Cyber: Police Arrest Seller Of Jokerotp Mfa Passcode Capturing Tool

The Netherlands Police have arrested a a 21-year-old man from Dordrecht, suspected of selling access to the JokerOTP phishing automation tool that can intercept one-time passwords (OTP) for hijacking accounts.

The suspect is the third one arrested after authorities after a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025.

At the time, authorities arrested the developer of the platform, and in August, a co-developer who used the aliases 'spit' and 'defone123'.

In two years, the JokerOTP malicious service allegedly caused at least $10 million in financial losses in more than 28,000 attacks targeting users in 13 countries.

The seller, whose name has not been disclosed, used a Telegram account to advertise access to the phishing platform via license keys.

The JokerOTP bot could target users of PayPal, Venmo, Coinbase, Amazon, and Apple.

OTPs are temporary codes serving as an additional security layer in account authentication. They can be sent via SMS or email, or generated by a specialized application, when users try to log into an account.

These codes have short expiration times and are meant to ensure that access to an account is reserved only to the rightful owner, blocking fraudulent attempts from actors who might have stolen or guessed (brute-forced) the credentials.

Typically, cybercriminals would use stolen credentials, either collected from malware infections or purchased on the dark web, and try to log into a target account. The legitimate owner would receive the OTP required for completing the login process.

At the same time, JokerOTP automated calls to targets, posing as representatives of the legitimate service the attackers were attempting to access, and requesting the one-time password (OTP).

Source: BleepingComputer