TL;DR: Account sign-up remains the most abused entry point, with Storm-1152 creating 750 million fake Microsoft accounts and attackers also concentrating on sign-in and password reset flows, according to Arkose Labs' analysis of 12 months of fraud data. The pattern matters because identity and fraud controls fail first where onboarding, recovery, and scale collide.
At a glance
What this is: This analysis shows scammers still prefer account creation, then expand into sign-in and password reset abuse once they have a foothold.
Why it matters: For IAM practitioners, the lesson is that identity controls at onboarding and recovery are fraud controls as much as authentication controls, affecting human, NHI, and automated abuse patterns.
By the numbers:
- Storm-1152 created 750 million fake Microsoft accounts and made millions of dollars selling them on the dark web.
- In El Salvador, fraudsters might make 20x more by attacking gaming companies than by working a software developer job.
👉 Read Arkose Labs' analysis of scammer behaviour and account sign-up abuse
Context
Account creation, sign-in, and password reset are the three identity touchpoints that attackers most often exploit because they combine low-friction access with high downstream value. When those workflows are designed primarily for conversion and recovery, they can also become the easiest way to manufacture trust at scale.
This matters for IAM and fraud teams because the same weak point can be used to create fake users, hijack legitimate accounts, or seed later abuse across consumer, employee, and machine-facing identity flows. The operational question is no longer whether onboarding is secure enough in principle, but whether the first-use identity journey can withstand adversarial scale.
Key questions
Q: How should security teams stop fake account creation at sign-up?
A: They should add layered friction that raises the cost of bulk registration without breaking legitimate users. Combine device reputation, behavioural analysis, identity verification, and step-up checks at the point of enrolment. The goal is to make account creation expensive enough that industrialised fraud loses scale, while preserving a predictable journey for real customers.
Q: Why do password reset flows attract fraud and account takeover attempts?
A: Password reset flows restore access when identity is weakest, so attackers target them to convert a fresh foothold into durable control. If recovery depends on email continuity or other easily abused signals, fraudsters can bypass ordinary login protection. Teams should treat recovery as a higher-risk identity event than sign-in.
Q: How do organisations know if sign-up fraud controls are actually working?
A: They should measure more than blocked attempts. Useful signals include fake account creation rate, downstream abuse from newly created accounts, recovery abuse after enrolment, and whether friction is shifting attackers to other workflows. If fraud losses fall but abuse migrates into sign-in or reset flows, the control set is only partially effective.
Q: Who is accountable when identity workflows are abused for fraud?
A: Accountability should sit jointly with identity, fraud, and product owners because the abuse occurs at shared workflow boundaries. Governance should define who owns sign-up risk, who owns recovery risk, and who can force changes when abuse trends shift. Without clear ownership, attackers simply move to the least defended identity touchpoint.
Technical breakdown
Why account sign-up is the highest-value fraud entry point
Account sign-up is attractive because it lets attackers create identity artifacts before stronger controls have any history to evaluate. The first transaction often has the least friction, the least behavioural evidence, and the weakest linkage to device reputation or payment trust. At scale, fake account creation becomes inventory for credential stuffing, bonus abuse, resale, and recovery attacks. The article's Storm-1152 example shows how industrialised this can become when registration is cheap and reusable.
Practical implication: Treat sign-up as an abuse surface, not just a UX flow, and instrument it for abuse resistance rather than only authentication success.
How sign-in and password reset extend the attack chain
Once a bad actor has a foothold, sign-in and password reset become the next leverage points because they are designed to restore access, not to challenge identity provenance. These workflows often rely on email ownership, phone continuity, or prior session context, which attackers try to exploit through credential stuffing, phishing, SIM swap, or social engineering. In practice, the weakness is not one factor alone but the trust chain linking account recovery to account legitimacy.
Practical implication: Apply stronger risk checks to recovery than to ordinary login paths.
Seasonality and work-hour patterns in fraud operations
Fraud is increasingly operationalised like a business, with attacks timed to peak demand windows and regionally consistent work schedules. That changes how defenders should interpret volume spikes: they are not always random noise, but may indicate staffing, tooling, or monetisation cycles. For travel and gaming, campaign timing can align with booking surges or promotions because the payoff per successful fake account rises.
Practical implication: Monitor for temporal clustering by industry, region, and event window rather than relying on static thresholds, and use timing analysis to detect campaign coordination, not just spike volume.
NHI Mgmt Group analysis
Fraud starts where identity becomes cheap to manufacture. The article confirms that account sign-up remains the most valuable first touchpoint for abuse because it lets attackers create scale before defenders have behavioural history or trust signals. That is a governance problem, not just a bot problem, because onboarding controls often optimise for conversion instead of adversarial verification. Practitioners should treat registration as the first control plane for trust.
Account recovery is the overlooked continuation of the same abuse chain. Sign-in and password reset are not separate problems from fake sign-up; they are the second half of the same monetisation path. Once an attacker controls a created identity, recovery workflows can be used to consolidate access, bypass friction, and turn disposable accounts into durable ones. Security teams should view recovery as a high-risk identity lifecycle step.
Temporal clustering is a named fraud signal, not background noise. The reported seasonal spikes and business-hour attack patterns show that fraud operations behave like scheduled enterprises with predictable monetisation windows. That means anomaly detection should include time-of-day and campaign-cycle analysis, not only rate limits and device checks. The practitioner conclusion is to model fraud as coordinated operations with staffing and economics behind them.
Identity trust at scale must be measured at workflow boundaries. The strongest signal in this article is that scammers target the exact moments when systems grant trust before they have earned it. That creates an identity trust boundary problem across sign-up, sign-in, and password reset, especially when those flows are reused across consumer, employee, and partner ecosystems. Practitioners should redesign controls around the point trust is first conferred.
Cross-domain identity abuse now spans human and machine patterns. Although the article focuses on consumer fraud, the operational lesson carries into NHI governance because any workflow that mints reusable identity material can be industrialised. The same logic that drives fake account creation also drives token abuse, credential resale, and automated enrolment abuse. Practitioners should align fraud, IAM, and machine identity monitoring around shared trust signals.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Those visibility and privilege gaps are why the NHI Lifecycle Management Guide matters when sign-up abuse begins to resemble identity sprawl.
What this signals
Fake identity creation is the same governance problem that appears later in NHI sprawl. When account creation is abused at scale, the organisation is really losing control over which identities are legitimate, which are disposable, and which can be reused. That is the same trust boundary problem that shows up in machine identity programmes when credentials are minted faster than they can be governed.
The practical signal for teams is that fraud analytics and identity governance need shared telemetry on enrolment, recovery, and reuse. If those workflows are not measured together, an attacker can move from fake registration to account takeover without ever tripping a single control boundary.
Identity trust debt: the longer a platform allows low-friction identity creation without strong provenance checks, the more costly every downstream recovery and abuse decision becomes. That debt compounds across customer identity, workforce identity, and non-human identity programmes because each one inherits the same trust assumptions.
For practitioners
- Harden account creation with layered abuse checks: Add device reputation, behavioural risk scoring, email and phone validation, and adaptive friction to registration flows so that bulk sign-up cannot proceed at human speed. Tune controls for conversion loss versus fraud loss, then review outcomes by campaign and geography.
- Separate recovery from routine authentication risk: Apply stronger step-up checks to password reset and account recovery than to ordinary sign-in, especially where email-only recovery can be abused. Use recovery events as high-value signals for fraud analytics and session revocation.
- Track fraud by time window and campaign pattern: Monitor attacks by time of day, day of week, season, and event-driven demand spikes so that clustering becomes visible before losses escalate. Compare the pattern across regions and products to identify industrialised abuse rather than isolated attempts.
- Unify fraud and IAM telemetry: Correlate sign-up velocity, sign-in anomalies, password reset frequency, and device changes across IAM and fraud teams so one workflow does not mask another. Shared telemetry makes it easier to spot reused identities and serial abuse.
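As an added example (not code from Arkose Labs or the NHI Mgmt Group), the following Python detector applies the practitioner checks above to constructed identity-event lines: it flags devices that enrol accounts faster than a human could, password resets that follow enrolment within an hour (noting whether the device changed), and the hour-of-day clustering of sign-ups. The event format, the one-minute window, the threshold of three and the one-hour recovery age are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. One event per line:
# timestamp,event,account,device  (event is signup / signin / password_reset)
SAMPLE_EVENTS = """\
2025-08-11T02:00:01,signup,u1001,dev-aa
2025-08-11T02:00:04,signup,u1002,dev-aa
2025-08-11T02:00:07,signup,u1003,dev-aa
2025-08-11T02:05:00,password_reset,u1001,dev-bb
2025-08-11T02:06:00,password_reset,u1002,dev-aa
2025-08-11T09:30:00,signup,u2001,dev-cc
2025-08-12T02:01:00,signup,u1004,dev-aa
"""

def parse_events(text):
    """Parse the CSV-style lines into dicts sorted by timestamp."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    return sorted(({"ts": datetime.fromisoformat(t), "event": ev, "account": a, "device": d}
                   for t, ev, a, d in rows), key=lambda e: e["ts"])

def bulk_signup_devices(events, window=timedelta(minutes=1), threshold=3):
    """Devices that enrolled >= threshold accounts inside one sliding window
    (assumed values): registration proceeding faster than human speed."""
    by_device = defaultdict(list)          # timestamps stay sorted: input is sorted
    for e in events:
        if e["event"] == "signup":
            by_device[e["device"]].append(e["ts"])
    return {dev for dev, t in by_device.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

def early_resets(events, max_age=timedelta(hours=1)):
    """Accounts whose password reset follows enrolment within max_age.
    Returns (account, device_changed): a reset from a device other than the
    enrolling one is the device-change signal the recovery check looks for."""
    enrolled = {e["account"]: e for e in events if e["event"] == "signup"}
    hits = []
    for e in events:
        if e["event"] != "password_reset" or e["account"] not in enrolled:
            continue
        s = enrolled[e["account"]]
        if timedelta(0) <= e["ts"] - s["ts"] <= max_age:
            hits.append((e["account"], e["device"] != s["device"]))
    return hits

def signup_hour_profile(events):
    """Hour-of-day histogram of sign-ups, for spotting campaign clustering."""
    return Counter(e["ts"].hour for e in events if e["event"] == "signup")
```

On the sample, dev-aa is flagged for bulk enrolment, both early resets are reported (one with a device change), and sign-ups cluster at hour 2 across both days.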
Key takeaways
- The article shows that account sign-up remains the primary fraud entry point because it allows attackers to manufacture identity at scale before stronger controls engage.
- The reported 750 million fake Microsoft accounts and the recurring seasonal and business-hour attack patterns show that fraud is organised, repeatable, and economically optimised.
- The control implication is clear: teams need stronger identity verification, tighter recovery governance, and shared fraud-IAM telemetry at the workflow boundary.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and access decisions matter at sign-up and recovery. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Adaptive verification is needed when access patterns change during recovery abuse. |
| NIST SP 800-63 | IAL2 | Account creation quality depends on how well identity is established before trust is granted. |
Use continuous risk signals to step up checks when sign-in or reset behaviour looks abnormal.
Key terms
- Account Sign-up Abuse: Account sign-up abuse is the use of registration flows to create fraudulent or disposable identities at scale. Attackers exploit the point where systems must decide whether to trust a new account, turning onboarding into a supply chain for spam, fraud, resale, and later takeover attempts.
- Account Recovery Abuse: Account recovery abuse is the manipulation of password reset or recovery workflows to regain or seize access. These processes are designed to restore legitimate users, but weak verification lets attackers convert a temporary foothold into persistent control of the account lifecycle.
- Identity Trust Boundary: An identity trust boundary is the point where a system first decides an identity is legitimate enough to issue access, privileges, or recovery options. If that boundary is weak, the rest of the identity lifecycle inherits the mistake, making downstream fraud harder to contain.
- Fraud Campaign Clustering: Fraud campaign clustering is the pattern where attacks arrive in predictable bursts tied to seasons, regions, or events. It signals organised operations rather than random abuse, which helps defenders distinguish real campaigns from ordinary background noise.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Arkose Labs: Bot Detection Inside the Scammer’s Mind: Attack Data Revealed by Frank Teruel. Read the original.
Published by the NHIMG editorial team on 2025-08-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org