ACTIR
Intelligence that never sleeps.
A dedicated counterintelligence unit of threat hunters and data scientists operating around the world. Their mandate: find what’s coming before it reaches your platform.
Research that flows directly into defense
ACTIR intelligence doesn’t sit in a PDF. Every new attack pattern, fraud technique, and attacker profile discovered by the team flows directly into platform rules, challenge adaptations, and SOC enforcement.
What the data reveals about modern attackers
Original research from ACTIR, published quarterly. The numbers behind how fraud operates — attacker economics, scaling tactics, and emerging AI threats.
Original intelligence from ACTIR
Published quarterly and on-demand. Written by threat researchers, for security leaders.
Agentic AI Security Report
The gap between corporate readiness and the agentic AI threat. Surveyed 300 security leaders across Fortune 500 enterprises and global financial institutions.
Enterprises Under Attack
Dramatic shift in fraudster tactics. Larger-scale, precision-driven attacks. Foundational threats like fake accounts remain relentless. With benchmarks across industries.
Threat Actor Behavior
A year of scammer behavior data. How they operate, what they earn, where they come from, and how AI tools are turning attacks into scalable businesses.
Storm-1152. Taken down.
ACTIR partnered with Microsoft to dismantle one of the largest and most notorious cybercrime-as-a-service operations ever identified. Storm-1152 built and sold fake Microsoft accounts and tools to bypass identity verification — enabling fraud at industrial scale across hundreds of platforms.
ACTIR provided the threat intelligence. Microsoft took the legal action. The result: 750 million fake accounts disrupted and a major CaaS supply chain permanently dismantled.
Read the full story ›
How ACTIR operates
Seasoned threat researchers and data scientists. A sun-never-sets operating model. Four core disciplines that cover the full intelligence lifecycle.
Threat Hunting
Proactive identification of emerging attack patterns, fraud toolkits, and attacker infrastructure — before campaigns reach scale.
Risk Intelligence
Quantifying attacker economics, fraud-as-a-service pricing, and campaign ROI — turning behavior data into actionable intelligence.
Disarmament
Active disruption of threat actor infrastructure and operations — through platform enforcement, legal partnerships, and coordinated takedowns.
Virtual Enforcement
Converting research into real-time platform rules, challenge adaptations, and detection signatures that enforce against newly discovered threats.
A common language for modern cybercrime
Built for two specific classes of threat: volumetric and automated (malicious bots) and low-and-slow (human fraud farms). The framework ACTIR uses to brief customers, governments and partners.
- 01 Create a coherent vocabulary that enables understanding of various cyber menaces.
- 02 Stimulate and simplify knowledge sharing within the threat intelligence community.
- 03 Advance the effectiveness of threat intelligence analysis.
- 04 Inform proper countermeasures and aid in meaningful comparison of corrective strategies.
- 05 Facilitate clear communication with the broader world.
Five dimensions to articulate every threat
Every active threat ACTIR tracks can be located on this five-row grid — motivation, business model, delivery, attack type, attacker profile.
A shadow economy with four go-to-markets
Over the years a robust cybercrime economy has emerged, shadowing the legitimate global economy. ACTIR identifies four “business models” — plus Nation State as a non-revenue model focused on disruption.
Cybercrime-as-a-Service
A fully outsourced entity generating revenue from bad actors via subscription. Attacker-to-attacker model whose founders are entrepreneurial. Credential stuffing platforms, Phishing-as-a-Service, CAPTCHA solvers, fraud farm services.
Direct Attack Model
Cybercriminals who buy CaaS subscriptions and use the platforms to design and deploy their own automated attacks. Popular because it dramatically reduces an attacker’s time-to-attack.
Proprietary Attack Tech
Vertically integrated cybercriminal enterprises building a dynasty. Own tooling, own attacks and/or fraud farms, and often sell CaaS subscriptions on the side — monetizing both attack and toolkit.
Nation State Model
Not revenue-driven. Influence elections, take down critical infrastructure, disrupt NGOs and cause chaos, gain national secrets through espionage. ACTIR tracks but does not center on this model.
A naming system rooted in rock formations
Threat actor names are aligned to rock formations — the same earth-and-stone naming convention that gives Arkose Labs its name (“arkose” is itself a type of sedimentary rock). Each adversary is paired with an adjective that reflects a behavioral pattern, so security professionals know what they’re up against the moment they read the two-word name.
Cybercrime-as-a-Service: Outsourced platforms. Entrepreneurial founders. Subscribers buy in.
Direct Attack Model: CaaS subscribers running automated attacks against enterprises.
Proprietary Attack Tech: Vertically integrated dynasties — own tooling, own attacks, own sales.
Nation State Model: Disruption, influence, espionage — not revenue.
ACTIR first observed the threat actor group Boomerang Marble two years ago and shut it down. A determined group, it has returned with a whole new set of tactics — hence the name.
A shared language for security teams
The vocabulary security teams use to act fast and communicate clearly across attack types, profiles, and business models.
Credential Stuffing
Automated large-scale login attacks using breached username/password pairs against authentication endpoints.
Fake Account Creation
Bot-driven mass registration of synthetic identities to abuse promotions, commit fraud, or seed platforms.
AiTM Phishing
Adversary-in-the-middle reverse-proxy attacks that intercept MFA tokens and bypass authentication in real time.
Fraud Farms
Organized human-operated fraud networks that scale attacks with cheap labor, often across multiple geographies.
AI Agents
Autonomous LLM-powered bots that mimic legitimate user behavior, making detection by traditional methods unreliable.
Crime-as-a-Service
Platforms selling attack tools, fake accounts, and solver services — enabling non-technical actors to run sophisticated campaigns.
Recent News
ACTIR research consistently surfaces in mainstream cybersecurity reporting. A selection of recent coverage.
Storm-1152: A Continuing Battle Against Cybercrime
Joint disruption activity update covering 2024-2025 evolution of the Storm-1152 ecosystem.
The Register: Cybercrime operation that sold millions of fraudulent Microsoft accounts disrupted
Coverage of legal proceedings and indictments tied to the Storm-1152 disruption.
CyberScoop: Microsoft cracks down on group operating 'cybercrime-as-a-service'
Analysis of the cybercrime-as-a-service business model that Storm-1152 pioneered.
SC Magazine: Disrupting credentials marketplace, gift-card fraud, OAuth abuse
Technical breakdown of how ACTIR identified the OAuth abuse patterns.
Dark Reading: Microsoft disrupts cybercrime group behind 750M+ fake accounts
Industry impact assessment from one of the largest disruptions on record.
Stay ahead of what’s coming.
ACTIR research. Quarterly threat reports. Direct from the team tracking the world’s most sophisticated fraud operations.