0ktapus SMS Phishing Campaign Stole Okta Credentials and 2FA Codes
Group-IB reported that a large-scale phishing operation dubbed 0ktapus targeted organizations using Okta by sending employees SMS messages that linked to fake Okta sign-in pages. The campaign harvested usernames, passwords, and one-time 2FA codes, allowing attackers to use stolen credentials almost immediately before the codes expired. Researchers said the operation relied on relatively simple infrastructure, including 169 phishing domains, a Nuxt.js frontend, a Django backend, and Telegram bots and channels used to collect stolen data in near real time.
The activity was linked to compromises across multiple sectors, including IT, cloud services, finance, telecommunications, and cryptocurrency, with victims concentrated in the United States and Canada. Group-IB said the campaign was active by at least March 2022 and expanded into supply-chain intrusions affecting Twilio, Mailchimp, and Klaviyo, with downstream impact on customers of Signal and DigitalOcean. The firm said the attackers likely sought access to private data, internal documents, financial assets, and user accounts, and it urged organizations to adopt phishing-resistant MFA such as FIDO2 security keys, verify login URLs carefully, and reset credentials and revoke sessions immediately after suspected compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Group-IB publicly discloses analysis of the 0ktapus campaign
On September 10, 2025, Group-IB published its analysis naming the phishing operation 0ktapus and detailing its methods, infrastructure, victimology, and mitigations. The company recommended phishing-resistant MFA such as FIDO2 security keys, URL verification, and immediate credential resets and session revocation after suspected compromise.
Group-IB links Telegram admin artifacts to 'Subject X'
During its investigation, Group-IB traced administrative artifacts from the campaign's Telegram infrastructure to an individual it labeled Subject X. The company described this attribution as preliminary rather than conclusive.
Okta says Twilio breach exposed some customer SMS MFA codes
Okta disclosed that attackers who breached Twilio's console viewed SMS one-time passcodes and phone numbers tied to 38 Okta-related phone numbers, mostly associated with one organization. Okta said the actor likely paired previously phished credentials with intercepted SMS MFA codes, and it rerouted SMS traffic away from Twilio after learning of the exposure.
Campaign expands into supply-chain compromises
Group-IB reported that the activity escalated into supply-chain attacks affecting Twilio, Mailchimp, and Klaviyo, with downstream impact on Signal and DigitalOcean customers. This marked a broader operational impact beyond direct credential theft from individual employees.
0ktapus compromises numerous organizations in North America
The phishing campaign successfully breached multiple well-known organizations, primarily in the United States and Canada. Group-IB said targeted sectors included IT, software, cloud services, finance, telecommunications, and cryptocurrency.
Attackers build and operate 0ktapus phishing infrastructure
The campaign used at least 169 phishing domains along with a Nuxt.js frontend, a Django backend, and Telegram bots and channels to collect stolen credentials. Group-IB found the kit was relatively simple and likely required attackers to monitor submissions in near real time so captured 2FA codes could be used before they expired.
0ktapus phishing campaign begins targeting Okta customers
Group-IB assessed that the 0ktapus SMS phishing campaign was active by at least March 2022, targeting employees at organizations that used Okta. The operation used fake Okta login pages to steal credentials and one-time 2FA codes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Voice and SMS phishing campaigns abused Okta workflows to breach hundreds of firms
A series of social-engineering campaigns targeted organizations that relied on **Okta** and similar identity systems, using SMS phishing, fake login portals, and later voice calls impersonating IT staff to steal credentials, MFA codes, and session tokens. Group-IB said the **0ktapus** operation targeted **136 organizations**, used **169** lookalike domains, and compromised thousands of accounts, with victims concentrated in technology, software, and cloud sectors in the United States and Canada. Reporting tied the same activity to breaches at **Twilio**, **Cloudflare**, **DoorDash**, and later **Coinbase**, where an attacker obtained an employee username and password and accessed limited corporate directory data but was blocked from broader access by MFA controls and incident response. Subsequent reporting described an evolution from SMS phishing to **vishing** and adversary-in-the-middle phishing kits that mirrored corporate SSO flows in real time, enabling theft of session tokens even after MFA was completed. Mandiant and other researchers linked a 2026 wave under the **ShinyHunters** banner to more than **400 organizations**, with attackers using branded phishing sites, harvesting cloud data from **SharePoint**, **OneDrive**, **Salesforce**, and **Slack**, and following theft with extortion demands. Across the incidents, phishing-resistant **FIDO2** security keys stood out as an effective defense, while earlier disputes over Okta-related intrusions, including claims by **Lapsus$**, underscored how compromises of identity providers and support channels can cascade into downstream customer exposure.
May 25, 2026
Okta Warns of Real-Time Vishing Phishing Kits Targeting SSO and MFA
Okta reported that threat actors are using and selling custom **voice-phishing (vishing) kits** that enable helpdesk-style social engineering to steal credentials and bypass MFA for **Okta SSO** and other identity providers, including **Google** and **Microsoft**. The kits are offered “as a service” on dark web forums and messaging platforms and are designed to closely mimic legitimate identity-provider authentication flows, making the victim experience appear authentic during a live phone call. Unlike static phishing pages, the kits function as **adversary-in-the-middle** platforms that let attackers monitor a victim’s session in real time and dynamically change what the victim sees (e.g., dialogs prompting for credentials or MFA approval) as the call progresses. Okta said operators typically conduct reconnaissance on targeted employees (names, applications used, and IT/helpdesk phone numbers), then call victims—often with spoofed corporate/helpdesk numbers—while guiding them through a tailored phishing page; captured credentials and MFA responses are relayed to the attacker to complete login and enable downstream **data theft and extortion** activity, echoing prior “IT support call” tradecraft associated with **Scattered Spider-like** intrusions.
May 15, 2026
MFA Bypass via Phishing and Authentication Abuse (OAuth Device Code, Vishing Kits, and OTP Bombing)
Threat researchers reported multiple **MFA-bypass** techniques being operationalized against enterprise users, with a notable focus on Microsoft 365 and common authentication workflows. KnowBe4 Threat Labs described an active phishing campaign targeting North American organizations that abuses the **OAuth 2.0 Device Authorization Grant** (`microsoft.com/devicelogin`) to trick users into entering an attacker-supplied device code on a legitimate Microsoft page; after the user completes MFA, the attacker obtains valid **OAuth access/refresh tokens**, enabling persistent access to M365 services (e.g., Outlook, Teams, OneDrive/SharePoint) without stealing passwords. Recommended mitigations included auditing newly consented OAuth apps, hunting for related email lure patterns, and considering disabling the device code flow via Conditional Access. Separately, Okta warned of emerging **voice-phishing (vishing) kits** that provide real-time, client-side “session orchestration,” allowing attackers to dynamically change phishing pages while on a phone call to coax victims into approving push prompts or providing OTPs; captured credentials are commonly exfiltrated to attacker-controlled channels (e.g., Telegram) and then replayed against legitimate sign-in flows. Cyble also documented the continued evolution of **SMS/OTP (and voice) bombing** ecosystems, highlighting automated, API-driven abuse of authentication endpoints across multiple sectors and regions, with tooling maturing into cross-platform applications and adding evasion features—activity that can facilitate social engineering and account takeover by overwhelming users with authentication messages or calls.
Mar 21, 2026