology versus human actions. ACTIR then collaborated with our product team to enhance our solutions to run up Storm-1152’s attack effort, thus the cost.” 

“No disruption is a one and done,” said Amy Hogan-Burney, Associate General Counsel, Cybersecurity Policy & Protection. “While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.

Going after cybercrime therefore requires persistence, collaboration and ongoing vigilance to disrupt new malicious infrastructure.” 

Refer to Microsoft’s blog and Arkose Labs’ blog for detailed information about Storm-1152.

Microsoft and Arkose Labs have a long-standing relationship. Microsoft is an Arkose Labs customer, protecting its online platform with the Arkose Bot Manager defense service.


Arkose Cyber Threat Intelligence Research (ACTIR) is Arkose Labs’ dedicated counterintelligence unit. Its mandate is focused on threat hunting, risk intelligence, disarmament, and virtual enforcement. The unit is composed of seasoned threat researchers and data scientists, located around the world, enabling the team to take a “sun-never-sets” approach to threat detection and mitigation. ACTIR plays a pivotal role in keeping the biggest enterprises in the world safe from bot incursions, fraud farms, and hybrid automated attacks. 

About Arkose Labs

The mission of Arkose Labs is to create an online environment where all consumers are protected from spam and abuse. Recognized by G2 as the 2023 Leader in Bot Detection and Mitigation, with a high score in customer satisfaction and the largest market presence six quarters running, Arkose Labs offers the world’s first $1M warranties for credential stuffing, SMS toll fraud, and card testing. With 20% of our customers being Fortune 500 companies, our AI-powered platform combines powerful risk assessments with dynamic threat response to undermine the strategy of attack, all while improving good user throughput. Headquartered in San Mateo, CA, with offices in Argentina, Australia, Costa Rica, India, and the U.K., Arkose Labs protects enterprises from cybercrime and abuse. For daily insights pertinent to the shifting threat landscape, follow the company on LinkedIn.


Jean Creech Avent

Global Head of Brand and Communications

Arkose Labs

[email protected]

+1 843-986-8229

Share Now