Young man arrested in Dordrecht for selling access to JokerOTP, the phishing platform that steals one-time passwords with fake calls

Dutch authorities recently arrested a 21-year-old man from Dordrecht accused of selling access to JokerOTP, an automated phishing platform that made it easier to capture one-time passwords (OTPs) for account takeover. According to the police, this is the third arrest in an investigation that lasted several years and that had already dismantled the JokerOTP operation in 2025, which was run as a criminal service sold to other offenders.

JokerOTP operated as a phishing-as-a-service (PhaaS) platform: the perpetrators offered licenses and access to a panel and bots that could automate calls and messages to victims, requesting temporary codes just as they reached the victims' devices. The mechanics were simple and effective: the attackers used compromised credentials to initiate login attempts and, at the same time, the bot called the victim, posing as the legitimate entity and requesting the OTP code. Because the delivery of the code coincided in time with the fraudulent call, many people believed they were helping to protect their account and handed over the code without suspicion.

The consequences were considerable. In just a couple of years, the platform has been linked to tens of thousands of incidents that affected users in more than a dozen countries and caused estimated financial losses of about $10 million. The most affected services included widely used payment and e-commerce platforms such as PayPal, Venmo, Coinbase, Amazon and Apple. The Dutch police statement on the most recent arrest supports these figures and tracks developments in the case, and BleepingComputer has published coverage with technical details and a timeline.

Access was sold on messaging channels such as Telegram, where license keys for the service were offered. Buyers, a number of whom the police have already identified in the Netherlands, could configure the software to capture not only authentication codes but also PINs, card data and other sensitive data that would allow them to take over accounts or move funds to accounts controlled by criminals. A police report in the United Kingdom documenting related arrests and the scope of the attacks also helps to show the international impact of the operation.

Why did this scam work? OTP codes are designed to expire quickly and to confirm that the person logging in is the legitimate owner. But their strength depends on how they are protected and how they are delivered: codes sent by SMS or email are more vulnerable to this type of social deception when a human or automated element, such as a fake call, is added to convince the victim to enter the code. The Dutch police statement includes an explanation of the investigation and testimony from the team working on the case, and details how the bot automatically contacted victims to ask them for the code, which led many to cooperate in the belief that they were helping to protect their account.

Beyond the arrest, the authorities have stressed that those who fall victim to this kind of fraud should not be ashamed: the attacks combine social engineering and technical synchronization to induce trust and fear, creating a sense of urgency that clouds judgment. The police recommend watching for fraud signals such as unexpected requests for PINs or passwords and artificially created urgency, and point out that there are tools to check whether your data has been exposed in known breaches. Among the public tools mentioned by investigators are Have I Been Pwned and the Dutch leak-checking service CheckJeHack.

What can a user do to reduce risk? The most solid recommendation is to choose authentication mechanisms that are phishing-resistant: TOTP-based authentication apps have better resistance than SMS, but the ideal options are passwordless authentication solutions or hardware tokens that implement standards like FIDO2. Official agency guidance notes that multi-factor authentication based on server-verifiable factors, with no code that can be forwarded, greatly reduces the risk that a third party can reuse an intercepted code. For more detail on good technical practice, see NIST's recommendations on authentication (NIST SP 800-63B) and the US cybersecurity agency's guidance on MFA (CISA - Multi-Factor Authentication).
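The difference between a forwardable code and a phishing-resistant response can be shown in a few lines. This is an added example, not code from the article or from the agencies it cites: it compares a strict RFC 6238 TOTP check with a simplified FIDO2-style assertion in which HMAC stands in for the authenticator's public-key signature. The credential key, challenges and `.example` origins are constructed, and the TOTP secret is the RFC 6238 test secret.

```python
import hashlib, hmac, json, struct

SECRET = b"12345678901234567890"          # RFC 6238 test secret, not a real credential
CRED_KEY = b"constructed-credential-key"  # stand-in for an authenticator key pair

def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_otp(secret, submitted, now):
    # The server sees only digits: nothing ties them to a session, device or site.
    # (Strict check of the current 30-second window only.)
    return hmac.compare_digest(totp(secret, now), submitted)

def sign_assertion(key, challenge, origin):
    # Simplified FIDO2-style response: the client records the origin it is really
    # connected to, and the authenticator signs challenge + origin together.
    # HMAC stands in for the authenticator's public-key signature.
    data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    return data, hmac.new(key, data, hashlib.sha256).digest()

def server_accepts_assertion(key, data, sig, challenge, expected_origin):
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), sig):
        return False
    fields = json.loads(data)
    return fields["challenge"] == challenge.hex() and fields["origin"] == expected_origin

def compare():
    issued_at = 1111111100
    code = totp(SECRET, issued_at)            # code shown to the account owner
    results = {"otp_forwarded": server_accepts_otp(SECRET, code, issued_at + 9),
               "otp_expired": server_accepts_otp(SECRET, code, issued_at + 11)}
    own, other = b"\x01" * 16, b"\x02" * 16   # challenges of two separate sessions
    data, sig = sign_assertion(CRED_KEY, own, "https://bank.example")
    results["assertion_own_session"] = server_accepts_assertion(
        CRED_KEY, data, sig, own, "https://bank.example")
    results["assertion_other_session"] = server_accepts_assertion(
        CRED_KEY, data, sig, other, "https://bank.example")
    data2, sig2 = sign_assertion(CRED_KEY, other, "https://lookalike.example")
    results["assertion_wrong_origin"] = server_accepts_assertion(
        CRED_KEY, data2, sig2, other, "https://bank.example")
    return results

if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The OTP verifies for whoever submits it inside the time window, while the signed response is only valid for the session and origin it was produced for.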

The investigation continues and, according to the police, several buyers of the JokerOTP service in the Netherlands have been identified and will be prosecuted in due course. This case is a reminder that cyberattackers not only create technical tools but also market and professionalize them, which makes it essential to combine technological prevention with digital literacy: knowing how to recognize manipulation tactics, not sharing codes under any circumstances and preferring fraud-resistant authentication methods.

In the end, the best defense is not a single technology but a mix of appropriate technical controls, monitoring of one's own data exposures and a critical attitude toward unexpected calls and messages that ask for sensitive information. The recent arrest in Dordrecht shows that law enforcement can follow the trail of criminal networks that monetize these weaknesses, but it is also a signal for users and companies to update their defenses and habits.
