Threat Research

Vietnam’s Massive CAPTCHA crackers vs. Microsoft DCU

Securonix

Microsoft’s DCU exposed a Vietnam-based group, Storm-1152, that used CAPTCHA-solving tools to automate massive creation of Microsoft email accounts (Hotmail/Outlook), potentially totaling hundreds of millions of accounts. The operation leverages multiple CAPTCHA services and GitHub-based code to bypass protections, with operators and infrastructure named in DCU’s briefing. #Storm-1152 #Microsoft #Outlook #Hotmailbox #1stCAPTCHA #AnyCAPTCHA #ArkoseLabs #AntiCaptchaOfficial #Vietnam

Keypoints

  • Storm-1152 is described as CAPTCHA-cracking capable and used to fuel mass creation of Microsoft email accounts (Hotmail/Outlook).
  • The group is based in Vietnam, with operators named as Duong Dinh Tu, Linh Van Nguyễn (Nguyễn Van Linh), and Tai Van Nguyen.
  • Associated web properties include Hotmailbox.me, 1stCAPTCHA.com, AnyCAPTCHA.com, and NoneCAPTCHA.com.
  • GitHub code and users (CuongPhan1408, HecTran12, Xtekky) illustrate how CAPTCHA solvers were used to automate Outlook/Discord signups and other accounts, leveraging HCaptchaTaskProxyless and FunCaptchaTaskProxyless.
  • FunCaptcha (Arkose Labs) is used by Microsoft to validate human signups, while AntiCaptchaOfficial positions as a major CAPTCHA-solver provider; Arkose Labs is noted as expensive to crack.
  • The activity highlights a shift toward scalable, bot-driven account creation and the leveraging of public tools and services to sustain illicit onboarding on major platforms.

MITRE Techniques

  • [T1136] Create Account – CAPTCHA-cracking capabilities to assist other criminals in the massive creation of Microsoft email accounts. Quote: “…CAPTCHA-cracking capabilities to assist other criminals in the massive creation of Microsoft email accounts…”
  • [T1583] Acquire Infrastructure – The group runs websites that function as part of their operation to create and manage accounts, e.g., Hotmailbox.me, 1stCAPTCHA.com, AnyCAPTCHA.com, NoneCAPTCHA.com. Quote: “the group is based in Vietnam and names three of their operators…”

Indicators of Compromise

  • [Domain] hotmailbox.me – example domain used for CAPTCHA-assisted account creation
  • [Domain] 1stCAPTCHA.com – example domain used for CAPTCHA solving services
  • [Domain] AnyCAPTCHA.com – example domain used for CAPTCHA solving services
  • [Domain] NoneCAPTCHA.com – example domain used for CAPTCHA solving services

Read more: https://garwarner.blogspot.com/2023/12/vietnams-massive-captcha-crackers-vs.html

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint