However, unskilled or not, the assault is huge, with Group-IB identifying 169 distinct domains targeted by the operation. The 0ktapus campaign is thought to have begun around March 2022, with around 9,931 login credentials taken so far. The attackers have cast a broad net, focusing on a variety of businesses such as banking, gambling, and telecommunications. Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games are among the domains mentioned by Group-IB as targets (but not verified breaches).
According to Group-IB, we won’t know the entire scope of this assault for some time. To prevent against such attacks, Group-IB recommends the typical precautions: always verify the URL of any site where you’re inputting login information; take URLs obtained from unknown sources with caution; and, for further security, use a “unphishable” two-factor security key, such as a YubiKey.