In a significant breakthrough in the fight against online fraud, Dutch law enforcement authorities have arrested a 21-year-old man from Dordrecht for allegedly selling access to a sophisticated phishing automation tool known as JokerOTP, which was used to intercept multi-factor authentication (MFA) passcodes and facilitate account takeovers.

The arrest marks the third related detention since a lengthy investigation began into the JokerOTP operation, which authorities dismantled last year. A joint international probe spanning over three years previously led to the arrest of the platform’s developer and a co-developer, identified by the online aliases “spit” and “defone123.”

JokerOTP wasn’t just another phishing kit. It was a phishing-as-a-service (PhaaS) platform that automated real-time social engineering attacks capable of capturing one-time passwords (OTPs)—temporary passcodes used as part of MFA to verify a user is who they claim to be. Once criminals obtained these codes, they could bypass authentication protections on victims’ accounts.

Over its active period, JokerOTP is believed to have been involved in more than 28,000 attacks across at least 13 countries, causing an estimated $10 million in financial losses for victims around the world. Among the targeted services were major platforms such as PayPal, Venmo, Coinbase, Amazon, and Apple.

According to authorities, the suspect used a Telegram account to advertise JokerOTP access to other cybercriminals in the form of license keys. Buyers could then configure the tool to automatically call victims, impersonating legitimate service representatives, and request one-time passcodes at the very moment they were sent by the real platform.

Investigators explained that this timing trick was crucial. Because the fraudulent calls coincided with the delivery of an OTP, many victims—believing they were protecting their accounts—would unwittingly provide sensitive codes, allowing attackers to complete the account takeover.

With access secured, attackers could carry out anything from unauthorized purchases to transferring funds or locking account owners out entirely. The police said the investigation is ongoing, and they have already identified dozens of JokerOTP buyers within the Netherlands who may face prosecution.

Authorities also urged the public not to feel ashamed if they fell victim to such scams, emphasizing that sophisticated social engineering often fools even cautious users. They recommended remaining vigilant for common fraud signals—such as urgent requests for personal data or unusual communication—and utilising secure methods of MFA, such as hardware tokens, whenever possible.

To assess individual risk, users are encouraged to check whether their data has been exposed in known breaches using services like “Have I Been Pwned” or the Dutch police’s own “CheckJack” platform. Data leaks can make individuals more likely targets for automated phishing tools such as JokerOTP.