SOCRadar® Cyber Intelligence Inc. | Okta Vishing Campaign Allegedly Linked to ShinyHunters: What You Need to Know
Jan 23, 2026

Okta Vishing Campaign Allegedly Linked to ShinyHunters: What You Need to Know

A recent disclosure from Okta has brought renewed attention to how voice phishing (vishing) campaigns are evolving to bypass widely deployed identity security controls. A key factor driving this shift is a set of custom phishing kits designed to work in real time with phone-based social engineering, allowing attackers to manipulate authentication flows as victims interact with fake login pages.

This blog examines the recent Okta vishing campaign, outlining how the attacks were carried out, what is currently known about the actors involved, and why these techniques pose a growing challenge for organizations relying on traditional authentication controls.

What Happened in the Recent Okta Vishing Campaign?

Okta Threat Intelligence disclosed the use of custom phishing kits built specifically to support vishing operations, in which attackers pose as internal IT or security personnel during phone calls. Rather than relying on static phishing emails, these campaigns unfold in real time, with victims verbally guided to malicious websites designed to closely resemble legitimate Okta, Microsoft, or Google login pages.

A defining characteristic of the campaign is its ability to bypass common MFA methods. The kits allow attackers to dynamically control what the victim sees in their browser, synchronizing each step with spoken instructions. This approach increases credibility and reduces hesitation, especially in workplace settings where IT support calls are routine.

Moreover, following public reporting on the activity, a known threat actor claimed responsibility for the campaign and published alleged data leaks linked to the Okta vishing campaign.

How Do These Phishing Kits Bypass Multi-Factor Authentication (MFA)?

The effectiveness of these kits lies in real-time session orchestration. Once a victim enters credentials into the phishing page, those details are immediately relayed to the attacker. The attacker then attempts to log in to the legitimate service and observes which MFA challenge is triggered.

Based on that challenge, the phishing page is updated instantly. For example, if a push notification or One-Time Password (OTP) is required, the attacker can instruct the victim to approve or enter it while the page displays supporting prompts. Even number-matching push MFA can be defeated if the victim is verbally guided.

How the attackers orchestrated the Okta vishing campaign (Okta Blog)

Phishing-resistant methods such as FIDO passkeys or Okta FastPass remain effective because they cryptographically bind authentication to the legitimate domain, preventing relay-based attacks.
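As an added illustration (not part of the Okta or SOCRadar material) of why the relay described above fails against FIDO/WebAuthn: the browser writes the real page origin into the signed client data and refuses RP IDs that do not match that origin, so an assertion produced on a look-alike page can never verify at the legitimate relying party. The RP ID, the origins and the HMAC standing in for the authenticator's signature are constructed assumptions for this model.

```python
from __future__ import annotations
import hashlib, hmac, json, secrets

# Constructed values for the demo; not taken from Okta's or SOCRadar's material.
RP_ID = "login.example.com"                # relying party ID the RP registered
RP_ORIGIN = "https://login.example.com"    # the only origin the RP will accept
CREDENTIAL_KEY = secrets.token_bytes(32)   # stand-in for the authenticator's private key

def browser_get_assertion(origin: str, rp_id: str, challenge: bytes) -> dict | None:
    """Model of the browser/authenticator side of navigator.credentials.get().
    The browser refuses an rp_id that is not the page's host (or a registrable suffix
    of it) and writes the *real* page origin into clientDataJSON; page script cannot
    override either value."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) || flags (UP|UV) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()  # HMAC models the signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(assertion: dict | None, expected_challenge: bytes) -> str:
    """Relying-party side: the checks WebAuthn requires before accepting a login."""
    if assertion is None:
        return "no assertion: browser refused the RP ID for this origin"
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: assertion was signed for {cd['origin']}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, assertion["sig"]) else "bad signature"

def demo() -> dict[str, str]:
    challenge = secrets.token_bytes(32)      # issued by the RP for this login attempt
    lookalike = "https://login-example.com"  # constructed look-alike origin
    return {
        "legitimate": rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge),
        # Relayed challenge asking for the real RP ID: the browser itself refuses.
        "relay_real_rpid": rp_verify(browser_get_assertion(lookalike, RP_ID, challenge), challenge),
        # Page asks for its own RP ID: the assertion is bound to the wrong origin and rejected.
        "relay_own_rpid": rp_verify(browser_get_assertion(lookalike, "login-example.com", challenge), challenge),
    }
```

Contrast this with an OTP or push approval, which carries no origin information at all, so the server cannot tell a code typed on the real page from one typed on a look-alike.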

Who Is Behind the Recent Okta-Related Data Leaks?

According to a LinkedIn post by security expert Alon Gal, the threat actor group ShinyHunters confirmed responsibility for the Okta SSO vishing campaign. After failed extortion attempts, the group published alleged victim data on their Data Leak Site (DLS), naming Crunchbase, SoundCloud, and Betterment as affected organizations.

The researcher has shared their Telegram chat with the threat actor for further context.

The published descriptions claim:

  • Over 20 million records linked to Betterment
  • Over 2 million records linked to Crunchbase
  • Over 30 million records linked to SoundCloud

The leaked datasets reportedly include personally identifiable information, internal documents, and corporate records.

The ShinyHunters leak site lists Betterment, Crunchbase, and SoundCloud as victims, with the group claiming responsibility for the Okta vishing campaign.

Track Threat Actor Activity With SOCRadar’s Dark Web Monitoring

When threat actors publish leak claims, organizations often need clarity quickly: whether their data is actually present, how widely it is being shared, and whether the claims are evolving over time.

SOCRadar’s Dark Web Monitoring module is built to support this verification process by continuously observing attacker-controlled spaces where such claims surface. Key capabilities include:

  • Tracking criminal forums and underground marketplaces where stolen data is advertised or discussed,
  • Identifying references to company names, domains, credentials, or sensitive keywords,
  • Monitoring threat actor postings for newly published or updated victim listings.

By grounding response efforts in observed activity across these channels, security teams can better assess risk and prioritize next steps.

SOCRadar’s Dark Web Monitoring

What Does Okta Recommend to Defend Against These Attacks?

Okta emphasizes that not all MFA is phishing-resistant, and relying solely on push notifications or OTPs is no longer sufficient against voice-enabled attacks. Key recommendations include:

  • Enforcing phishing-resistant authentication such as passkeys or FastPass
  • Restricting access based on network zones and known IP ranges
  • Blocking authentication attempts from anonymization services
  • Increasing employee awareness of phone-based social engineering tactics

Some financial institutions are also testing live caller verification, allowing users to confirm whether a phone call is legitimate through an official app.

Conclusion

Such incidents show how identity-based attacks are becoming more interactive, more targeted, and harder to detect. Phone calls, trusted platforms, and legitimate-looking workflows now play a central role in modern phishing operations, requiring defenders to assume that credentials and non-phishing-resistant MFA can be compromised.

A separate report from Microsoft describes a multi-stage Adversary-in-the-Middle (AitM) phishing and Business Email Compromise (BEC) campaign targeting energy sector organizations. In that case, attackers abused trusted services such as SharePoint and maintained persistence through inbox rules and stolen session cookies.

The common thread between the Microsoft findings and the Okta vishing campaign is the reliance on trusted identities and familiar platforms rather than overtly malicious infrastructure. In both scenarios, attackers leveraged legitimate tools and real-time interaction to evade detection and extend their access.