Voice and SMS phishing campaigns abused Okta workflows to breach hundreds of firms
A series of social-engineering campaigns targeted organizations that relied on Okta and similar identity systems, using SMS phishing, fake login portals, and later voice calls impersonating IT staff to steal credentials, MFA codes, and session tokens. Group-IB said the 0ktapus operation targeted 136 organizations, used 169 lookalike domains, and compromised thousands of accounts, with victims concentrated in technology, software, and cloud sectors in the United States and Canada. Reporting tied the same activity to breaches at Twilio, Cloudflare, DoorDash, and later Coinbase, where an attacker obtained an employee username and password and accessed limited corporate directory data but was blocked from broader access by MFA controls and incident response.
Subsequent reporting described an evolution from SMS phishing to vishing and adversary-in-the-middle phishing kits that mirrored corporate SSO flows in real time, enabling theft of session tokens even after MFA was completed. Mandiant and other researchers linked a 2026 wave under the ShinyHunters banner to more than 400 organizations, with attackers using branded phishing sites, harvesting cloud data from SharePoint, OneDrive, Salesforce, and Slack, and following theft with extortion demands. Across the incidents, phishing-resistant FIDO2 security keys stood out as an effective defense, while earlier disputes over Okta-related intrusions, including claims by Lapsus$, underscored how compromises of identity providers and support channels can cascade into downstream customer exposure.
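The reason FIDO2 keys stand up to the real-time relay kits described above is origin binding: the browser, not the page script, writes the current origin into clientDataJSON, the authenticator signs over a hash of it, and the relying party checks both the origin and the rpId hash before accepting the assertion. The following is an added illustration of that check, not code from the page or from Okta or any vendor. It assumes constructed names (relying party login.example.com, lookalike host login-example-sso.com) and simulates the authenticator's signature with HMAC over a secret it never releases, standing in for the ECDSA key pair a real authenticator holds; the signed message layout (authenticatorData || SHA-256(clientDataJSON)) and the verification order follow the WebAuthn assertion ceremony.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.example.com"                         # constructed relying-party id
RP_ORIGIN = "https://login.example.com"             # the real SSO origin
LOOKALIKE_ORIGIN = "https://login-example-sso.com"  # constructed AitM proxy host


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class SimulatedAuthenticator:
    """One credential scoped to one rpId. HMAC stands in for the ECDSA key pair."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.credential_id = secrets.token_bytes(16)
        self._secret = secrets.token_bytes(32)   # never leaves the authenticator
        self.sign_count = 0

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> dict:
        if rp_id != self.rp_id:                  # credential is scoped to its rpId
            raise KeyError("no credential scoped to rpId %r" % rp_id)
        self.sign_count += 1
        flags = b"\x05"                          # UP and UV bits set
        auth_data = rp_id_hash(rp_id) + flags + self.sign_count.to_bytes(4, "big")
        sig = hmac.new(self._secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"credentialId": self.credential_id, "authenticatorData": auth_data, "signature": sig}

    def verifier(self):
        """Stand-in for the public key the RP stored at registration."""
        secret = self._secret

        def verify(message: bytes, signature: bytes) -> bool:
            return hmac.compare_digest(hmac.new(secret, message, hashlib.sha256).digest(), signature)
        return verify


def client_data_json(page_origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}).encode()


def browser_get(auth, page_origin: str, requested_rp_id: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the script supplies rpId and challenge,
    the browser supplies the origin and rejects an rpId that is not the page's host
    or a registrable suffix of it."""
    host = urlparse(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("SecurityError: rpId %r not valid for origin %s" % (requested_rp_id, page_origin))
    cdj = client_data_json(page_origin, challenge)
    assertion = auth.get_assertion(requested_rp_id, hashlib.sha256(cdj).digest())
    assertion["clientDataJSON"] = cdj
    return assertion


def rp_verify(assertion: dict, expected_challenge: bytes, expected_origin: str, rp_id: str, verify) -> tuple:
    """Relying-party side checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % cd.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash(rp_id):
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not verify(signed, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    auth = SimulatedAuthenticator(RP_ID)
    verify = auth.verifier()
    results = {}
    # 1. Genuine login on the real origin.
    challenge = secrets.token_bytes(32)
    results["legitimate"] = rp_verify(browser_get(auth, RP_ORIGIN, RP_ID, challenge), challenge, RP_ORIGIN, RP_ID, verify)
    # 2. A relay kit forwards the RP's challenge to the victim on the lookalike page:
    #    the browser refuses because the rpId does not match the lookalike host.
    relayed = secrets.token_bytes(32)
    try:
        browser_get(auth, LOOKALIKE_ORIGIN, RP_ID, relayed)
        results["aitm_via_browser"] = "assertion produced (should not happen)"
    except PermissionError as e:
        results["aitm_via_browser"] = str(e)
    # 3. Even with that check bypassed, clientDataJSON carries the lookalike origin.
    cdj = client_data_json(LOOKALIKE_ORIGIN, relayed)
    forced = auth.get_assertion(RP_ID, hashlib.sha256(cdj).digest())
    forced["clientDataJSON"] = cdj
    results["aitm_forged_client_data"] = rp_verify(forced, relayed, RP_ORIGIN, RP_ID, verify)
    # 4. Rewriting the origin before forwarding breaks the signed hash.
    tampered = dict(forced, clientDataJSON=client_data_json(RP_ORIGIN, relayed))
    results["aitm_rewrote_origin"] = rp_verify(tampered, relayed, RP_ORIGIN, RP_ID, verify)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Contrast this with a TOTP or push code, which carries no origin at all: the relay kit can forward it unchanged and the identity provider cannot tell the proxied login from a genuine one.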

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Researchers detail ShinyHunters campaign affecting 400+ organizations
On 2026-03-12, researchers published technical details on the ShinyHunters-linked campaign, including real-time phishing kits that captured session tokens after MFA and post-compromise theft from SharePoint, OneDrive, Salesforce, and Slack. The report named victims including Match Group, SoundCloud, Panera Bread, Betterment, Harvard, Crunchbase, Canada Goose, and Aura.
Optimizely disclosed as victim of suspected vishing attack
On 2026-03-03, reporting identified ad-tech firm Optimizely as a victim of a suspected ShinyHunters vishing attack that leaked business information. This added a named victim to the expanding campaign.
Public reporting documents ShinyHunters-style vishing wave
By late January 2026, public reporting described a cybercrime group claiming responsibility for voice-phishing attacks targeting Okta-linked environments. The reporting marked broader public awareness of the campaign's methods and actor claims.
Large-scale ShinyHunters-linked vishing campaign begins
In January 2026, a broad voice-phishing campaign began in which attackers impersonated IT support staff and sent employees to victim-branded credential harvesting sites. Mandiant later associated the activity with the ShinyHunters banner and said the campaign ultimately reached more than 400 organizations.
Attackers prepare large vishing infrastructure for new campaign
In December 2025, attackers registered many of the domains later used in a large-scale vishing campaign, indicating advance preparation. Silent Push later identified more than 150 attacker-controlled domains tied to the operation.
Coinbase publicly details limited 0ktapus-related intrusion
On 2023-02-21, Coinbase disclosed that a persistent cybercriminal associated with 0ktapus had accessed its corporate directory through a combination of smishing and a follow-up phone call. Coinbase said its controls blocked remote access because the attacker failed MFA, and the incident affected only limited employee contact information.
Coinbase employee phished and socially engineered by 0ktapus actor
Before Coinbase's February 2023 disclosure, a threat actor linked to 0ktapus used SMS phishing to steal an employee's username and password, then followed up with a voice social-engineering call impersonating Coinbase IT. The attacker gained limited access to Coinbase's corporate directory, exposing employee contact details, but could not satisfy MFA requirements or access customer funds or customer information.
Group-IB identifies 0ktapus targeting 136 organizations
On 2022-08-26, Group-IB publicly linked the actors behind the Twilio and Cloudflare incidents to a campaign dubbed 0ktapus that targeted 136 organizations. The firm said the operation used 169 phishing domains and resulted in 9,931 compromised accounts and 3,120 credentials with email addresses.
Twilio and Cloudflare breaches linked to broader 0ktapus campaign
In August 2022, reporting tied the intrusions at Twilio and Cloudflare to the same threat actor behind the wider 0ktapus phishing campaign. The activity was described as a supply-chain style operation that leveraged data from one compromise to target downstream organizations.
Lapsus$ posts Okta screenshots and Okta discloses January incident
On 2022-03-23, the extortion group Lapsus$ published screenshots claiming an Okta breach, prompting Okta to confirm the earlier January compromise of a third-party support engineer account. Okta said about 2.5% of customers were potentially impacted, while Lapsus$ disputed Okta's characterization and claimed broader access.
0ktapus phishing campaign operates against Okta-using firms
By March 2022, the 0ktapus operation was active and reportedly remained undetected while targeting organizations that used Okta, primarily in IT, software development, and cloud services. The attackers used SMS phishing and fake Okta login pages to steal credentials and one-time codes.
Attacker accesses Okta support engineer laptop via third party
In January 2022, an attacker gained access for five days to a third-party customer support engineer's laptop used to support Okta customers. Okta later said the incident was contained and did not breach its core services, though support-related access was exposed.
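The kits in the 2026 wave above relayed a victim's login in real time and then used the captured session token from the attacker's own infrastructure, which leaves a specific trace in the identity provider's log: a session that completed MFA from one client and is then exercised from a different IP address or user agent shortly afterwards. The detection below is an added example, not from the page, Okta, or any vendor. The events are constructed and only loosely modelled on Okta System Log fields (eventType, published, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, authenticationContext.externalSessionId); the field paths and the MFA event name are assumptions to adapt to the schema your SIEM actually ingests.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumed event type for a successful MFA step; map to your tenant's actual value.
MFA_SUCCESS = "user.authentication.auth_via_mfa"
LAPTOP_UA = "Mozilla/5.0 (Macintosh) Chrome/122"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0) Edge/122"
PHONE_UA = "Mozilla/5.0 (iPhone) Safari/17"
SCRIPT_UA = "python-requests/2.31.0"


def _event(ts, etype, user, ip, ua, session):
    """Build one constructed log record in the assumed shape."""
    return {"published": ts, "eventType": etype, "outcome": {"result": "SUCCESS"},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": session}}


# Constructed sample: session S1 finishes MFA on alice's laptop and minutes later
# is used from another address by a scripted client; S2 and S3 are ordinary.
SAMPLE_EVENTS = [
    _event("2026-01-14T09:00:05Z", MFA_SUCCESS, "alice@example.com", "203.0.113.10", LAPTOP_UA, "S1"),
    _event("2026-01-14T09:00:09Z", "user.session.start", "alice@example.com", "203.0.113.10", LAPTOP_UA, "S1"),
    _event("2026-01-14T09:03:41Z", "user.authentication.sso", "alice@example.com", "198.51.100.77", SCRIPT_UA, "S1"),
    _event("2026-01-14T09:10:00Z", MFA_SUCCESS, "bob@example.com", "203.0.113.20", EDGE_UA, "S2"),
    _event("2026-01-14T09:12:30Z", "user.authentication.sso", "bob@example.com", "203.0.113.20", EDGE_UA, "S2"),
    _event("2026-01-14T10:00:00Z", MFA_SUCCESS, "carol@example.com", "192.0.2.5", PHONE_UA, "S3"),
    _event("2026-01-14T10:00:20Z", "user.authentication.sso", "carol@example.com", "192.0.2.5", PHONE_UA, "S3"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _client(ev):
    return ev["client"]["ipAddress"], ev["client"]["userAgent"]["rawUserAgent"]


def detect_session_client_change(events, window_seconds=8 * 3600):
    """Flag events in a session whose client differs from the one that passed MFA.

    Returns one finding per offending event. Both IP and user agent changing is
    rated high; a single attribute changing is medium, since mobile clients
    legitimately roam between addresses."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["authenticationContext"]["externalSessionId"]].append(ev)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["published"]))   # tolerate out-of-order ingestion
        mfa_client = mfa_time = None
        for ev in evs:
            if ev["eventType"] == MFA_SUCCESS and ev["outcome"]["result"] == "SUCCESS":
                mfa_client, mfa_time = _client(ev), _ts(ev["published"])
                continue
            if mfa_client is None:
                continue                                # no MFA seen yet for this session
            ip, ua = _client(ev)
            changed = [name for name, new, old in (("ip", ip, mfa_client[0]),
                                                   ("user_agent", ua, mfa_client[1])) if new != old]
            elapsed = int((_ts(ev["published"]) - mfa_time).total_seconds())
            if changed and elapsed <= window_seconds:
                findings.append({"user": ev["actor"]["alternateId"], "session": session,
                                 "event": ev["eventType"], "changed": changed,
                                 "mfa_client": mfa_client, "seen_client": (ip, ua),
                                 "seconds_after_mfa": elapsed,
                                 "severity": "high" if len(changed) == 2 else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_session_client_change(SAMPLE_EVENTS):
        print(f)
```

A real rule keys the session on whatever token identifier your provider logs and adds allow-lists for known VPN egress ranges; the comparison logic stays the same.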
Sources
How ShinyHunters Breached 400 Companies by Impersonating Them (Allure Security, alluresecurity.com)
Suspected ShinyHunters’ Vishing Attack Hits Ad Tech Firm Optimizely, Leaking Business Information (CPO Magazine, cpomagazine.com)
Cybercrime group claims credit for voice phishing attacks (Cybersecurity Dive, cybersecuritydive.com)
Coinbase explains how ‘0ktapus’ hacker accessed corporate directory (The Record from Recorded Future News, therecord.media)
The number of companies caught up in recent hacks keeps growing (Ars Technica, arstechnica.com)
0ktapus phishing campaign: Twilio hackers targeted other 136 orgs (Security Affairs, securityaffairs.com)
Okta, Lapsus$ offer dueling narratives on breach claim (SC Media, scworld.com)
CISA (cisa.gov)
Web Archive (web.archive.org)