Incident Response

0ktapus: The Phishing Campaign That Hit Cloudflare, Twilio, and 130+ Organizations

A single phishing campaign compromised over 130 companies including Cloudflare and Twilio. Here's how the 0ktapus attack chain worked.

Shadab Khan
Threat Intelligence
6 min read

In August 2022, a sprawling phishing campaign dubbed "0ktapus" by Group-IB researchers came to public attention after hitting some of the most security-conscious companies in tech, including Cloudflare, Twilio, and over 130 other organizations. The campaign was notable not for its technical sophistication but for its scale, its speed, and the way access gained at one victim was turned against that victim's customers.

The Attack Chain

The 0ktapus campaign followed a deceptively simple playbook:

  1. SMS phishing (smishing). Employees received text messages claiming their Okta credentials had expired or needed verification. The messages included links to convincing fake Okta login pages.

  2. Credential harvesting. The phishing pages, hosted on domains mimicking the victim organization's Okta instance, captured usernames, passwords, and — critically — one-time passwords (OTP) from TOTP-based multi-factor authentication.

  3. Real-time relay. The attackers used the captured credentials and OTPs immediately, before the time-based codes expired. A TOTP code is valid for its 30-second step (plus whatever clock skew the server tolerates), so forwarding it to the real login page within seconds is enough. This meant that organizations relying on OTP-based MFA were still vulnerable.

  4. Supply chain pivoting. Once inside one organization, the attackers accessed customer data and used it to launch targeted attacks against that organization's customers and partners, creating a cascading chain of compromises.

The Twilio Compromise

Twilio, the cloud communications platform used by thousands of companies, disclosed on August 7 that attackers had accessed customer data after compromising employee accounts. The impact was significant: Twilio initially confirmed that 125 customer accounts were affected, a figure it later revised upward as the investigation continued.

The downstream effects were immediate. Signal, the encrypted messaging app, reported that approximately 1,900 user accounts were potentially affected because Signal uses Twilio for phone number verification. With access to Twilio's systems, the attackers could have intercepted the SMS verification codes Signal sends through Twilio and re-registered those phone numbers to devices they controlled.

This is supply chain compromise in its purest form — the attackers didn't need to compromise Signal directly. By hitting Twilio, they gained leverage over Signal's authentication infrastructure.

Cloudflare's Response

Cloudflare's handling of the attack became a case study in effective incident response. Like Twilio, Cloudflare employees received the phishing SMS messages. Some employees did enter their credentials into the phishing page.

However, Cloudflare's use of FIDO2-compliant hardware security keys (YubiKeys) for MFA prevented the attackers from completing the login. Unlike a TOTP code, which is a short string that works wherever it is typed, a FIDO2/WebAuthn assertion is a signature over a challenge that includes the origin the browser is actually talking to, and the browser will only use a credential for the relying-party ID it was registered under. A look-alike domain cannot satisfy either check, so there is nothing for a phishing page to capture and replay, regardless of how convincing the fake page looks.
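To make concrete the difference between steps 2 and 3 of the attack chain and the paragraph above, here is an added example (not Cloudflare's, Okta's or the 0ktapus kit's code). Both services are toy models: the TOTP side follows RFC 6238 with a constructed seed, and the WebAuthn side keeps only the parts that give phishing resistance (the browser writes the page origin into clientDataJSON, authenticatorData carries sha256 of the RP ID, and the browser refuses an RP ID that does not match the page's host). The authenticator's ECDSA signature is stood in for by an HMAC with a secret only the "authenticator" holds, and the tenant example-corp.okta.com is hypothetical.

```python
"""Relayed TOTP code vs relayed WebAuthn assertion (added example, not the article's code).

TOTP side: RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) with a constructed seed.
WebAuthn side: toy model of the origin binding that makes FIDO2 phishing-resistant.
The ECDSA signature is replaced by an HMAC with a secret only the 'authenticator' holds.
Tenant name example-corp.okta.com is hypothetical.
"""
import base64
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238) -------------------------------------------------------
TOTP_SEED = b"constructed-seed-for-demo-only"  # shared secret, constructed
STEP = 30

def totp(seed: bytes, at: float, digits: int = 6) -> str:
    counter = int(at // STEP)
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_server_accepts(code: str, at: float, skew_steps: int = 1) -> bool:
    # Current step plus/minus one; nothing ties the code to the site it was typed into.
    return any(hmac.compare_digest(totp(TOTP_SEED, at + k * STEP), code)
               for k in range(-skew_steps, skew_steps + 1))

def totp_phish_relay(victim_types_at: float, attacker_submits_at: float) -> bool:
    # Victim types the code on the fake page; the operator submits it to the real service.
    captured = totp(TOTP_SEED, victim_types_at)  # harvested by the phishing page
    return totp_server_accepts(captured, attacker_submits_at)

# ---- WebAuthn (origin-bound) -----------------------------------------------
AUTHENTICATOR_KEY = b"constructed-private-key-stand-in"  # never leaves the key
RP_ID = "example-corp.okta.com"                           # hypothetical tenant
LEGIT_ORIGIN = "https://" + RP_ID

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0]

def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Models navigator.credentials.get(): the browser, not the page, writes the origin
    into clientDataJSON and rejects an RP ID that is not the page's host or a parent of it."""
    host = _host(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"RP ID {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64(challenge),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    # A real key holds no credential for a foreign RP ID; the toy signs anyway so the
    # relying-party checks below can be shown rejecting the result on their own.
    signature = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}

def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != _b64(expected_challenge):
        return False
    if cd.get("origin") != LEGIT_ORIGIN:  # the check a look-alike domain cannot pass
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def legit_login() -> bool:
    challenge = b"challenge-issued-by-the-real-rp"
    return rp_verify(browser_get_assertion(LEGIT_ORIGIN, RP_ID, challenge), challenge)

def webauthn_phish_relay(phish_origin: str) -> str:
    """Victim 'logs in' with a security key on the look-alike domain and the operator
    forwards whatever comes out to the real RP. Returns which check stopped the attack."""
    challenge = b"challenge-issued-by-the-real-rp"
    try:  # 1. the fake page asks for the real tenant's RP ID: the browser refuses
        browser_get_assertion(phish_origin, RP_ID, challenge)
        return "browser allowed a foreign RP ID (should not happen)"
    except ValueError:
        pass
    # 2. the fake page uses its own host as RP ID: the assertion names the phishing
    #    origin and the wrong rpIdHash, so the real RP rejects it
    relayed = browser_get_assertion(phish_origin, _host(phish_origin), challenge)
    if rp_verify(relayed, challenge):
        return "rp accepted a relayed assertion (should not happen)"
    return "rp rejected relayed assertion"

if __name__ == "__main__":
    print(totp_phish_relay(1_000_000.0, 1_000_005.0), totp_phish_relay(1_000_000.0, 1_000_100.0),
          legit_login(), webauthn_phish_relay("https://example-corp-okta.com"))
```

Running it shows the relayed TOTP code accepted when submitted five seconds after the victim typed it and rejected after 100 seconds, while the WebAuthn relay fails at the browser (foreign RP ID) and again at the relying party (origin and rpIdHash mismatch). The only knob an attacker controls is the phishing domain, and that is exactly the value the browser and the RP both check.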

Cloudflare published a detailed blog post within days, providing a transparent account of the attack and their response. Key elements of their defense:

  • Hardware security keys. FIDO2/WebAuthn-based authentication was the single most important control that prevented compromise.
  • Cloudflare Access. Their zero-trust access system provided an additional authentication layer.
  • Rapid response. Their security team identified and contained the attack within minutes of the first reports.
  • Proactive threat hunting. After learning of the Twilio breach, Cloudflare proactively investigated whether they were targeted by the same campaign.

The Scale of 0ktapus

Group-IB's research revealed the true scope of the campaign:

  • Over 130 organizations were targeted
  • Nearly 10,000 credentials were compromised
  • The campaign had been running since at least March 2022
  • Targets spanned multiple industries including technology, telecom, cryptocurrency, and financial services
  • The attackers used a phishing kit that made it easy to spin up new phishing pages for each target organization

The campaign infrastructure used domains registered through Namecheap and DigitalOcean, with phishing pages deployed using a custom kit that could be quickly reconfigured for different target organizations' Okta instances.

Supply Chain Implications

The 0ktapus campaign illustrates several critical supply chain risk patterns:

Identity providers are supply chain chokepoints. Okta, as a single sign-on provider, represents a high-value target. Compromising Okta access means compromising access to every application behind it. The earlier Lapsus$ attack on Okta itself (in January 2022, disclosed that March) demonstrated this same risk from the provider side.

Communication platforms amplify blast radius. Twilio's compromise didn't just affect Twilio — it affected every customer that relied on Twilio for security-sensitive functions like SMS verification. This is the supply chain multiplier effect in action.

MFA is not created equal. The campaign proved that SMS-based and TOTP-based MFA can be defeated by relaying the code in real time, whether through an automated adversary-in-the-middle proxy or, as in 0ktapus, by forwarding each captured code to an operator who uses it before it expires. Only phishing-resistant MFA methods like FIDO2/WebAuthn, whose assertions are bound to the legitimate origin, provide reliable protection against these attacks.

Human factors dominate. The entire 0ktapus campaign relied on employees clicking links in text messages. No zero-day exploits, no sophisticated malware — just convincing phishing messages sent at scale.

Lessons for Security Teams

The 0ktapus campaign offers several actionable takeaways:

Deploy Phishing-Resistant MFA

FIDO2 hardware security keys or platform authenticators (like Touch ID or Windows Hello) are the most effective defense against credential phishing. They only deliver that protection if the identity provider's policy also removes weaker factors as fallbacks: if TOTP or SMS remains an allowed alternative, a phishing page can simply prompt for that instead. The cost of deploying hardware keys to all employees is trivial compared to the cost of a breach.

Audit Your Authentication Supply Chain

Map every service that handles authentication for your organization. This includes identity providers (Okta, Azure AD), communication platforms used for MFA (Twilio, SMS gateways), and any service that can reset or bypass authentication.

Monitor for Phishing Infrastructure

Use certificate transparency logs, domain monitoring, and threat intelligence feeds to detect when phishing domains targeting your organization are registered.
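As an added example of the domain-monitoring step (not Cloudflare's, Group-IB's or Safeguard.sh's code), the script below classifies hostnames as they would arrive from a certificate transparency feed and flags the ones that combine an organization keyword with an identity-provider keyword in the registrable domain, the naming pattern 0ktapus used. The CT entries, the organization name "examplecorp" and the owned-domain allowlist are all constructed for the example.

```python
"""Flag CT-logged hostnames that look like an organisation's IdP login page.
Added example, not the article's code. Org names, allowlist and CT entries are constructed."""
from dataclasses import dataclass
from typing import Optional, List

ORG_KEYWORDS = ("examplecorp",)                      # hypothetical organisation
IDP_KEYWORDS = ("okta", "sso", "login", "signin", "mfa", "vpn", "helpdesk", "auth")
OWNED_REGISTRABLE = {"example.com", "okta.com"}      # domains the org or its IdP controls

# Tiny stand-in for the Public Suffix List so 'x.co.uk' is one registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(hostname: str) -> str:
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

@dataclass
class Finding:
    hostname: str
    registrable: str
    org_hit: str
    idp_hit: Optional[str]
    severity: str

def classify(ct_name: str) -> Optional[Finding]:
    """Return a Finding for a lookalike IdP domain, or None for anything benign."""
    name = ct_name.lower().lstrip("*.")          # wildcard precerts are logged as *.domain
    reg = registrable_domain(name)
    if reg in OWNED_REGISTRABLE:
        return None                               # example-corp.okta.com is the real tenant
    flat = reg.replace("-", "").replace("_", "")  # 'example-corp-okta' -> 'examplecorpokta'
    org_hit = next((k for k in ORG_KEYWORDS if k in flat), None)
    if org_hit is None:
        return None                               # someone else's lookalike, not ours
    idp_hit = next((k for k in IDP_KEYWORDS if k in name.replace("-", "")), None)
    severity = "high" if idp_hit else "medium"    # org name alone still merits a look
    return Finding(ct_name, reg, org_hit, idp_hit, severity)

SAMPLE_CT_ENTRIES = [                # constructed, not real CT log data
    "example-corp.okta.com",         # the real tenant -> ignored
    "example-corp-okta.com",         # 0ktapus-style lookalike -> high
    "*.examplecorp-sso.net",         # wildcard precert -> high
    "login.examplecorp-helpdesk.com",
    "mail.example.com",              # owned -> ignored
    "examplecorp.co.uk",             # org name, no IdP keyword -> medium
    "unrelated-okta-tenant.com",     # not our organisation -> ignored
]

def scan(entries: List[str]) -> List[Finding]:
    return [f for f in (classify(e) for e in entries) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CT_ENTRIES):
        print(f"{finding.severity:6} {finding.hostname:32} ({finding.registrable})")
```

In production the registrable-domain logic should come from the real Public Suffix List (for example via tldextract) and the entries from a live CT monitor, and the keyword match is deliberately loose: a medium-severity hit on a bare organization name is cheap to triage and catches domains registered before the attacker adds the login page.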

Prepare for Cascading Compromises

Your incident response plan should account for scenarios where a supplier's compromise leads to your compromise. This includes having alternative communication channels, backup authentication methods, and clear escalation procedures.

Implement Zero Trust

Cloudflare's layered approach — hardware MFA plus zero-trust access controls — meant that even employees who fell for the phishing attempt couldn't be fully compromised. Defense in depth isn't just a buzzword; it's what saved Cloudflare from a breach.

The Bigger Picture

The 0ktapus campaign is a reminder that supply chain attacks don't always involve compromised code or malicious packages. Sometimes the supply chain being exploited is the human and organizational one — the web of trust relationships, shared infrastructure, and communication channels that connect organizations.

Defending against these attacks requires thinking about security as a property of the entire system, not just individual components. Your organization's security posture is only as strong as the weakest link in your authentication chain, your communication infrastructure, and your employees' ability to recognize social engineering.

How Safeguard.sh Helps

Safeguard.sh takes a holistic approach to supply chain security that extends beyond code dependencies. Our platform helps organizations map their supply chain relationships, including infrastructure and service dependencies. By providing continuous monitoring of your software supply chain and integrating with your security tooling, Safeguard.sh enables rapid assessment of blast radius when a supplier is compromised — helping you answer the critical question: "Are we affected?" within minutes rather than days.
