Microsoft has named multiple threat actors who are part of a cybercrime gang accused of developing malicious tools capable of bypassing generative AI guardrails to generate celebrity deepfakes and other illicit content.
An updated complaint identifies the individuals as Arian Yadegarnia from Iran (aka ‘Fiz’), Alan Krysiak of the United Kingdom (aka ‘Drago’), Ricky Yuen from Hong Kong, China (aka ‘cg-dot’), and Phát Phùng Tấn of Vietnam (aka ‘Asakuri’).
As the company explained today, these threat actors are key members of a global cybercrime gang that it tracks as Storm-2139.
“Members of Storm-2139 exploited exposed customer credentials scraped from public sources to unlawfully access accounts with certain generative AI services,” said Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit.
“They then altered the capabilities of these services and resold access to other malicious actors, providing detailed instructions on how to generate harmful and illicit content, including non-consensual intimate images of celebrities and other sexually explicit content.”
Microsoft found during the investigation that the Storm-2139 crime network is organized into three categories: creators, providers, and users.
Creators developed the tools that facilitated the misuse of AI-generated services, while providers adapted and distributed these illicit tools to end users, who employed them to generate content violating Microsoft’s Acceptable Use Policy and Code of Conduct. That content was frequently focused on sexual imagery and celebrities.

Today’s update follows the company’s lawsuit filed in the Eastern District of Virginia in December 2024 to collect more information on the cybercrime ring’s operations.
A temporary restraining order and preliminary injunction issued after the initial filing allowed Microsoft to disrupt the group’s ability to use its services illegally by seizing a key website that was part of the criminal ring’s infrastructure.
Microsoft added that the seizure caused Storm-2139 members to turn on each other and speculate about who the “John Does” in the filings were. Microsoft’s legal team also received multiple emails, including from several suspected members of Storm-2139 who blamed others in the operation for the malicious activity.
“We are pursuing this legal action now against identified defendants to stop their conduct, to continue to dismantle their illicit operation, and to deter others intent on weaponizing our AI technology,” Masada added today.
“While we have identified two actors located in the United States—specifically, in Illinois and Florida—those identities remain undisclosed to avoid interfering with potential criminal investigations. Microsoft is preparing criminal referrals to United States and foreign law enforcement representatives.”