The Netherlands Police have arrested a a 21-year-old man from Dordrecht, suspected of selling access to the JokerOTP phishing automation tool that can intercept one-time passwords (OTP) for hijacking accounts.
The suspect is the third one arrested after authorities after a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025.
At the time, authorities arrested the developer of the platform, and in August, a co-developer who used the aliases 'spit' and 'defone123'.
In two years, the JokerOTP malicious service allegedly caused at least $10 million in financial losses in more than 28,000 attacks targeting users in 13 countries.
The seller, whose name has not been disclosed, used a Telegram account to advertise access to the phishing platform via license keys.
Cybercriminals subscribed to the service could configure the tool to automate calls to victims and capture temporary codes or other sensitive data (PIN codes, card data, social security numbers).
The JokerOTP bot could target users of PayPal, Venmo, Coinbase, Amazon, and Apple.
Commands for the JokerOTP bot
source: vxdb
OTPs are temporary codes serving as an additional security layer in account authentication. They can be sent via SMS or email, or generated by a specialized application, when users try to log into an account.
... continue reading