Doko's Panel is a sophisticated real-time phishing platform used by multiple criminal groups including ShinyHunters and BlackFile. It consists of four distinct infrastructure clusters running customized variants of the phishing tooling. The attacks combine voice phishing (vishing) with adversary-in-the-middle (AITM) techniques to target enterprise identity providers (Okta, Microsoft, Google) and cryptocurrency exchanges. Victims receive calls impersonating IT helpdesk personnel and are directed to combosquatted domains where their credentials and multi-factor authentication tokens are manually relayed in real-time to the attackers. The platform has been linked to confirmed data breaches involving tens of millions of records from major companies such as SoundCloud, Match Group, Betterment, and Crunchbase. The operators use AI language models extensively to develop phishing infrastructure and exploit legitimate services to quickly deploy and rotate attack infrastructure, complicating detection and takedown efforts. Over 400 malicious domains have been identified in connection with these campaigns.

This threat enables attackers to bypass multi-factor authentication by manually relaying credentials and MFA tokens in real-time, facilitating unauthorized access to enterprise identity provider accounts and cryptocurrency exchange accounts. The confirmed breaches have resulted in the exposure of tens of millions of user records from high-profile companies, indicating significant data compromise and potential downstream impacts such as identity theft and financial fraud. The use of voice phishing combined with adversary-in-the-middle techniques increases the likelihood of successful credential theft and session hijacking. The rapid deployment and rotation of infrastructure using AI and legitimate services complicate defensive measures and increase the operational resilience of the threat actors.

No official patch or fix is applicable as this is a phishing campaign rather than a software vulnerability. Defenders should focus on user awareness training to recognize vishing attempts and suspicious domain names, especially combosquatted domains mimicking legitimate services. Organizations should implement strong anomaly detection on authentication attempts and consider additional verification methods beyond MFA tokens that can be relayed. Monitoring for the identified malicious domains and hashes can aid in detection and blocking. Since the threat actors rapidly rotate infrastructure, continuous threat intelligence updates and domain monitoring are recommended. There is no vendor advisory indicating that no action is required or that the threat is already mitigated; therefore, proactive defensive measures are advised.