Microsoft has identified an international cybercriminal network that was able to bypass the protections of generative AI services to create malicious content, including sensitive celebrity photos and other pornography.

Hackers collected service credentials from public sources and used them to access generative AI services, including Microsoft's Azure OpenAI.

They then modify the capabilities of the AI ​​products and sell access to other criminal gangs, instructing them on how to create malicious content.

hacker d3sign/Moment RF
Microsoft publicly revealed 4 hackers selling tools to "overcome" the AI ​​service. Photo: d3sign/Moment RF

According to Microsoft, these individuals are: Arian Yadegarnia (alias Fiz) from Iran, Alan Krysiak (Drago) from the UK, Ricky Yuen (cg-dot) from Hong Kong (China) and Phat Phung Tan (Asakuri) from Vietnam.

All four are accused of belonging to the Storm-2139 cybercrime network. Two other individuals are from the United States, but Microsoft has not disclosed their identities to protect the investigation.

Microsoft says Storm-2139 is organized into three main groups: creators, vendors, and end users. Creators create illegal tools to abuse the generative AI service; vendors then modify and offer them to end users at different prices and services; and finally, users use the tools to create malicious content, often revolving around porn stars and images.

The information was released by Microsoft as concerns grow about the misuse of generative AI to create fake images of both celebrities and ordinary people, as well as child pornography.

Companies like Microsoft and OpenAI ban these practices and take technical measures to prevent them, but hacker groups like the one above still find ways to “get around the rules.”

According to Steven Masada, assistant general counsel of Microsoft's Digital Crimes Unit (DCU), they recognize the serious and lasting impact that abusive imagery has on victims.

The company is committed to protecting users by embedding AI safety measures in the platform and protecting the service against illegal and harmful content.

In December 2024, DCU filed a lawsuit in the Eastern District of Virginia (USA) against 10 unidentified individuals who engaged in activities that violated US law and Microsoft policies.

The court issued a temporary restraining order and a preliminary injunction, allowing Microsoft to seize a website used for criminal activity, disrupting the group's ability to operate.

Notably, after this action, some members suspected of belonging to Storm-2139 emailed Microsoft advisors and blamed each other.

“This response underscores the impact of Microsoft’s legal actions and demonstrates how measures can effectively disrupt cybercriminal networks by seizing infrastructure and creating a strong deterrent effect on members,” Microsoft wrote in a blog post on February 27.

(According to Microsoft, Bloomberg)