Cybercrime Group in Vietnam Enables Massive Fraudulent Signups

A wave of fraudulent account registrations to a cybercrime ecosystem operating out of Vietnam.

These fake accounts are not just spam; they underpin large-scale financial fraud, phishing, and interpersonal scams that erode trust in online platforms.

Attackers scripted mass “puppet” signups on victim services, triggered SMS messages to premium-rate numbers, and then monetized the telecom charges. This is especially costly for organizations that use SMS for account verification or MFA codes.

In late 2025, Okta tracked a cluster dubbed O-UNC-036 abusing disposable email domains to run SMS pumping, also known as International Revenue Sharing Fraud (IRSF).

During this investigation, Okta uncovered links from O-UNC-036 to dozens of “cybercrime‑as‑a‑service” (CaaS) websites hosted in Vietnam.

Large-scale digital fraud operation

These sites sell hijacked or automatically created accounts, infrastructure for automation, and tools to evade detection, lowering the technical barrier for would‑be fraudsters.

Our insight into the fraudulent activity started with a set of disposable email domains used by O-UNC-036.

Marketplaces such as Via17[.]com resell social media accounts at scale, including Vietnamese Facebook profiles with friends and two-factor authentication enabled for a few dollars each.

Fraudulent accounts are then reused for spam, phishing, review manipulation, sniping limited products like concert tickets, and abusing free trials, steadily degrading the user experience on targeted platforms.

A core enabler is the MMO (“Make Money Online”) web design ecosystem centered on CMSNT[.]co, a Vietnam-based company selling templates for digital account shops and social media boosting services.

Templates commonly advertise account inventories across email providers, gaming platforms, social networks, and even AI tools, while Social Media Marketing Panel templates claim to use “AI technology” to simulate real user behavior without passwords.

Via17[.]com sells session tokens (also referred to as “cookies”) as part of some fake account offerings.

Although CMSNT[.]co itself is not proven to sell stolen accounts, leaked source code for its templates has been reused by third parties to operate illicit marketplaces.

Disposable emails and session tokens

According to Okta’s analysis, some accounts appear to come from brute-force attacks or logs stolen by infostealer malware that capture credentials, card data, and crypto wallets from infected devices.

A section of the front page of the site advertises Facebook accounts that have Thai or “foreign” names that are linked to disposable email addresses from a service called mailclone[.]site.

Via17[.]com and similar shops bundle credentials with recovery email addresses, 2FA access, and session tokens (“cookies”) that allow buyers to hijack sessions without knowing the actual password.​

Disposable email services like mailclone[.]site and temp-mail[.]io play a key role in scaling registrations, providing short-lived inboxes that exist just long enough to receive verification codes.

Okta observed suspicious spikes in signups from clusters of such domains, then traced them back to a web of Vietnam-hosted storefronts selling accounts and automation.

For defenders, blocking fraudulent registrations requires balancing security against user friction, recognizing that some customers legitimately rely on email masking or forwarding.

Okta recommends combining IP reputation, behavioral analysis, disposable-domain blocklists, and automated workflows to detect and deactivate large batches of fake accounts before they can be weaponized.

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.