Microsoft recently exposed a sophisticated cybercrime network accused of hijacking AI services to create and distribute harmful content. Known as LLMjacking, this operation involved unauthorized access to generative AI tools—including Microsoft's Azure OpenAI Service—to bypass safety protocols and generate offensive material.
Microsoft has been tracking this cybercriminal syndicate under the codename Storm-2139 and has now identified four key individuals allegedly at the heart of the scheme:
🔹 Arian Yadegarnia ("Fiz") – Iran
🔹 Alan Krysiak ("Drago") – United Kingdom
🔹 Ricky Yuen ("cg-dot") – Hong Kong, China
🔹 Phát Phùng Tấn ("Asakuri") – Vietnam
How the Attack Worked
According to Steven Masada, assistant general counsel for Microsoft's Digital Crimes Unit (DCU), Storm-2139 members scraped customer credentials from public sources to infiltrate AI-powered platforms. They then manipulated these services, reselling unauthorized access to cybercriminals and offering step-by-step guides on how to generate harmful and illicit content.
What was their aim? To override AI safety controls and mass-produce illegal synthetic content, including non-consensual deepfake images of celebrities and explicit material.
A Major Crackdown
Microsoft isn't just exposing these actors—it’s taking legal action. The company has already obtained a court order to seize a key website, "aitism[.]net," which played a pivotal role in Storm-2139’s criminal enterprise.
A Criminal Hierarchy
Storm-2139 operates in a structured three-tier system:
🔹 Creators – The masterminds who build illicit AI-abuse tools.
🔹 Providers – Individuals who modify and sell these tools at various price points.
🔹 End Users – Customers who use the tools to generate content violating Microsoft’s Acceptable Use Policy and Code of Conduct.
Microsoft has also flagged two additional actors based in the United States, whose names are being withheld pending potential criminal investigations. But that’s not all—the company has identified more than a dozen other individuals worldwide involved in this cyber scheme, including:
🔹 John Doe (DOE 2) – Likely in the U.S.
🔹 John Doe (DOE 3) ("Sekrit") – Austria
🔹 "Pepsi" – United States
🔹 "Pebble" – United States
🔹 "Dazz" – United Kingdom
🔹 "Jorge" – United States
🔹 "Jawajawaable" – Turkey
🔹 "1phlgm" – Russia
🔹 John Doe (DOE 8) – Argentina
🔹 John Doe (DOE 9) – Paraguay
🔹 John Doe (DOE 10) – Denmark
Fighting Back Against AI Misuse
Microsoft warns that AI-driven cybercrime is on the rise, requiring relentless monitoring and enforcement.
"Going after malicious actors requires persistence and ongoing vigilance," Masada emphasized. "By unmasking these individuals and shining a light on their malicious activities, Microsoft aims to set a precedent in the fight against AI technology misuse."
With cybercriminals evolving their tactics, the battle to protect AI services is far from over. Microsoft’s crackdown on Storm-2139 sends a clear message: AI abuse won’t go unchecked.
Here at Pyralink, we are ready to help your organization secure its defenses against such cybercriminals. Get in touch with us now so that we can secure your AI assets.