Authorities in the Netherlands have arrested a 21-year-old man from Dordrecht suspected of selling license keys for JokerOTP, a sophisticated phishing automation tool used to bypass multi-factor authentication. This arrest follows the 2025 dismantling of the platform, which facilitated over 28,000 attacks and resulted in at least $10 million in global financial losses.
The recent apprehension of the suspect marks the third major arrest linked to the JokerOTP phishing-as-a-service operation after a multi-year investigation. Previously, police detained the platform's primary developer and a co-developer known by the aliases spit and defone123. The latest suspect is accused of acting as a distributor, using a Telegram account to market the malicious service to other cybercriminals seeking to hijack accounts across thirteen different countries.
The JokerOTP system functioned by automating deceptive phone calls to victims at the exact moment a login attempt triggered a security code. These bots would impersonate representatives from popular services like PayPal, Amazon, or Apple, claiming that a fraudulent login was in progress. By creating a false sense of urgency, the tool tricked users into entering their one-time passwords or PINs directly into the keypad, which the attackers then intercepted to gain full access to the target accounts.
The success of the platform relied on the precise timing of the automated calls, which coincided with the legitimate delivery of authentication codes to the users' devices. This synchronization led many victims to believe they were cooperating with a security measure rather than handing over their credentials to a thief. Once the codes were captured, criminals could rapidly drain bank accounts, make unauthorized purchases, or permanently hijack digital identities.
Police officials have emphasized that the investigation is ongoing and that dozens of individuals who purchased the bot within the Netherlands have already been identified for future prosecution. Authorities have also reached out to the public to reduce the stigma associated with falling for such advanced scams. They noted that the sophistication of these automated traps makes them difficult to detect, as they exploit the very security layers users are taught to trust.
To help the public stay safe, law enforcement recommends regularly checking breach notification services to see if personal data has been compromised. Since these phishing tools often rely on previously stolen credentials found on the dark web, maintaining awareness of data leaks is considered a primary defense. Users are reminded that legitimate companies will never call to request a one-time password or PIN over the phone.
Source: Police Arrest Seller Of JokerOTP MFA Passcode Capturing Tool