
Cybercriminals Impersonate OpenAI and Sora to Harvest User Credentials

The launch of Sora 2 AI has triggered a surge in malicious activity, as cybercriminals deploy deceptive domains impersonating OpenAI’s official services to steal user credentials and conduct large-scale crypto fraud.

Multiple threat intelligence reports confirm that cloned Sora webpages are being used for credential harvesting, crypto wallet theft, and unauthorized access to paid API plans.

The impersonation campaigns are exploiting user excitement surrounding the new AI release to distribute malware and capture financial data.

Fake Sora Portals Deployed for Phishing

Attackers have registered dozens of lookalike domains that mimic legitimate OpenAI services, often substituting similar characters or using subdomains that closely resemble verified sources.

These fraudulent portals invite users to log in for “exclusive access” to Sora 2 beta and display near-identical replicas of OpenAI’s original interface. When victims input their credentials or API keys, the data is instantly transmitted to external servers controlled by threat actors.

Technical analysis reveals that embedded JavaScript frameworks record keystrokes and capture session cookies to bypass multifactor authentication.

In some instances, users are prompted to download files labeled as “Sora 2 offline installers,” which instead deliver infostealer malware such as RedLine, LummaStealer, and Vidar.

Network inspection of these phishing infrastructures shows that many are hosted on anonymized VPS networks located in Eastern Europe and Southeast Asia.

The infrastructure overlaps with earlier crypto scam operations, linking the campaigns to financially motivated cybercrime groups rather than state actors.

Researchers also discovered traces of tracking beacons designed to monitor click rates, suggesting a monetized phishing model that sells stolen credentials on darknet markets.

Stolen Accounts Used for Crypto Fraud

Compromised accounts are being exploited to perform high-volume API transactions and drain funds linked to crypto wallets.

Investigation logs indicate that stolen OpenAI credentials are traded in underground forums, where fraudsters use them to generate synthetic content or mine data at the victims’ expense.

In other cases, attackers send fake upgrade emails, urging users to “link wallets for advanced AI features,” ultimately diverting cryptocurrency to attacker-controlled addresses.

DNS telemetry confirms that many compromised domains redirect to secondary malicious servers through fast-flux techniques, making takedown efforts challenging for security providers.

OpenAI Response and Mitigation Steps

OpenAI’s security team has begun coordinated domain takedowns, working with registrars to eliminate spoofed websites and neutralize ongoing phishing activity. Users are advised to verify all OpenAI and Sora-related URLs, ensuring they originate from the official openai.com domain.

Organizations integrating Sora 2 into workflows should implement strict domain whitelisting, monitor DNS queries for suspicious lookups, and rotate API keys if compromise is suspected.
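One way to apply the DNS-monitoring advice above to the lookalike patterns described earlier (similar-character substitution and brand names placed in subdomains) is sketched below. This is an added example, not code from OpenAI or from the cited reports; the log format, the sample lines, the substitution map and the function names are constructed for illustration, and the registrable domain is approximated as the last two labels.

```python
import re

OFFICIAL = {"openai.com"}      # the official domain named in the article
BRANDS = ("openai", "sora")    # brand strings the fake portals imitate
# Constructed, non-exhaustive map of look-alike character substitutions.
FOLD = str.maketrans("01345", "oleas")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname):
    """Return 'official', 'suspect' or 'other' for one queried name."""
    name = qname.lower().rstrip(".")
    # Assumption: registrable domain = last two labels (no public-suffix list).
    if ".".join(name.split(".")[-2:]) in OFFICIAL:
        return "official"
    folded = name.translate(FOLD)
    if any(brand in folded for brand in BRANDS):
        return "suspect"   # brand, or a character-swapped copy, outside openai.com
    for token in re.split(r"[.\-_]", folded):
        # Typo check only for the longer brand; 4-letter 'sora' is too noisy.
        if edit_distance(token, "openai") == 1:
            return "suspect"
    return "other"


# Constructed DNS query log lines: "<time> <client> <qname>".
SAMPLE_LOG = """\
10:01:02 10.0.0.5 api.openai.com.
10:01:07 10.0.0.9 openai.com.sora2-login.example.
10:01:09 10.0.0.9 0penai-beta.example.
10:01:15 10.0.0.7 opnai.example.
10:01:20 10.0.0.5 www.example.org.
"""


def suspects(log_text):
    """Return (client, qname) pairs whose lookups deserve review."""
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    return [(c, q) for _, c, q in rows if classify(q) == "suspect"]
```

The substring match on the short brand string will also flag unrelated names that happen to contain it, so the output is a review queue for an analyst rather than a blocklist.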

Enhanced vigilance, coupled with proactive investigation of login anomalies, remains essential as impersonation campaigns targeting AI ecosystems continue to escalate across the cybersecurity landscape.

The post Cybercriminals Impersonate OpenAI and Sora to Harvest User Credentials appeared first on Cyber Security News.

rssfeeds-admin
