GV’s First French Bet Backs MokN’s Phish-Back Playbook

MokN, a French cybersecurity firm that turns stolen logins into early-warning alerts, has raised $15 million in Series A funding led by GV, the venture arm of Alphabet. The round marks GV’s first investment in a French startup. Datadog joined as a strategic backer, alongside existing investors Moonfire and OVNI Capital plus a group of angels.

The headline writes itself around Google’s money crossing the Channel. The more interesting wager sits underneath it: MokN is selling a category that barely exists yet, called Active Identity Recovery, at a moment when the breach data that built the case for it is quietly shifting shape.

GV and Datadog Bet on a Three-Minute Trap

Founded in 2024 by Gautier Bugeon, Antoine Coudoux, Alexis Georges and Adrien Casteleiro, MokN sells a deceptively simple idea. It plants fake corporate login portals on a company’s external perimeter and waits for attackers to try stolen passwords against them. The decoys validate those credentials in real time, then fire an alert the moment a working one is tested.

That product, called Baits, is built for speed. The company markets it on a three-minute setup through a SaaS (software-as-a-service) dashboard, with no changes to existing infrastructure. The pitch landed quickly. MokN now protects more than one million users across large enterprises and mid-sized organisations, and says it has processed over a billion login attempts.

The Series A follows a credential deception product that shipped to paying customers fast, and a 2.6 million euro seed round closed in October 2025. Seven months later the company has roughly six times that on its balance sheet, a pace that says more about investor appetite for identity defense than about any single quarter of revenue.

Why Stolen Logins Keep Slipping Past Defenses

Credentials remain the cheapest way through a locked door. For two consecutive years, stolen logins were the leading initial access route in Verizon’s annual breach investigations report, the most widely cited dataset in the industry, appearing in 32% of breaches in the 2025 edition.

The supply chain feeding that number has exploded. Infostealer malware, which quietly scrapes saved passwords and live session tokens off infected machines, has turned credential theft into an industrial process. And the tokens matter as much as the passwords, because a replayed session cookie sails straight past multi-factor authentication (MFA, the second-step verification most firms rely on).

There is a twist that complicates the bull case. Verizon’s 2026 report found vulnerability exploitation had overtaken credential abuse as the top breach vector, with unpatched flaws behind roughly 31% of breaches and credential abuse falling to 13%. The volume of stolen logins keeps rising; their share of headline breaches just dipped. MokN is selling into a problem that is enormous and slightly less fashionable than it was a year ago.

How Baits Flips the Attacker’s Own Move

Most identity tools watch for the damage after it happens. Baits tries to intercept the attacker mid-swing. The trick is to give a criminal exactly what they expect to find, a login page that looks like the real thing, and then learn from what they type.

MokN deploys two kinds of decoys. Off-the-shelf traps mimic the portals attackers probe most, and custom ones map to a specific organisation’s threat profile. The targets it imitates read like a list of every breach post-mortem from the past three years:

• SSL VPN (virtual private network) portals, the front door for remote network access
• Webmail logins, the prize after a successful phishing email
• Active Directory and other identity stores attackers hit with password-spraying campaigns
• Bespoke pages mirroring executive or VIP accounts that warrant extra cover

The payoff is signal quality. Because a credential only triggers an alert once it has been validated against a live system, the security operations center (SOC, the team that triages threats) gets a confirmed compromise rather than a noisy maybe. In MokN’s own case studies, CEO credentials surfaced inside a week of a password reset, and one campaign coughed up 40-plus working logins, none of which had yet appeared on any dark-web listing.

The Dark-Web Monitoring Moat MokN Wants To Crack

For a decade, the default answer to credential theft was to watch the dark web. Vendors scrape criminal forums and stealer-log marketplaces, then tell customers when their employees’ passwords show up for sale. It is a useful service, and a fundamentally reactive one, because by the time a credential is listed it has often already been used.

MokN’s argument is that the listing is the wrong place to wait. Its decoys catch credentials being tested before they are advertised, which the company says it has now done with hundreds of compromised logins that never appeared in public leak databases at all.

The founder frames the raise as a step toward a broader standard rather than a single better mousetrap.

The rapid adoption by major companies and the results achieved with our first solution have confirmed one thing: this approach must go further. Today, we are laying the groundwork for Active Identity Recovery by extending proactive recovery to all forms of identity, with the ambition of making it a new global standard for identity protection.

That was Gautier Bugeon, MokN’s chief executive and co-founder, describing where the funding points. The ambition is real. So is the gap between one shipping product and a global standard.

Why Datadog’s Check Carries Strategic Weight

GV’s name draws the press, but the strategic investor on the cap table may matter more day to day. Datadog sells observability and security monitoring to the same enterprise buyers MokN is chasing, and its platform already ingests the kind of validated alerts Baits produces.

For a young vendor, a check from a public security-tooling company is a distribution signal as much as a financial one. It hints at integration paths and credibility with the buyer who has to justify yet another line item in a crowded security budget. MokN’s raise lands amid a run of European deep-tech rounds, from Orbital Industries’ $50 million cooling-fluid raise to Giraffe360’s $10 million Series B, but a strategic backer with an existing customer base is a different kind of asset than a pure financial sponsor.

It also raises the obvious question of independence. Strategic money tends to come with gravitational pull toward the investor’s roadmap, and MokN will have to balance Datadog’s interests against staying a neutral layer that fits any stack.

What the $15 Million Has To Prove

The cash funds three things at once: a deeper research and engineering bench, expansion in France and the United States, and a fresh push into the United Kingdom through new offices. The harder mandate is product. MokN wants to build what it calls the first multi-product platform for active identity theft protection.

That means moving beyond the login portal. The company has flagged customer accounts, stolen browser cookies and hijacked sessions as the next vectors it intends to cover, exactly the attack surface that infostealers have made so profitable and that traditional tools handle poorly. If it ships, the deception model stops being one alarm and starts being a layer.

The risk is symmetric. Decoys work because attackers do not know which portal is real, and that advantage erodes the moment the technique becomes common enough to fingerprint and route around. A single clever product can be copied; a category has to be defended.

If the phish-back trap scales into the cookie and session products MokN is promising, GV’s first French wager becomes the seed of a real category. If attackers simply learn to skip the decoys, the company is back to selling one sharp alarm in a market already full of them.