Microsoft has filed a lawsuit against a group of 10 unnamed defendants, accusing them of developing tools to bypass safety measures in its Azure OpenAI Service.
The complaint, lodged in December in the U.S. District Court for the Eastern District of Virginia, alleges that the defendants, referred to as ‘Does,’ used stolen customer credentials and custom software to access Microsoft’s systems. Microsoft claims the group violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and federal racketeering laws.
According to the lawsuit, the defendants used stolen API keys, unique authentication codes, to operate a ‘hacking-as-a-service’ scheme. They allegedly created a tool called ‘de3u,’ which enabled users to generate content using OpenAI’s DALL-E model without adhering to the company’s content policies. The tool reportedly circumvented safeguards designed to filter harmful or offensive content.
The company discovered the alleged breach in July 2024 after identifying unauthorised use of Azure OpenAI Service credentials. Investigations revealed the credentials had been stolen from paying customers.
The lawsuit claims the defendants engaged in systematic theft of API keys and reverse-engineered methods to bypass Microsoft’s abuse prevention measures. A GitHub repository hosting the de3u project code, GitHub is owned by Microsoft, is no longer accessible.
“These features, combined with unlawful programmatic access, allowed the defendants to evade Microsoft’s content and abuse safeguards,” the complaint states.
In a blog post published on Friday, the company announced that a court had authorised it to seize a website central to the operation, enabling evidence collection and disruption of further activity. The company has also implemented unspecified countermeasures and safety mitigations for its Azure OpenAI Service.
Microsoft is seeking injunctive relief, damages, and additional measures to prevent future misuse.