// ARKOSE LABS RESEARCH

ACTIR

Intelligence that never sleeps.

Arkose Cyber Threat Intelligence Research

A dedicated counterintelligence unit of threat hunters and data scientists operating around the world. Their mandate: find what’s coming before it reaches your platform.

Threat Hunting · Risk Intelligence · Disarmament · Virtual Enforcement
// Sun-never-sets coverage
// HOW ACTIR WORKS

Research that flows directly into defense

ACTIR intelligence doesn’t sit in a PDF. Every new attack pattern, fraud technique, and attacker profile discovered by the team flows directly into platform rules, challenge adaptations, and SOC enforcement.

Threat hunters find it first
ACTIR researchers monitor attacker forums, track fraud-as-a-service platforms, and reverse-engineer new attack toolkits before they reach scale.
SOC converts research into rules
New signatures, detection rules, and challenge adaptations are deployed to the platform within hours of a discovery — not days or release cycles.
Every customer is protected instantly
New patterns propagate across the Global Intelligence Network in real time. When a new attack hits one customer, all customers are protected within minutes.
Attack data enriches the next cycle
Every blocked attack generates new attacker telemetry — feeding back into ACTIR research and continuously strengthening the platform’s intelligence.
// ACTIR INTELLIGENCE — KEY FINDINGS

What the data reveals about modern attackers

Original research from ACTIR, published quarterly. The numbers behind how fraud operates — attacker economics, scaling tactics, and emerging AI threats.

20%
Surge in malicious traffic from Q1 to Q2 2025 — attackers scaling operations faster than ever across industries.
// Enterprises Under Attack · Q3 2025
36%
Of all attacks now use automation services — up from 31% in a single quarter as orchestrated threats become more accessible.
// Enterprises Under Attack · Q3 2025
$145K
Average annual earnings for a single bad actor targeting just five gaming platforms with account takeover scams.
// Threat Actor Behavior Analysis · 2025
309%
Spike in sign-up attacks as fraudsters industrialize fake account creation using AI-powered tools at scale.
// Threat Actor Behavior Analysis · 2025
97%
Of enterprise leaders expect a material AI-agent-driven security or fraud incident within the next 12 months.
// Agentic AI Security Report · 2026
6%
Of defense budgets currently allocated to agentic AI threats — despite 97% expecting an imminent incident.
// Agentic AI Security Report · 2026
12%
Growth in average attack size — more attacks, bigger attacks, more aggressive scale than any prior period.
// Enterprises Under Attack · Q3 2025
750M
Fake accounts disrupted through ACTIR’s collaboration with Microsoft in the Storm-1152 takedown operation.
// Storm-1152 · Operation Report
// CLASSIFIED
STORM-1152
CYBERCRIME-AS-A-SERVICE · DISMANTLED
750M+ ACCOUNTS · MS JOINT OP
// CASE STUDY
Storm-1152: Disruption of Cybercrime-as-a-Service
Microsoft + ACTIR jointly disrupted Storm-1152, an Egypt-based operation that sold 750M+ fraudulent Microsoft accounts to ransomware crews and phishing kits.
// THREAT ACTOR
GREASY OPAL
CAPTCHA SOLVER COLLECTIVE · ACTIVE
CZ ORIGIN · 18-MONTH TRACKING
// THREAT ACTOR DOSSIER
Greasy Opal
A Czech-based developer collective behind the most prolific CAPTCHA-solving toolchain seen in the wild. ACTIR tracked their tooling through 18 months of evolution.
★ ACTIR OPERATION

Storm-1152. Taken down.

ACTIR partnered with Microsoft to dismantle one of the largest and most notorious cybercrime-as-a-service operations ever identified. Storm-1152 built and sold fake Microsoft accounts and tools to bypass identity verification — enabling fraud at industrial scale across hundreds of platforms.

ACTIR provided the threat intelligence. Microsoft took the legal action. The result: 750 million fake accounts disrupted and a major CaaS supply chain permanently dismantled.

Read the full story
750M
Fake accounts disrupted
CaaS
Criminal supply chain dismantled
Legal
Action coordinated with Microsoft
MS
Microsoft Partnership
ACTIR provided threat intelligence enabling Microsoft’s Digital Crimes Unit to take civil and criminal legal action against Storm-1152 operators.
ACTIR
Counterintelligence Unit
Threat hunters tracked Storm-1152’s infrastructure, tooling, and operator profiles — building the intelligence case that made the takedown possible.
// RESEARCH METHODOLOGY

How ACTIR operates

Seasoned threat researchers and data scientists. A sun-never-sets operating model. Four core disciplines that cover the full intelligence lifecycle.

Threat Hunting

Proactive identification of emerging attack patterns, fraud toolkits, and attacker infrastructure — before campaigns reach scale.

Risk Intelligence

Quantifying attacker economics, fraud-as-a-service pricing, and campaign ROI — turning behavior data into actionable intelligence.

Disarmament

Active disruption of threat actor infrastructure and operations — through platform enforcement, legal partnerships, and coordinated takedowns.

Virtual Enforcement

Converting research into real-time platform rules, challenge adaptations, and detection signatures that enforce against newly discovered threats.

// THREAT RESEARCH TAXONOMY

A common language for modern cybercrime

Built for two specific classes of threat: volumetric and automated (malicious bots) and low-and-slow (human fraud farms). The framework ACTIR uses to brief customers, governments and partners.

// FIVE GOALS OF A THREAT RESEARCH TAXONOMY
  1. Create a coherent vocabulary that enables understanding of various cyber menaces.
  2. Stimulate and simplify knowledge sharing within the threat intelligence community.
  3. Advance the effectiveness of threat intelligence analysis.
  4. Inform proper countermeasures and aid in meaningful comparison of corrective strategies.
  5. Facilitate clear communication with the broader world.
// THE TAXONOMY FRAMEWORK

Five dimensions to articulate every threat

Every active threat ACTIR tracks can be located on this five-row grid — motivation, business model, delivery, attack type, attacker profile.

Motivation
Financial Theft · Thrill / Ego · Political · Disinformation · Corporate Espionage
Business Model
Cybercrime-as-a-Service · Direct Attack · Proprietary Attack Tech · Nation State
Attack Delivery
Advanced Bots · Basic Bots · Human Fraud Farms · Mobile Device Farms · Hybrid
Attack Type
Account Takeover · Credential Stuffing · Fake New Account · Payment · Account Management · SMS Toll Fraud · MITM / Adv. Phishing · API Abuse · Scraping · Card Testing · Loyalty Point Theft · LLM Platform Abuse
Attacker Profile
Amateur · Professional · Maverick
// FOUR CYBERCRIME BUSINESS MODELS

A shadow economy with four go-to-markets

Over the years a robust cybercrime economy has emerged, shadowing the legitimate global economy. ACTIR identifies four “business models”; the fourth, Nation State, is a non-revenue model focused on disruption rather than profit.

01
CAAS

Cybercrime-as-a-Service

A fully outsourced entity generating revenue from bad actors via subscription. Attacker-to-attacker model whose founders are entrepreneurial. Credential stuffing platforms, Phishing-as-a-Service, CAPTCHA solvers, fraud farm services.

02
DIRECT ATTACK

Direct Attack Model

Cybercriminals who buy CaaS subscriptions and use the platforms to design and deploy their own automated attacks. Popular because it dramatically reduces an attacker’s time-to-attack.

03
PROPRIETARY

Proprietary Attack Tech

Vertically integrated cybercriminal enterprises building a dynasty. Own tooling, own attacks and/or fraud farms, and often sell CaaS subscriptions on the side — monetizing both attack and toolkit.

04
NATION STATE

Nation State Model

Not revenue-driven. Influence elections, take down critical infrastructure, disrupt NGOs and cause chaos, gain national secrets through espionage. ACTIR tracks but does not center on this model.

// THREAT ACTOR NAMING CONVENTION

A naming system rooted in rock formations

Threat actor names are aligned to rock formations — the same earth-and-stone naming convention that gives Arkose Labs its name (“arkose” is itself a type of sedimentary rock). Each adversary is paired with an adjective that reflects a behavioral pattern, so security professionals know what they’re up against the moment they read the two-word name.

MARBLE
// Cybercrime-as-a-Service

Outsourced platforms. Entrepreneurial founders. Subscribers buy in.

SHALE
// Direct Attack

CaaS subscribers running automated attacks against enterprises.

IRONSTONE
// Proprietary Attack Tech

Vertically integrated dynasties — own tooling, own attacks, own sales.

BASALT
// Nation State

Disruption, influence, espionage — not revenue.

// EXAMPLE
Boomerang Marble

ACTIR first observed the threat actor group Boomerang Marble two years ago and shut it down. A determined group, it has returned with a whole new set of tactics — hence the name.

// ACTIR THREAT TAXONOMY · KEY ATTACK CATEGORIES

A shared language for security teams

The vocabulary security teams use to act fast and communicate clearly across attack types, profiles, and business models.

// ATTACK TYPE

Credential Stuffing

Automated large-scale login attacks using breached username/password pairs against authentication endpoints.

// ATTACK TYPE

Fake Account Creation

Bot-driven mass registration of synthetic identities to abuse promotions, commit fraud, or seed platforms.

// ATTACK TYPE

AiTM Phishing

Adversary-in-the-middle reverse-proxy attacks that intercept MFA tokens and bypass authentication in real time.

// ATTACKER PROFILE

Fraud Farms

Organized human-operated fraud networks that scale attacks with cheap labor, often across multiple geographies.

// ATTACKER PROFILE

AI Agents

Autonomous LLM-powered bots that mimic legitimate user behavior, making detection by traditional methods unreliable.

// BUSINESS MODEL

Crime-as-a-Service

Platforms selling attack tools, fake accounts, and solver services — enabling non-technical actors to run sophisticated campaigns.

// GET THE INTELLIGENCE

Stay ahead of what’s coming.

ACTIR research. Quarterly threat reports. Direct from the team tracking the world’s most sophisticated fraud operations.