(1.)Founded in 2009 by Todd McKinnon and Frederic Kerrest, both of (intelligence agencies adjacent) Salesforce, and briefly known as SaaSure, Okta is a cloud-based identity and access management (IAM) platform that acts as a central hub for authentication and authorization, both On-prem and remote access

👉That access spans local, state, and federal government, the entire identity- perimeter control stack... from election vendors (Dominion, ES&S, KNOWiNK, Konnech, etc.)...
...to pollpads, CradlePoint routers, Voter Registration Election Management Systems, the entirety of elections

Seeded to the tune of $229M by the likes of:

👉Andreessen Horowitz(a16z)
👉Sequoia Capital
👉Greylock Partners
...and a $40M line of credit from Silicon Valley Bank

Then... the network ties

👉WEF partner
👉“Okta For Good” aligned with Soros-linked Tides Foundation & Open Society Foundations
(The same Tides Foundation that shared office space with Dominion in Toronto)
👉Partnered with USAID & UN’s ID2020 digital identity initiative

These aren’t random partnerships

They’re the same network shaping global identity control

Okta isn't just a sign-on integration link

It’s a centralized federated identity choke-point

Once it’s wired into a system, it becomes part of a more broadly shared authentication web where a single compromise can cascade across every linked platform, agency, and vendor

In effect, integration = assimilation into a shared access spine, where one breach can fan out laterally through the entire connected ecosystem

One credential vault = one control plane = countless systems now tethered together

With deep integrations into the perimeter control cartel:

👉CrowdStrike
👉Akamai
👉Palo Alto Networks
👉Solar Winds
👉Cloudflare
👉Barracuda Networks

...and sitting on top as the leader in the identity access infrastructure marketplace, almost all other IAM/SSO systems are compatible and integrate them into their ecosystem

Tie all of them together through Okta access tentacles, and you’ve built the master choke-point for the modern internet

The literal *Oktapus*

Note a few of the operators with pipelines to:

○ Foreign intelligence

○ U.S. election system access

○ CCP-linked institutions

👉 Mark Rogers -
Veteran hacker and former Head of Security for Cloudflare, organizer of DEFCON, Cofounder of the CTI League, along with IDF Unit 8200 Command Ohad Zaidenberg, in 2020

👉 Robert Dixon -
Okta board member of Georgia Tech affiliation - Georgia Tech, who partnered up with Smartmatic and has had access to live election environments, DHS adjacent cyber initiatives ((see June 2019 detail )

👉 Tsinghua University -
Alumni from Xi Jinping's alma mater within engineering and development lines with ties to CCP and Huawei

Coincidence?
No, it's convergence...
...of big tech, foreign intelligence, and election infrastructure
Meeting at the identity choke-point

In the lead-up to the 2020 election, Okta added an integration link to

And speaking of "operators"...

...this Chief Executive seems like EXACTLY the right one to have at the helm of a network that gatekeeps the identity access layer for electionsvote.gov

Okta's tech conference, "Oktane18," in Las Vegas, featured a guest spotlight appearance from none other than CIA Barry, himself

Why would Obama have done a keynote speaking arrangement with the CEO of Okta in 2018?🤔

Oh, because they had a working relationship through his Foundation, for one

...and he made time afterward to visit who?

Andreessen Horowitz

Speaking of CIA

👉 USAID/Soros linked Okta implementation in July 2020 just 4 months before the election -
Approved by Haspel

👉 April 2021, just 5 months after the election, "Moved to Schoox, adjusted dates, deleted sharepoint file" - Burns approval

🚨Okta + ActBlue🚨

The identity layer that could enable mortgage laundering

ActBlue is an Okta tenant

...meaning every admin, contractor, API connection, and federated partner passes through Okta’s authentication layer

When Okta sits at the hub, the spokes can connect anywhere ActBlue links its identity to:

👉Banking portals

👉Loan servicing platforms

👉Real estate or property management software

👉CRM & donor systems with embedded credit/property data

With high-privilege Okta access (compromised or insider):

👉Mortgage origination or servicing accounts could be accessed without hacking those systems directly

👉API connections could be abused to pull property data, seed false records, or push transactions disguised as legitimate disbursements

👉Cross-tenant pivots can link ActBlue to partner PACs or shell nonprofits with mortgage system access
Okta’s trust link does the bridgework

👉Okta super-admins can alter or delete login records, masking the origin of fraudulent transactions.

If mortgage fraud was used as a laundering vector for political funds, Okta’s role wouldn’t be peripheral, it would be the authentication gateway, making it all invisible in the downstream logs

March 2021
Verkada Hack

👉Vector : Okta-linked credentials exploited

👉Impact : Attackers gained root shell control over 150,000+ live security cameras inside police departments, hospitals, schools, and Tesla factories

👉Capability : Okta’s SSO position can bridge into physical security systems and IoT devices

👉Cross-Tenant Risk : If Verkada’s Okta environment was linked to other agencies, attackers could have moved laterally without starting over

Insider implications would greatly expand this capability

March 2022
Lapsus$ Okta Breach

👉Vector : Compromise of a third-party support engineer’s laptop with access to Okta’s internal tools

👉Impact : Screenshots leaked of Okta’s Super Admin dashboard - showing password resets, MFA overrides, and session kills for customers

👉Capability : Administrative god mode across all linked tenants

👉Cross-Tenant Risk : Breach one customer; pivot into others - including government agencies or election vendors

👉Insider Implication: A Super Admin could reset credentials across election vendors and agencies without any “hack” at all

Oct/Nov 2023
Cloudflare Breach

👉Vector: "Nation-state actors" used credentials stolen in an earlier Okta compromise

👉Impact: Pivot into Cloudflare’s internal Confluence and Jira servers; exfiltration of code repositories for identity management, remote access, and Kubernetes configs

👉Capability: One Okta credential can unlock a security vendor’s internal code, enabling backdoor deployment

👉Cross-Tenant Risk: Cloudflare sits in front of thousands of systems - compromise here could cascade to all of them

👉Insider Implication: A malicious insider could plant code to silently intercept or manipulate election traffic in transit

Aug 2023
AU10TIX Breach

👉Vector: Redline Infostealer malware on an Israeli employee’s device exposed Okta credentials

👉Impact: Access to a global identity verification platform used by banks, crypto exchanges, and X (Twitter)

👉Capability: Okta as a backdoor into other identity brokers

👉Cross-Tenant Risk: Linking AU10TIX’s Okta to others enables silent identity laundering at scale

👉Insider Implication: An insider could verify fraudulent or synthetic voter identities across multiple platforms undetected

2024
CrowdStrike/Okta Impersonation Campaign

👉Vector: Fake domains (crowdstrike-okta.com, okta-poc.com) tricked admins into entering credentials

👉Impact: Potential for mass credential harvesting from high-privilege accounts

👉Capability: Okta brand trust weaponized for phishing high-value targets

👉Cross-Tenant Risk: Stolen admin credentials here could be replayed across any linked Okta tenant

👉Insider Implication: A rogue insider could run an internal “phish” to harvest credentials from other agencies or vendors without ever touching the open internet

These incidents prove three things:

□ Okta is a single point of failure for every system it touches

□ Cross-tenant pivoting is real
...compromise one tenant, and you can pivot to others

□ If outsiders can do this with stolen creds, insiders could do more
...with full control, minimal traces, and plausible deniability

When Okta sits on top of Dominion, ES&S, KnowInk, USPS, DMV voter registration systems, cloud vendors, routers, and pollpads…
…a single credential isn’t just a key, it’s a master key

And in the wrong hands, that master key can unlock the entire identity layer of American elections

Every breach you just saw showed how Okta access can:

👉Pivot across tenants

👉Override MFA

👉Reset credentials

👉Inject code into upstream vendors

👉Control physical and digital systems alike

If outsiders can do that with stolen creds…
…imagine what a malicious insider could do, only better

Now here’s the part that matters most:

Okta isn’t hovering on the sidelines
It’s already wired into the core election stack:

👉Dominion Voting Systems –
Okta tenant confirmed; LDAP and Confluence integration; tied into Election Management System (EMS) components for ballot generation and voter record management

👉ES&S – oktapreview.essvote.com domain; AWS-hosted; Cloudflare routes; preview environment confirms active Okta-based SSO integration

👉KnowInk – Integrated with Dominion for real-time pollpad/e-pollbook to EMS connectivity

👉Voter registration portals
(Example👇)
WisVote – Uses MyWisconsinID (Okta-backed) for voter registration access

👉USPS & DMV – Okta identity layer links to voter registration and mail ballot tracking portals

👉Vote.gov – Okta-linked federal voter registration hub

👉Cradlepoint Routers – Okta identity access tied to election telecom hardware, including AT&T 5G/Open RAN networks via Ericsson

Not hypothetical
The same systems that could be breached or pivoted through Okta already sit at the heart of U.S. elections, from voter registration to ballot tabulation

And just like in the breach cases, one compromise here doesn’t just touch one vendor
It can cascade across the entire connected election ecosystem

*Taps the sign*

Thanks to @SheriffLeaf's efforts, we know Dominion’s Serbian activity pertaining to Okta logs had questionable anomalies

Email exchanges between Jeremy Holck and Nevena Djuric highlight one such instance

Ah... but Nevena would understand EXACTLY what was going on

Prior to her employment with Dominion she worked at:

👉Roaming Networks, a systems integrator and digital general contractor specializing in telecommunications and related services offering design, build, integration, and maintenance services for telecommunications infrastructure, WHO HELD
DOMINION’S Belgrade Data Center
and is a 👇
A HUAWEI PARTNER AFFILIATE
(Roaming has changed it's name since to Dot Networks but the signage on their Belgrade headquarters is still Roaming per, Google earth)

She also spent the 5 years between Roaming Networks and Dominion, leading up to the 2020 election, as QA for Elkins Swyers who is an elections vendor for Dominion
@joeoltmannX

👉Aleksandar Lazarevic

Dominion employment and also shows up in Sheriff Leaf's email discoveries

👉Github code👇 "removablemediamanager" for remote access and contains Dominion password "dvscorp08!"

Uploaded as a full commit suggesting it was prebuilt prior to upload

The commented lines (AUTH SSL, getSslStream(), setUseStream(true)) show it’s intended to support explicit/implicit TLS and raw command injection (e.g., SITE commands)

In this commit, the file path is just a placeholder (@"Filepath")
But if wired up to code that monitors a directory, removable drive, or system folders, it could automatically push selected files without user action

This is not a complete remote access trojan (RAT) but as a payload inside a larger tool, it could form the file-transfer / data exfiltration part of a RAT or insider tool

Links to Github repo:
github.com/aleksandarlaza…

github.com/aleksandarlaza…

@joeoltmannX
@PeterBernegger

Totally agree on CrowdStrike

Once this whole thing gets aired out, people will be shocked at exactly how multifaceted and entrenched the subversion all really is, some more than others

(Also, smaller precincts and more of them, election DAY, no mail-ins without special request, cleaned voter rolls, HAND COUNTED AND AUDITED SIMULTANEOUSLY 👊)

So, interesting you should mention Azure

Just hours before the CrowdStrike/Microsoft outtage occurred, Azure services went down for most of the Central U.S., kind of got lost in the aftermath

👉Milan Gospic
"Azure is made in Serbia"

Lead - Serbia Microsoft/Azure development center/ former Country Manager - Erricson @Vltra_MK

x.com/PatriotMarkCoo…

I first came across the Microsoft Azure Center Belgrade detail when I was trying to make sense of something...

... but once I saw this👇

This made way more sense, suddenly
👇👇👇

👆👆👆👆👆👆👆👆👆👆👆
It's a multi-purpose VBS stager/dropper with injection capabilities

👉Stager – sets up execution for follow-on payloads

👉Dropper – writes an executable to disk

👉Injector – performs code injection into legitimate processes

👉Beacon/loader – establishes comms (HTTP/ICMP) and can fetch further code

👉Stealth - creates a hidden window (MITRE T1143) that hides processes, activities, and tools that would otherwise alert to the presence of malicious operations

This, when paired with the FTPS GitHub exfiltration code, represents a classic multi-stage intrusion chain

BOTH ARTIFACTS CONNECTED TO DOMINION INFRASTRUCTURE

Capable of delivering a logic bomb with time-based/conditions-based triggers

The Ammo and the Clip

And Okta (who Dominion was using for identity and access roles) is the barrel through which it was fired

They gave these foreign operators access