Microsoft has announced the results of an investigation showing that an international group of cyber criminals has developed and used malicious tools to create celebrity deepfake videos and to produce and distribute a variety of illegal content online. According to Microsoft, this was an organized campaign that directly exploited generative AI services for profit and seriously violated privacy.

The individuals identified as being involved include Arian Yadegarnia (Iran, nicknamed “Fiz”), Alan Krysiak (United Kingdom, nicknamed “Drago”), Ricky Yuen (Hong Kong, nicknamed “cg-dot”) and Phung Tan (Vietnam, nicknamed “Asakuri”). These are believed to be key members of the global cybercriminal group Storm-2139.

According to Microsoft’s analysis, Storm-2139 used login credentials leaked in public sources to gain unauthorized access to user accounts on several generative AI platforms. Once inside, the group tampered with the services’ functions, altered how they operated, and then resold the access to third parties. They also gave customers detailed instructions on how to use these tools to create harmful content, including non-consensual intimate images of celebrities and illegal pornography.

The investigation revealed that Storm-2139 operated in a hierarchy of three main groups. The “creators” developed the tools for abusing generative AI. The “providers” modified, maintained, and distributed the illegal tools on the underground market. Finally, the “users” were the individuals who directly used these tools to create content that violates Microsoft’s policies, focused primarily on pornography and deepfakes of celebrities.

In response to this threat, Microsoft filed a lawsuit in the Eastern District Court of Virginia in December 2024 to gather more information and disrupt Storm-2139’s operations. After the suit was accepted, the court issued a temporary restraining order and preliminary injunction, allowing Microsoft to seize a key website in the group’s infrastructure. This move caused Storm-2139 members to become suspicious of one another, with some even emailing Microsoft’s legal team to shift the blame for the malicious activity onto others.

In addition, Microsoft identified two more individuals in the United States, in Illinois and Florida, but has not named them to avoid interfering with criminal investigations. The company said it is preparing to hand over all its records to law enforcement agencies in the U.S. and the other countries involved so that the case can be pursued under the law.