Microsoft has expanded its legal action against a cybercrime group accused of developing tools that bypass security measures in generative AI (GenAI) services. In an updated complaint, the company has publicly named several individuals allegedly responsible for creating and distributing these tools, which facilitated unauthorised access to AI systems.

The lawsuit was initially filed in December 2024 in the Eastern District of Virginia against unnamed individuals accused of violating US law and Microsoft’s policies. The company alleges that the cybercrime network, known as Storm-2139, obtained exposed customer credentials from public sources and used them to gain unauthorised access to GenAI services, including Microsoft’s Azure OpenAI.

Once inside the systems, members of the group allegedly altered AI capabilities and resold access to other individuals. Microsoft claims these tools allowed users to generate illicit content, including non-consensual intimate images of celebrities and other sexually explicit material. The company has stated that these activities were in direct violation of its terms of use and required deliberate efforts to bypass security safeguards. To prevent further dissemination of harmful content, Microsoft has withheld the names of affected individuals and has not included synthetic imagery or prompts in its legal filings.

The updated complaint identifies four individuals alleged to be key figures in Storm-2139. Microsoft has named Arian Yadegarnia from Iran, known online as “Fiz,” Alan Krysiak from the United Kingdom, referred to as “Drago,” Ricky Yuen from Hong Kong, China, using the alias “cg-dot,” and Phát Phùng Tấn from Vietnam, known as “Asakuri.” The company claims these individuals played central roles in developing and distributing the tools that enabled AI abuse.

According to Microsoft’s investigation, the cybercrime network operates in a structured manner, with three main roles. “Creators” are responsible for developing the software that allows AI systems to be manipulated. “Providers” modify and distribute these tools, often offering different levels of access in exchange for payment. “Users” apply the tools to generate synthetic content that violates Microsoft’s policies, with a focus on sexual imagery and celebrity deepfakes.

In addition to the four named individuals, Microsoft has identified two actors based in the US. However, their identities remain undisclosed due to potential ongoing criminal investigations.

Website seizure and disruption of operations

As part of the legal action, the court granted Microsoft a temporary restraining order and preliminary injunction, allowing the company to seize a website allegedly central to Storm-2139’s operations. This site was reportedly used to facilitate unauthorised access to Microsoft’s AI services and distribute tools for circumventing security controls.

The website’s seizure caused significant disruption within the group. Microsoft observed internal disputes among members, with some speculating on the identities of those named in the lawsuit while others attempted to shift responsibility. Discussions in private communication channels indicated growing concern among the group’s members about the potential legal consequences of their activities.

Following the unsealing of the legal filings in January, members of Storm-2139 allegedly doxed Microsoft’s legal representatives. Personal details, including names, addresses, and photographs of Microsoft’s counsel, were published in online forums. Doxing incidents have been linked to risks such as identity theft, harassment, and threats against individuals involved in legal proceedings.

In addition to the public exposure of personal information, Microsoft’s legal team received a series of emails, some of which were sent by individuals suspected of being part of Storm-2139. These messages reportedly contained attempts to shift blame onto other members of the cybercrime operation.

Microsoft has announced that it is preparing criminal referrals for both US and international law enforcement agencies. The legal action is based on multiple alleged violations, including the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act (RICO). The company is also pursuing claims under Virginia state law for trespass to chattels and tortious interference.
