
Microsoft has revealed the identities of developers involved in a scheme to create and distribute malicious AI tools used for generating celebrity deepfakes. According to a legal filing released Thursday, four foreign and two U.S. developers illegally accessed and modified generative AI services, including Microsoft’s Azure OpenAI services, to produce harmful content.
The lawsuit, originally filed in December in a Virginia federal court and unsealed in January, details how the developers reconfigured these AI tools to create “non-consensual intimate images of celebrities and other sexually explicit content.” Microsoft has chosen not to disclose the names of the celebrities involved to protect their privacy. In a published blog post, the company stated that it also “excluded synthetic imagery and prompts from our filings to prevent the further circulation of harmful content.”
The developers are reportedly part of a “global cybercrime network” identified by Microsoft as Storm-2139. Of the six individuals named, two U.S.-based developers are located in Illinois and Florida; their names have been withheld due to ongoing criminal investigations. The four foreign developers are Arian Yadegarnia (Iran), Alan Krysiak (UK), Ricky Yuen (Hong Kong), and Phát Phùng Tấn (Vietnam).
Microsoft is preparing criminal referrals to law enforcement agencies in the U.S. and internationally. The report indicates that Storm-2139 “exploited exposed customer credentials scraped from public sources” to gain access to the AI services.
Following Microsoft’s initial filing, the court issued a temporary restraining order and preliminary injunction, leading to the seizure of a website linked to Storm-2139. Steven Masada, Assistant General Counsel for Microsoft’s Digital Crimes Unit, noted that the seizure “generated an immediate reaction from actors, in some cases causing group members to turn on and point fingers at one another.”
As details of the lawsuit became more widely known, participants in the cybercrime network doxed Microsoft lawyers, sharing their personal information and photographs. However, this action ultimately backfired. Some suspected members of Storm-2139 contacted Microsoft, attempting to shift blame to other group members.
The six individuals mentioned in the blog post are among 10 “John Does” listed in the original complaint, Microsoft said.