Microsoft said a Vietnamese cybercrime group cracked its CAPTCHA process

A U.S. court allowed Microsoft to seize several websites it said belonged to a Vietnamese operation that allegedly sold hundreds of millions of fake Microsoft accounts, an unusual step in the ongoing fight against online fraud and cybercrime.

Microsoft said in a blog post on Wednesday that the group operated at least four websites that were seized.

One site tied to the operation, Hotmailbox, was a popular source for buying fake accounts in bulk on Hotmail, the email service owned by Microsoft. Microsoft said Hotmailbox frequently sold those accounts to cybercriminals.

Microsoft’s decision to sue for control of the site was in large part motivated by its inability to figure out how the scheme’s operators were so good at automating the CAPTCHA process, which is designed to stop automated bots from repeatedly creating new accounts, according to Amy Hogan-Burney, head of Microsoft’s digital crimes unit.

“They are using tools that allow them to defeat CAPTCHA at scale. They are able to create a high volume of accounts that can appear to be, for a period of time, legitimate,” Hogan-Burney said in a video interview.

The alleged fraudsters behind the operation have figured out a way to make “a bot that actually solves the puzzle,” and sold around 750 million fake accounts, she said.

“I really want that discovery,” Hogan-Burney said. “I want to know what’s going on here, because that’ll actually make our products and services better.”

Microsoft has spent tens of millions of dollars fighting bot abuse of its services and trying to ensure that only humans can create new accounts, it said in the complaint, filed Dec. 7 in federal court in the Southern District of New York.

Before the order was unsealed, the Hotmailbox site, viewed by NBC News, offered thousands of email accounts for sale in bulk, often for a fraction of a cent each. It accepted payment in cryptocurrency, via the Russian online payment system WebMoney, or via Vietcombank, a major Vietnamese bank. The site has since been replaced with a message from Microsoft that begins “This Domain has been seized by Microsoft.”

Among Hotmailbox’s many customers is a loose community of cybercriminals whose members include the handful of young men who initially hacked two major Las Vegas casinos and resorts, MGM Resorts and Caesars Entertainment, in September, Microsoft’s complaint said.

Hotmailbox had used the San Francisco company Cloudflare as its transit provider. Two other web hosting companies hosted the operation’s web infrastructure. The order instructing the companies to surrender the website was unsealed on Wednesday.

A Cloudflare spokesperson said in an emailed statement: “We are pleased to have been able to help Microsoft disrupt potential cybercrime activities.” It’s not known when Cloudflare first became aware of the website and its offerings.

Microsoft also named three Vietnamese nationals in its suit who it says ran the operation. None of them responded to emailed requests for comment. A spokesperson for Vietnam’s Ministry of Foreign Affairs didn’t respond to a request for comment.

The U.S. court system has previously facilitated Microsoft’s takeover of fraudulent sites. In 2020, Microsoft seized domains related to Covid-19 cybercrime, and in 2021 it seized websites belonging to a Chinese hacking group.

CORRECTION (Dec. 18 2023, 1:00 p.m. ET): A previous version of this article misstated the working relationship between Cloudflare and Hotmailbox. Cloudflare was its transit provider, not web hosting provider.