Full Report
The Dordrecht native was detained on Tuesday by police in East Brabant on accusations he distributed a bot called JokerOTP, which is used widely by cybercriminals to intercept the codes delivered by many platforms as part of multi-factor authentication sign-ins.
Analysis Summary
# Threat Actor: JokerOTP Distributor Network (Affiliate/Seller)
## Attribution & Identity
The subject is a 21-year-old Dordrecht native arrested by East Brabant Police in the Netherlands. He is identified as a distributor/seller of the JokerOTP bot, not its primary developer. Earlier arrests in the same investigation took in the bot's developer (April 2025) and co-developer (August 2025).
**Known Aliases and Associated Groups:**
* The arrested individual is associated with the **JokerOTP** tool/platform network.
* Other associated individuals include the tool's **developer** and **co-developer**.
## Activity Summary
The arrested individual was detained for allegedly distributing the **JokerOTP** bot, which is widely used by cybercriminals to intercept multi-factor authentication (MFA) one-time passwords (OTPs). This specific arrest is part of a three-year international investigation involving Dutch and U.K. police. The individual allegedly sold the bot license keys via **Telegram**.
Over a two-year period, JokerOTP was reportedly used over 28,000 times across 13 countries, resulting in the theft of at least $10 million.
## Tactics, Techniques & Procedures
The actor network utilized the automated JokerOTP bot to facilitate MFA bypass:
* **Automated Voice Phishing (OTP bot):** The bot places automated calls to the victim, posing as the bank or platform's security/fraud desk, and asks the victim to read back or key in the one-time code that has just been sent to them. The code itself is never intercepted in transit; the victim hands it over.
* **MFA Bypass:** The operator enters the disclosed code into the sign-in attempt that triggered it, so the OTP second factor is satisfied and the account is taken over.
* **Distribution Method:** The specific affiliate used Telegram to sell the bot's license keys to other criminals.
* **Impersonation:** The broader JokerOTP operation involved impersonating trusted organizations (banks, crypto exchanges) during phishing attempts (Bitdefender observation).
* **Infrastructure:** Platform included fake websites mimicking legitimate financial institution login portals.
**MITRE ATT&CK IDs:** Not cited in the source; analyst mapping of the described behaviour: T1111 (Multi-Factor Authentication Interception) for harvesting the OTP, T1566.004 (Phishing: Spearphishing Voice) and T1598.004 (Phishing for Information: Spearphishing Voice) for the automated calls, T1598.003 (Phishing for Information: Spearphishing Link) for the fake login portals, and T1656 (Impersonation) for posing as banks and exchanges. Selling licence keys over Telegram is distribution of a criminal tool rather than a technique used against victims and has no ATT&CK mapping.
## Targeting
* **Sectors:** Financial institutions (banks, cryptocurrency exchanges) and "many platforms" requiring MFA are the primary targets based on the tool's operational scope.
* **Geography:** Operations spanned 13 different countries. Arrests/investigations involved the **Netherlands** and the **U.K.** (Cleveland Police involvement).
* **Victims:** Individuals whose financial or service accounts were compromised, leading to fraud and emotional/financial harm.
## Tools & Infrastructure
* **Tooling:** **JokerOTP**, described in the source as a bot and a "powerful phishing tool"; an OTP-bot service sold to other criminals rather than malware installed on victim devices.
* **Infrastructure (C2, domains, IPs):** No C2 addresses, domains or IPs are published in the source.
* **Distribution:** Licence keys sold via **Telegram**.
* **Phishing Kit:** Included fake websites mimicking legitimate financial portals.
## Implications
The activity highlights the danger of sophisticated, automated social engineering attacks designed to defeat modern MFA protections. The successful compromise of these mechanisms facilitates large-scale financial fraud. The ongoing arrests demonstrate successful international law enforcement cooperation against the entire supply chain involved in distributing cybercriminal tools, impacting sellers, developers, and purchasers.
## Mitigations
* **Enhance Authentication Security:** Move to phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys), whose assertions are bound to the site origin and cannot be read out over the phone or replayed from a look-alike site. SMS codes and app-based TOTP are equally exposed to an OTP bot: anything the user can read aloud, the bot can collect. Where OTPs must remain, require the code to be entered only on the platform, never spoken to a caller, and treat an OTP submission that follows an unsolicited outbound call as a fraud signal.
* **User Training:** Educate users specifically on unsolicited automated calls claiming account access issues, emphasising that legitimate institutions will never ask for a one-time code over the phone.
* **Investigative Focus:** Law enforcement will continue to track and prosecute those who purchased and utilized the JokerOTP software.
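The following simulation, added here as an illustration and not code from JokerOTP, the source article or any named vendor, models the OTP-bot flow described under Tactics, Techniques & Procedures beside the origin-bound assertion recommended under Mitigations. The attacker starts a sign-in, the service sends a six-digit code to the victim, the bot's call coaxes the victim into reading it back, and the attacker completes the login. Against a FIDO2-style credential the same relay fails twice over: the authenticator refuses to sign for a look-alike origin, and even if the client scoping were bypassed the server rejects an assertion whose signed origin is not its own. Names such as `bank.example`, `bank-example.com`, `Victim`, `OtpService`, `FidoService` and `Authenticator` are assumptions for the example, and an HMAC over the signed client data stands in for the real ECDSA signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import os
import secrets

# All names, hosts and classes below are constructed for this example.


class Victim:
    """Account holder who may or may not read an OTP back to a caller."""

    def __init__(self, username, reads_code_to_callers=True):
        self.username = username
        self.reads_code_to_callers = reads_code_to_callers
        self.last_code = None

    def phone_receives(self, code):
        self.last_code = code

    def answer_call(self, pretext):
        # pretext is what the bot says; a sceptical victim hangs up without reading the code.
        return self.last_code if self.reads_code_to_callers else None


class OtpService:
    """Sign-in protected by a 6-digit code delivered to the account holder (SMS/app style)."""

    def __init__(self):
        self.pending = {}  # login_id -> expected code

    def start_login(self, victim):
        # The service cannot tell whether the person who typed the password is the victim.
        login_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login_id] = code
        victim.phone_receives(code)
        return login_id

    def finish_login(self, login_id, code):
        expected = self.pending.pop(login_id, None)
        return expected is not None and code is not None and hmac.compare_digest(expected, code)


def otp_bot_attack(service, victim):
    """Attacker starts the sign-in; the bot harvests the second factor by phone."""
    login_id = service.start_login(victim)  # code goes to the victim's phone
    spoken = victim.answer_call("Fraud department: please confirm the security code we just sent you")
    return service.finish_login(login_id, spoken)  # attacker types whatever the victim read out


class Authenticator:
    """FIDO2-style authenticator: the credential is scoped to one relying-party ID and the
    assertion covers the challenge together with the origin the browser saw.
    HMAC stands in for the real ECDSA signature (simplification for this example)."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.key = os.urandom(32)

    def get_assertion(self, origin, challenge, enforce_scope=True):
        host = origin.split("://", 1)[1]
        if enforce_scope and host != self.rp_id:
            raise PermissionError(f"no credential registered for {origin}")
        client_data = f"{origin}|{challenge.hex()}".encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()


class FidoService:
    """Relying party: verifies the challenge, the origin and the signature."""

    def __init__(self, rp_id, authenticator):
        self.rp_id = rp_id
        self.key = authenticator.key  # registration; real WebAuthn stores the public key
        self.pending = set()

    def start_login(self):
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, client_data, signature):
        origin, challenge_hex = client_data.decode().split("|")
        challenge = bytes.fromhex(challenge_hex)
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        if origin != f"https://{self.rp_id}":  # origin binding defeats relay from a look-alike site
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def fido_legit_login(service, authenticator):
    challenge = service.start_login()
    return service.finish_login(*authenticator.get_assertion(f"https://{service.rp_id}", challenge))


def fido_phishing_attack(service, authenticator, fake_origin, client_enforces_scope=True):
    """Attacker fetches a real challenge and relays it through a look-alike login page."""
    challenge = service.start_login()
    try:
        client_data, sig = authenticator.get_assertion(fake_origin, challenge, client_enforces_scope)
    except PermissionError:
        return False  # nothing to relay: the authenticator will not sign for that origin
    return service.finish_login(client_data, sig)  # rejected server-side even if it did


if __name__ == "__main__":
    print("OTP bot vs credulous victim:", otp_bot_attack(OtpService(), Victim("alice")))
    print("OTP bot vs sceptical victim:", otp_bot_attack(OtpService(), Victim("bob", False)))
    auth = Authenticator("bank.example")
    bank = FidoService("bank.example", auth)
    print("FIDO legitimate login:", fido_legit_login(bank, auth))
    print("FIDO relay via look-alike:", fido_phishing_attack(bank, auth, "https://bank-example.com"))
    print("FIDO relay, scoping bypassed:", fido_phishing_attack(bank, auth, "https://bank-example.com", False))
```

The two OTP runs show that the control is only as strong as the victim's refusal to read a code to a caller, which is exactly what the automated pretext is built to wear down; the FIDO runs show why the mitigation bullet names phishing-resistant MFA rather than "app-based" codes.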