It seems a bit strange to assume that the phishers changed their methods enough to avoid detection at the exact same rate that Googlers moved over to using security keys instead of OTP codes.
I mean, sure, that _could_ be what happened, but I bet it's not.
I mean, sure, that _could_ be what happened, but I bet it's not.