Microsoft names alleged credential-snatching 'Azure Abuse Enterprise' operators

Crew helped lowlifes generate X-rated celeb deepfakes using Redmond's OpenAI-powered cloud – claim


Microsoft has named four of the ten people it is suing for allegedly snatching Azure cloud credentials and developing tools to bypass safety guardrails in its generative AI services – ultimately to generate deepfake smut videos of celebrities and others.

Redmond filed a civil lawsuit in Virginia in December 2024 against the so-called "Azure Abuse Enterprise" crew. At the time, none of the accused were named.

It is alleged the gang used API keys accidentally leaked from "multiple" Microsoft customers to improperly access the IT giant's Azure OpenAI service. The crew then allegedly resold access to this cloud service to other miscreants, and offered detailed instructions and tools to help their clients use Redmond's generative AI to produce the aforementioned harmful and sexually explicit material.


Upon filing the US federal-level lawsuit, Microsoft also obtained a court order allowing it to seize web domains used by the operation. The software giant said the seizures would help it "gather crucial evidence about the individuals behind these operations, to decipher how these services are monetized, and to disrupt additional technical infrastructure we find."

That effort appears to have worked, as Microsoft on Thursday this week filed an amended legal complaint [PDF] that names four of the ten accused: Arian Yadegarnia aka "Fiz" of Iran; Alan Krysiak aka "Drago" of the United Kingdom; Ricky Yuen aka "cg-dot" of Hong Kong; and Phát Phùng Tấn aka "Asakuri" of Vietnam.

Yadegarnia's identity, according to court filings [PDF], was at least partially disclosed in a January 11 4chan post when an anonymous user discussed the real name of "Fiz."

While the Windows giant has only named four of the alleged crooks, it claims to have identified more of them, including two located in the United States.

"Those identities remain undisclosed to avoid interfering with potential criminal investigations," wrote Steven Masada, assistant general counsel for Microsoft's Digital Crimes Unit.

However, Microsoft’s court filings state a suspect who lives in Illinois goes by the moniker "Khanon" and created software for running a reverse proxy service used to operate the Azure Abuse Enterprise.

"Microsoft is preparing criminal referrals to United States and foreign law enforcement representatives," Masada added.

The four named defendants are allegedly part of a gang that Microsoft otherwise tracks as Storm-2139.

The organization is made up of three types of individuals: creators, who develop illicit AI generation tools; providers, who modify and supply the tools to end users; and end users, who use the software to generate content that violates Microsoft's policies, much of it centered around celebrities and sexual images.

The other yet-to-be-named criminals live in the US, UK, Austria, Turkey, and Russia.

The lawsuit also alleges additional end users reside in Argentina, Paraguay, and Denmark, and "appear to have used the Azure Abuse Enterprises' technology and services to generate content that is not specifically in violation of Microsoft's terms of use." In other words: They knowingly gained unauthorized access to Microsoft's AI tools and used these services without paying for them, but didn't use them to create harmful content, it is claimed.

Overall, as Microsoft put it in a statement:

Members of Storm-2139 exploited exposed customer credentials scraped from public sources to unlawfully access accounts with certain generative AI services. They then altered the capabilities of these services and resold access to other malicious actors, providing detailed instructions on how to generate harmful and illicit content, including non-consensual intimate images of celebrities and other sexually explicit content.

While monitoring 4chan and other communications platforms used by Storm-2139 helped Microsoft finger some of the suspected crooks, it also saw members of the notorious site post personal information about some of Microsoft's attorneys, it is claimed.

That doxxing effort may have backfired, as Masada wrote that after Microsoft lawyers' details were published online, they “received a variety of emails, including several from suspected members of Storm-2139 attempting to cast blame on other members of the operation.”

The Windows giant is seeking court orders banning the misuse of its services, damages, and more. ®
