
Wave of ShinyHunters vishing attacks spreading fast | Computer Weekly

By Computer Weekly
January 27, 2026


A new and distinct wave of voice phishing (vishing) attacks attributed to the notorious ShinyHunters hacking collective is spreading fast, with defenders urged to be on their guard following breaches affecting at least three major organisations so far.

The campaign appears to involve custom vishing kits targeting Google, Microsoft and Okta environments – as Okta itself warned last week – and may have already ensnared business intelligence specialist Crunchbase, music streaming platform SoundCloud, and financial planning and investment firm Betterment.

Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, is among those following the campaign as it develops.

“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved vishing techniques to successfully compromise SSO credentials from victim organisations, and enrol threat actor controlled devices into victim MFA solutions,” he told Computer Weekly via email.

“This is an active and ongoing campaign. After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organisations with an extortion demand.

“While this is not the result of a security vulnerability in vendors’ products or infrastructure, we strongly recommend moving toward phishing-resistant MFA, such as FIDO2 security keys or passkeys where possible,” said Carmakal.

“These protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not. Administrators should also implement strict app authorisation policies and monitor logs for anomalous API activity or unauthorised device enrolments.”

Researchers at Sophos’ Counter Threat Unit (CTU) told our sister title Cybersecurity Dive that they had been tracking about 150 hacker-controlled domains used in the campaign, most of which seem to have been created in December 2025.

CTU threat intel director Rafe Pilling said he was unable to confirm if all of those domains had been used, but noted that the attackers appeared to be using them to create target-specific phishing websites, often impersonating authentication providers, including Okta.

Victims speak out

Crunchbase has already confirmed that hackers stole and leaked a 402MB compressed archive after failing to extort the company, but said that day-to-day operations were not affected and that it has otherwise fully contained the breach. It is working with the US authorities on its investigation, and is reviewing the leaked data to determine if it needs to legally notify any users.

Separately, SoundCloud and Betterment have also disclosed data breaches. SoundCloud, which was breached in December 2025, said the intrusion took the form of unauthorised activity in an ancillary service dashboard – although its notification makes no mention of social engineering or vishing as its source. It said that the compromised data took the form of email addresses and publicly available information posted on about 20% of SoundCloud user profiles.

Betterment, meanwhile, said it detected a breach on 9 January when “an unauthorised individual gained access to certain Betterment systems through social engineering” against its marketing and operations teams. The attackers used their access to send a fraudulent cryptocurrency-related message to some customers, all of whom have been notified.

Adaptive vishing

In Okta’s advisory, the supplier warned that threat actors are rapidly iterating custom vishing kits in order to meet the specific needs of their social engineering staff.

Such kits – which likely evolved from the same lineage – are ‘sold’ on an as-a-service basis and are designed not only to intercept an unwitting victim’s credentials, but also to provide their users with the supporting, on-the-fly context they need to get their targets to approve multifactor authentication (MFA) challenges or take other actions as needed.

For example, said Okta, they could be adapted to control what pages are presented in the user’s web browser to sync to the caller’s script.

“Once you get into the driver’s seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering,” said Moussa Diallo, threat researcher at Okta Threat Intelligence.

“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronisation with the instructions they are providing on the call.

“The threat actor can use this synchronisation to defeat any form of MFA that is not phishing-resistant,” said Diallo.
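
The advice quoted above to monitor logs for unauthorised device enrolments can be expressed as a simple detection rule. The following is an added example, not part of the original article or of any vendor's tooling; the event schema, field names and sample events are constructed assumptions. It flags an MFA enrolment made from an IP address that first appeared for that user only minutes earlier, while ignoring first-time users who have no prior baseline.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not any vendor's log format).
EVENTS = [
    {"ts": "2026-01-20T09:00:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10", "device": "laptop-a1"},
    {"ts": "2026-01-21T09:02:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10", "device": "laptop-a1"},
    {"ts": "2026-01-22T14:30:00", "user": "alice", "type": "sso_login", "ip": "203.0.113.77", "device": "unknown-x9"},
    {"ts": "2026-01-22T14:33:00", "user": "alice", "type": "mfa_enrol", "ip": "203.0.113.77", "device": "unknown-x9"},
    {"ts": "2026-01-22T15:00:00", "user": "bob", "type": "sso_login", "ip": "198.51.100.20", "device": "laptop-b1"},
    {"ts": "2026-01-23T10:05:00", "user": "bob", "type": "mfa_enrol", "ip": "198.51.100.20", "device": "phone-b2"},
    {"ts": "2026-01-23T11:00:00", "user": "carol", "type": "sso_login", "ip": "198.51.100.30", "device": "laptop-c1"},
    {"ts": "2026-01-23T11:02:00", "user": "carol", "type": "mfa_enrol", "ip": "198.51.100.30", "device": "phone-c2"},
]

WINDOW = timedelta(minutes=15)  # assumed threshold; tune to your environment


def suspicious_enrolments(events, window=WINDOW):
    """Return MFA enrolments made from an IP first seen for that user within `window`."""
    first_seen = {}  # (user, ip) -> datetime of first sighting
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        first_seen.setdefault(key, ts)
        if ev["type"] != "mfa_enrol":
            continue
        # Require an older baseline IP so genuine onboarding is not flagged.
        has_baseline = any(
            user == ev["user"] and ip != ev["ip"] and seen < first_seen[key]
            for (user, ip), seen in first_seen.items()
        )
        if has_baseline and ts - first_seen[key] <= window:
            alerts.append((ev["user"], ev["device"], ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_enrolments(EVENTS):
        print("ALERT: MFA enrolment from newly seen IP:", alert)
```
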
