Vietnam’s massive CAPTCHA crackers against Microsoft DCU


Earlier this month, Microsoft’s Digital Crimes Unit (DCU) was featured in a WIRED article by Lily Hay Newman on how the unit disrupts cybercrime. The article discusses in part MS-DCU’s case against the hackers it calls Storm-1152. According to DCU, Storm-1152 used its CAPTCHA-defeating capabilities to help other criminals mass-create Microsoft email accounts, such as Hotmail and Outlook accounts. How many? How about 750 MILLION email accounts created for illicit purposes! In the announcement regarding Storm-1152, DCU’s Amy Hogan-Burney discusses several of the websites run by the group, including Hotmailbox(.)me, 1stCAPTCHA(.)com, AnyCAPTCHA(.)com, and NoneCAPTCHA(.)com. (I don’t know about NoneCAPTCHA, but it seems to be just a redirect domain to 1stCAPTCHA.) Amy shares that the group is based in Vietnam and names three of its operators: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

Sample code is still on GitHub that illustrates how these massive CAPTCHA-solving services were used. For example, “CuongPhan1408” has a 1stCaptcha client written in Go, and his code shows examples of solving CAPTCHAs for Discord account creation using “HCaptchaTaskProxyless” and of using “FunCaptchaTaskProxyless” to defeat Microsoft Live signups. FunCaptcha is the challenge created by Arkose Labs and currently used by Microsoft to confirm that email accounts are only created by humans.

GitHub user HecTran12 shares code that links to the 1stcaptcha(.)com website, now seized by Microsoft, which previously could be installed with “pip install 1stcaptcha.” HecTran12’s FunCaptcha example solves Outlook(.)com CAPTCHAs to create new Outlook accounts.

GitHub user “Xtekky” shares his AnyCaptcha(.)com-based project called “Outlook Gen”, Python code that links to Microsoft’s seized website “AnyCaptcha(.)com” to create Outlook accounts in volume. The repository has 45 stars and 15 forks on GitHub.

Clearly, the USERS of Outlook Gen, judging by the forks, included many people from many parts of the world. Xtekky offers many interesting tools on his Telegram and Discord channels, including “tools” for generating views and likes on TikTok using bots. He demonstrates this by sharing a “Why so many likes?” video on his TikTok which has been liked 912,400 times. That relies on his TikTok Slider CAPTCHA Solver, which he claims has 100% accuracy in beating TikTok’s CAPTCHA. Xtekky also has a Discord “Question-Based” CAPTCHA Solver, which uses OpenAI’s ChatGPT to read the questions and provide answers.

With three major CAPTCHA-solving services removed by Microsoft, what’s replacing them? Based on a review of new features and forks from GitHub users who starred the old projects, the likely leader is the Russia-based “AntiCaptchaOfficial”. It claims to solve images with text, reCAPTCHA v2/v3 (Enterprise or non-Enterprise), FunCaptcha (Arkose Labs), GeeTest, and hCaptcha (Enterprise or non-Enterprise), and currently charges average rates of $0.0005 per CAPTCHA solved. That would be 2,000 account creations per dollar.

Microsoft thanks Arkose Labs for its help in investigating the Storm-1152 case, but according to the statistics page on “anti-Captcha(.)com”, that site is currently solving over 10,000 Arkose Labs CAPTCHAs per minute. Only reCAPTCHA v2 is cracked more often (currently more than 19,000 per minute). Arkose should be happy to know that its CAPTCHA is one of the most expensive to solve: Anti-Captcha currently charges $3 per 1,000. Their website claims to help underprivileged workers around the world.

“With your help, they now have the choice between working in toxic conditions in a factory or on a computer.”

Their stories don’t seem to say, “Rather than working in a toxic factory, I help cybercriminals commit fraud and theft by creating fake accounts on Outlook, Google, TikTok, Discord and more.”