Bad Packets by Okta

Anyone reusing credentials on their Fortinet device? Asking for a friend on AS17511 (219.75.254[.]166) who keeps failing to get their password right.

Full analysis of the BreachForums network and user data, including top ASNs, VPN usage and blocklist recommendations, are all in our latest blog post. okta.com/blog/threat-in…

BreachForums never verified email addresses. A forum admin even told members to use disposable ones. 81% used Gmail anyway. Most of those burner addresses appear nowhere else. The remaining ~5,800 showed up in infostealer malware logs.

We analyzed over 300,000 rows of the January 2026 BreachForums database leak to find their users' anonymizers of choice. Join us in the cantina. 🧵

A browser extension promised security. In reality, it was a Trojan horse for your crypto. We tracked the extension, mapped the infrastructure and pulled the plug. Full breakdown of the takedown: bit.ly/40E9i9N

Watch @Okta’s exclusive interview with @HHieupc, a cybercrime investigator who explains the Vietnamese cybercrime-as-a-service ecosystem and how much of it operates in the open. Read our full research here: bit.ly/4r6NgHn

Fake accounts fuel global fraud. Our latest research uncovers a sprawling cybercrime-as-a-service ecosystem in Vietnam that sells fake and hacked accounts on a massive scale. Read our full research and raise your identity security posture: bit.ly/4b7Shtp

University students using "tutors" are being extorted for thousands, but the risk is bigger: When students turn over login credentials, malicious actors can pivot to sensitive university systems and perpetrate fraud. okta.com/blog/threat-in…

Your star hire might be a DPRK agent. 🇰🇵 @Okta reveals how state actors use stolen LinkedIn IDs, AI-generated faces, and forged git commits to bypass HR. Verify identities before they're on your payroll! #opentowork bit.ly/4quh8go

Google disrupted IPIDEA, a major residential proxy network. Our data confirms a sharp drop in their active IPs following the action. 📉 Protect your Okta org today: block IPIDEA and residential proxies with dynamic network zones bit.ly/3OiZVJz

Our promise to you: serving up the bad packets. That's why we wrote about how to use threat intel right in @Auth0 Actions. bit.ly/494lt4M

@heymingwei Thanks for the enrichment! AS200373 forever maintaining its place on the leaderboard.

Still tracking the bad packets, now powered by Okta log data! Top ASNs used in recent signup fraud attacks: • 212238 • 16276 • 44477 • 26548 • 200373 • 137409 • 214483 • 13213 • 397368

Revamped site, new IoCs. In addition to bad ASNs, we've got disposable email domains beloved by threat actors inside 👉 bit.ly/4b4GUUE

TTPs change, but you can keep up. Read our case study on how an @auth0 tenant used JA3 signatures to block 20mm+ fraudulent signup requests. bit.ly/4jTrAwv

Our latest research reveals DPRK threat actors are targeting more than just tech. 📊 6,500+ fake interviews 🏢 5,000+ companies 🌍 27% of targets outside the U.S. 🏦 Sectors hit: finance, healthcare, public admin & more Read the full report here: bit.ly/48aNNCw

@geeknik The RNG has chosen @geeknik as the winner of our BSides Las Vegas ticket! Please DM us with your contact information and we'll send it along to you.

Bad Packets is giving away a BSides Las Vegas ticket. Drop a comment below for a chance to win! Rules: One winner selected at random. No purchase necessary to enter. Government employees ineligible to participate. Void where prohibited. Winner will be announced on July 28th.