Skip links

Microsoft seizes websites used to sell phony email accounts to Scattered Spider and other crims

Microsoft has taken down US-based infrastructure and websites used by a cybercrime group to sell fraudulent online accounts to other crooks including Scattered Spider, the infamous social-engineering and extortion crew that hacked two Las Vegas casinos over the summer.

The gang, Storm-1152, is the “number one seller and creator of fraudulent Microsoft accounts” and has listed for sale 750 million of these, according to  Amy Hogan-Burney, Microsoft’s associate general counsel for cybersecurity policy and protection.

This, in turn, has earned Storm-1152 “millions of dollars” in ill-gotten gains, while costing Microsoft customers even more money.

Microsoft obtained a court order on December 7 to seize US-based infrastructure and remove websites used by the gang after convincing a judge that these sites represented unauthorized use of Microsoft trademarks and pose ongoing harm to Redmond, its customers and the general public.

Specifically, the seized websites include:, which sold fraudulent Microsoft Outlook accounts; 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, which sold CAPTCHA-solving tokens for use across various platforms; and social media sites used to advertise these illegal services.

The three individuals named in court documents as the criminal gang’s leaders, Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, are all based in Vietnam. Redmond says the trio operated and wrote the code for the illicit websites, published videos on how to use their products, and provided online chat services to help their “customers” — aka other miscreants who used Storm-1152’s products for phishing expeditions and ransomware infections.

And they didn’t just victimize Microsoft, they also injured other tech companies including Google and X/Twitter by selling CAPTCHA-defeating bots, the court documents alleged.  

Scattered Spider (aka Octo Tempest) is one of Storm-1152’s clients that used these phony Microsoft Outlook email accounts in other types of cybercrime. 

“This evidence also shows that Octo Tempest recently committed massive ransomware attacks against flagship Microsoft customers that infected the computer systems of those customers with ransomware which disabled critical operational systems, resulting in service disruptions that inflicted hundreds of millions of dollars of damage,” the criminal complaint says.

While the court documents don’t name the customers, in early September this crime gang broke into the networks of Caesars Entertainment and MGM Resorts and demanded ransoms from both hotel and casino giants. Caesars reportedly paid $15 million. MGM did not pay a ransom but has said the nearly week-long system outages and disrupted operations resulting from the digital intrusion cost it about $100 million. ®