Over 130 organizations were compromised in the “0ktapus” phishing campaign and the credential of 9,931 employees were stolen. Hackers that are responsible for this string of cyberattacks target companies such as Twilio, MailChimp, and Klaviyo.

This was a months-long phishing campaign that has been ongoing since March 2022 and aimed primarily at companies that use Okta as a single sign-on supplier (hence the name of the campaign – “0ktapus”).

The stolen credentials and 2FA codes were then used by the malicious actor to access corporate networks and systems via VPNs and other remote access devices.

Furthermore, these breaches resulted in supply-chain attacks on clients who use the affected organizations’ services.

Who Are the Victims

The threat actors attacked companies in multiple sectors, including cryptocurrency, technology, finance, and recruiting.

“Some of the targeted companies include T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy”, according to BleepingComputer.

A large proportion of the organizations affected by the phishing campaign are based in the United States. Almost half of those belong to the software and telecommunications sector, the rest of them consisting of finance, business services, education, and retail companies.

How Did the Attack Work

The scammer used a smishing attack, sending SMS messages to the employees with a link to a phishing page imitating an Okta login page where victims are told to use their account credentials and the 2FA codes.

Researchers discovered 169 unique phishing domains supporting the 0ktapus campaign, using the keywords “OKTA,” “HELP,” “VPN,” and “SSO”.


The phishing campaign was so successful because sites with the specific theming of the target companies were used so that they look exactly like the real portals.

These sites transmitted the credentials and 2FA codes obtained this way to a private Telegram channel from which cyber attackers can recover them.

From there it was only a small step for the scammers to access VPNs, networks, and internal support systems to steal customer data. This customer data were the one used to initiate the supply-chain attacks.

Group-IB says that the threat actors managed to steal 9,931 user credentials from 136 companies, 3,129 records with emails, and 5,441 records with MFA codes.


Do We Have a Lead on the Attackers?

Fortunately, the hackers left a trace in the phishing kit that revealed the admin account of the Telegram channel used for the stolen data.

That is how user “X” was found, one of the Telegram group’s administrators. From there, the analysts found a GitHub account associated to the hacker, who used the nickname “Subject X” at the time, and a Twitter account; both suggest that the malicious actor may reside in North Carolina, United States.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

What Is Smishing?

Phishing Campaign Uses Reverse Tunnels and URL Shorteners

Two-Factor Authentication Simplified: Security Keys Are Now the Only Twitter 2FA Method

Leave a Reply

Your email address will not be published. Required fields are marked *