
Cybercriminals impersonate OpenAI’s Sora 2 to steal user credentials

The release of Sora 2 has sparked a wave of impersonation scams, with attackers mimicking OpenAI services to steal credentials and commit crypto fraud.

What happened

The public excitement around OpenAI’s Sora 2 launch has been hijacked by cybercriminals, who are registering fake domains that appear to be official OpenAI pages. These cloned websites trick users into entering their credentials, API keys, and even crypto wallet details, which are then transmitted to attacker-controlled servers.

According to multiple threat intelligence reports, these campaigns are being used to conduct credential harvesting, crypto wallet theft, and unauthorized access to paid OpenAI API accounts. The operations have led to large-scale fraud across the AI and cryptocurrency communities.

Going deeper

The phishing campaigns rely on subtle domain alterations, such as letter substitutions or misleading subdomains, to appear authentic. The fraudulent Sora portals often promote “exclusive beta access” and replicate OpenAI’s genuine interface. Once users log in, JavaScript embedded in the page captures keystrokes, records cookies, and bypasses multifactor authentication.

Some users have been prompted to download fake “Sora 2 offline installers” that deploy well-known infostealers such as RedLine, LummaStealer, and Vidar. Technical analysis shows that many of these malicious websites are hosted on anonymized VPS servers across Eastern Europe and Southeast Asia. Researchers have linked the infrastructure to financially motivated cybercrime groups involved in earlier crypto scams.

What was said

OpenAI’s security team confirmed it is actively working with registrars to take down spoofed domains and neutralize phishing sites. The company has urged users to verify that all OpenAI-related URLs originate strictly from the official openai.com domain.

Security researchers advise both individuals and organizations integrating Sora 2 to apply DNS whitelisting, rotate exposed API keys, and monitor network logs for irregular login behavior.

The big picture

According to Paubox data, impersonation and spoofing have emerged as some of the most damaging and overlooked threats in healthcare cybersecurity. Attackers often forge email headers or mimic trusted senders such as executives, billing staff, or patients to trick employees into sharing sensitive data or authorizing fraudulent payments. These attacks thrive on poor email authentication, with 79% of breached healthcare domains in early 2025 showing weak or misconfigured DMARC protection. Among Microsoft 365 users, more than a third operated in “monitor-only” mode, effectively allowing spoofed messages to pass through unchallenged.

Paubox’s report also found that 81% of healthcare email breaches this year were linked to hacking or IT incidents involving credential theft or phishing. The rise of generative AI has further intensified the threat, enabling highly convincing emails, voice messages, and even video impersonations. Security experts stress that traditional awareness training is no longer enough. Strong inbound security measures and tools like Paubox ExecProtect are now needed to automatically block spoofing and AI-generated phishing attempts before they ever reach staff inboxes.

FAQs

Why is the Sora 2 launch being targeted by cybercriminals?

Attackers often exploit major tech launches to capitalize on user excitement and trust, using familiar branding to lure victims into phishing schemes.

What are the red flags of a fake OpenAI or Sora site?

Misspelled domains, requests for wallet connections or API keys, downloadable “installers,” and login prompts not hosted on the official openai.com domain are all warning signs.
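The article's advice (verify that URLs originate strictly from openai.com, and watch for letter substitutions or misleading subdomains) can be turned into a link-checking routine. The following Python is an added example written for this page, not code from OpenAI or Paubox. It classifies a URL as official, lookalike or unrelated by checking the hostname against the official domain, then folding common typosquat substitutions (the confusable table and the one-edit threshold are assumptions chosen for illustration, not a published list) and checking whether the brand name has been smuggled into a subdomain or the userinfo part of the URL. It goes slightly beyond the article's red flags by also handling punycode/homograph hostnames.

```python
import unicodedata
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "openai.com"          # the domain the article says all OpenAI URLs should use
BRAND = OFFICIAL_DOMAIN.split(".")[0]   # "openai"

# Character substitutions commonly used in typosquats; an assumed, illustrative list.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
_MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def _decode_idna(host):
    """Turn punycode labels (xn--...) back into Unicode so homographs can be folded."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode


def _normalize(label):
    """Fold a hostname label to plain ASCII and undo common look-alike substitutions."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    label = label.translate(_CONFUSABLES)
    for seq, repl in _MULTI_CHAR:
        label = label.replace(seq, repl)
    return label


def _edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats such as 'openal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    if "://" not in url:
        url = "https://" + url            # urlparse needs a scheme to locate the host
    parsed = urlparse(url)
    host = parsed.hostname                # lower-cased; userinfo and port already stripped
    if not host:
        return "invalid"
    host = _decode_idna(host.rstrip("."))
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Brand smuggled into the userinfo part: https://openai.com@attacker.example/
    if parsed.username and BRAND in parsed.username.lower():
        return "lookalike"
    normalized = [_normalize(label) for label in host.split(".")]
    # Brand used as a subdomain or fused into another label: openai.com.sora-beta.example
    if any(BRAND in label for label in normalized):
        return "lookalike"
    # One-character typos or homoglyph swaps in the registrable label
    registrable = normalized[-2] if len(normalized) >= 2 else normalized[0]
    if _edit_distance(registrable, BRAND) <= 1:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ["https://sora.openai.com/", "https://0penai.com/login",
                   "https://openai.com@login-sora.example/", "https://example.org/"]:
        print(sample, "->", classify_url(sample))
```

Only the "official" verdict should be treated as safe; "unrelated" means the checker found no resemblance to the brand, not that the site is trustworthy, so it is a triage aid for mail gateways or browser extensions rather than a replacement for the article's advice to use only openai.com.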

How can developers protect their API keys from being stolen?

They should restrict API usage to trusted IP ranges, rotate keys frequently, and enable activity alerts for unusual query spikes or transactions.
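Two of the three controls above (restricting usage to trusted IP ranges and alerting on unusual query spikes) can be checked from API usage logs. The following Python is an added example for this page, not an OpenAI feature or Paubox code: it parses constructed log lines in an assumed `time key=... src=... tokens=...` format (the key names, addresses and trusted ranges are placeholders), reports keys used from outside an allowlist, and flags keys whose request or token volume in a sliding window exceeds a threshold.

```python
import ipaddress
from collections import defaultdict

# Constructed log lines in an assumed format (not real OpenAI logs):
# "<unix_time> key=<key id> src=<client ip> tokens=<tokens consumed>"
LOG_LINES = """\
1000 key=sk-team-a src=203.0.113.5 tokens=120
1010 key=sk-team-a src=203.0.113.5 tokens=90
1020 key=sk-team-b src=198.51.100.20 tokens=300
1030 key=sk-team-a src=203.0.113.6 tokens=110
1035 key=sk-team-b src=192.0.2.77 tokens=4000
1036 key=sk-team-b src=192.0.2.77 tokens=4000
1037 key=sk-team-b src=192.0.2.77 tokens=4000
1038 key=sk-team-b src=192.0.2.77 tokens=4000
1039 key=sk-team-b src=192.0.2.77 tokens=4000
""".splitlines()

# Assumed allowlist of networks from which the keys are expected to be used
TRUSTED = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """Turn one log line into a dict with typed fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": int(ts), "key": fields["key"],
            "src": ipaddress.ip_address(fields["src"]), "tokens": int(fields["tokens"])}


def untrusted_sources(events, trusted=TRUSTED):
    """Map each key to the set of source addresses outside the allowlist."""
    out = defaultdict(set)
    for e in events:
        if not any(e["src"] in net for net in trusted):
            out[e["key"]].add(str(e["src"]))
    return dict(out)


def burst_keys(events, window=60, max_requests=4, max_tokens=10000):
    """Flag keys whose requests or tokens within any `window` seconds exceed the thresholds."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[e["key"]].append(e)
    flagged = set()
    for key, evs in by_key.items():
        start, tokens = 0, 0
        for end, e in enumerate(evs):
            tokens += e["tokens"]
            # Slide the window start forward until it covers only the last `window` seconds
            while evs[end]["ts"] - evs[start]["ts"] >= window:
                tokens -= evs[start]["tokens"]
                start += 1
            if end - start + 1 > max_requests or tokens > max_tokens:
                flagged.add(key)
                break
    return sorted(flagged)


def alerts(lines):
    """Run both checks over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    return {"untrusted": untrusted_sources(events), "burst": burst_keys(events)}


if __name__ == "__main__":
    print(alerts(LOG_LINES))
```

A key that appears in both findings, as the constructed `sk-team-b` does, is the case the article's last FAQ describes: revoke and regenerate it first, then investigate where the untrusted source address came from. The thresholds are assumptions and should be set from each key's normal baseline.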

What are the fast-flux techniques mentioned in the investigation?

Fast-flux is a method attackers use to rapidly change IP addresses tied to malicious domains, making takedowns and detection more difficult for authorities.
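Because fast-flux shows up as DNS answers that keep changing, it can be spotted in passive-DNS or resolver logs. The following Python is an added example for this page, not code from the article's researchers: it takes constructed resolution records (placeholder domains and documentation-range addresses, not indicators from the investigation) and flags a domain whose answers churn between lookups, span many distinct addresses across several /24 networks, and carry short TTLs. The thresholds are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style observations: (unix_time, domain, ttl_seconds, A records).
# Domains and addresses are illustrative placeholders, not indicators from the article.
OBSERVATIONS = [
    (0,   "sora2-beta.example",  60,   ["203.0.113.10", "198.51.100.7"]),
    (300, "sora2-beta.example",  60,   ["192.0.2.44", "203.0.113.200"]),
    (600, "sora2-beta.example",  60,   ["198.51.100.91", "192.0.2.9"]),
    (900, "sora2-beta.example",  60,   ["203.0.113.77", "198.51.100.130"]),
    (0,   "static-site.example", 3600, ["192.0.2.1"]),
    (300, "static-site.example", 3600, ["192.0.2.1"]),
    (600, "static-site.example", 3600, ["192.0.2.1"]),
]


def summarize(observations):
    """Per-domain stats: distinct IPs, distinct /24s, TTLs seen, and how often the answer set changed."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [],
                                 "lookups": 0, "changes": 0, "last": None})
    for _, domain, ttl, ips in sorted(observations, key=lambda o: (o[0], o[1])):
        s = stats[domain]
        s["lookups"] += 1
        s["ttls"].append(ttl)
        answer = frozenset(ips)
        if s["last"] is not None and answer != s["last"]:
            s["changes"] += 1          # the resolver got a different answer set this time
        s["last"] = answer
        for ip in ips:
            s["ips"].add(ip)
            s["nets"].add(str(ipaddress.ip_network(ip + "/24", strict=False)))
    return stats


def is_fast_flux(s, min_ips=5, min_nets=3, max_ttl=300):
    """Heuristic: many addresses over several networks, short TTLs, and answers changing between lookups."""
    avg_ttl = sum(s["ttls"]) / len(s["ttls"])
    return (len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets
            and avg_ttl <= max_ttl and s["changes"] >= s["lookups"] // 2)


def flagged_domains(observations, **thresholds):
    """Return the sorted list of domains whose resolution pattern matches the heuristic."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    print(flagged_domains(OBSERVATIONS))
```

Content delivery networks and large cloud services also answer with short TTLs and rotating addresses, so a hit from this heuristic is a reason to look closer (for example, whether the addresses belong to residential or unrelated hosting providers), not proof of malicious infrastructure.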

How should organizations respond if they suspect compromise?

Immediately revoke and regenerate API keys, check DNS logs for suspicious traffic, alert employees to phishing attempts, and report any fake domains to OpenAI’s official support channels.