Vietnam fake account farms fuel global cybercrime wave

Okta Threat Intelligence has linked a cluster of fraudulent account registrations to a Vietnam-based cybercrime ecosystem that sells fake accounts, stolen credentials and tools for generating large volumes of sign-ups.

The research ties the activity, tracked internally as O-UNC-036, to dozens of Vietnam-hosted websites marketing account-related products and services associated with online fraud. Okta conducted the investigation with researchers at the University of Cyprus.

Fraudulent accounts enable abuse ranging from spam and phishing to larger financial scams. They also underpin SMS pumping attacks, which trigger verification texts to premium-rate numbers so criminals can profit from the resulting charges. Many consumer and business services use SMS for onboarding and multi-factor authentication codes, making signup abuse a direct cost for providers.

Cybercrime supply chain

Okta describes an ecosystem that functions like a supply chain. Some groups sell compromised accounts, while others offer cloned or automated accounts. Another set of vendors sells infrastructure and evasion services designed to keep accounts active long enough to monetise.

One part of the ecosystem centres on CMSNT.co, a Vietnam-based web design and marketing company. Okta observed "cookie-cutter" CMSNT.co website templates used across dozens of storefronts advertising digital accounts and related fraud services.

The templates appear built for online shops selling accounts for email providers, games and social media platforms. Okta also identified templates for services that boost social media engagement, along with "anti-detect" browsers, phone farm services and residential proxies. These tools aim to mask automation and reduce the likelihood that platforms detect coordinated behaviour.

Okta also found indications that some template source code had leaked, allowing sites to use the designs without paying. It saw no indication that CMSNT.co itself sold accounts.

Low-cost accounts

Okta highlighted Via17.com as an example of the marketplaces it tracked. The site offers compromised and cloned Facebook accounts, with one package priced at US$2.13 per account, and listings claiming to include more than 1,000 accounts.

Okta said "via" is slang for hacked accounts and appears frequently on sites selling access. Compromised accounts can result from brute-force attempts or stolen credentials taken from infected devices. Logs from information-stealing malware often include usernames and passwords and are traded on underground forums and messaging services.

Via17.com also sells session tokens-small data files that keep users signed in-which Okta said are sometimes referred to as "cookies" in account offerings.

Okta also identified another marketplace, nladsgiare.shop, which it said used the same CMSNT.co website code. Listings there referenced accounts linked to disposable email addresses.

Disposable email

A key tactic in the activity Okta tracked involved disposable email services that provide temporary inboxes for short periods. Okta said O-UNC-036 relied on disposable email domains to automate registrations at scale. This approach avoids the need to maintain long-lived email accounts while still allowing criminals to receive one-time verification messages.

Okta observed a "flood" of suspicious registrations across multiple disposable email domains. Analysis of those domains led to a wider set of Vietnamese storefronts selling accounts and fraud-related services.

Okta pointed to one disposable email service, mailclone.site, where anyone can generate an email address and read incoming messages directly on the website. It also said Via17.com recommended receiving codes via temp-mail.io and listed 11 other disposable email services for use during registration.

Regional and global reach

The research places the Vietnamese ecosystem within a broader regional landscape of organised cyber-enabled fraud, including so-called "pig butchering" scams. These operations have expanded across Southeast Asia, particularly in border areas near China, Myanmar, Thailand and Cambodia. Criminal groups have run scams from large compounds and used fake online identities to target victims worldwide.

Okta cited an April 2025 report by the United Nations Office on Drugs and Crime describing a "surge of specialized service providers" selling fraud kits, stolen data, malware, AI-driven tools and money laundering services. The trade often occurs through open forums, social networking sites, clear-web websites and messaging platforms, including Telegram.

Okta said the activity it observed mostly targeted Vietnamese speakers, though it also saw vendors seeking English-speaking buyers, suggesting the market extends beyond Vietnam.

Hieu Minh Ngo, a Vietnamese cybercrime investigator who contributed to the UN report and runs the scam-fighting cybersecurity awareness group ChongLuaDao, warned of the downstream harm caused by fake identities online.

"When [scammers] use fake accounts to win the trust of people, they end up with a lot of personal data about them. They can do lots of damage to those victims," said Hieu Minh Ngo, Vietnamese cybercrime investigator, ChongLuaDao.

Okta said it has not observed direct links between the activity it tracked and Storm 1152, a Vietnamese group Microsoft has previously pursued through civil legal action over the sale of fraudulent Outlook and Hotmail accounts. Okta framed its findings as part of a wider cybercrime-as-a-service market in which access, automation and evasion tools are sold to other criminals.

Okta also said service providers face a trade-off in responding to signup fraud: stricter defences can reduce abuse but may also create friction for legitimate customers, including users who rely on email masking or forwarding services.