Full Report
The Netherlands Police have arrested a 21-year-old man from Dordrecht, suspected of selling access to the JokerOTP phishing automation tool that can intercept one-time passwords (OTP) for hijacking accounts. [...]
Analysis Summary
# Tool/Technique: JokerOTP
## Overview
JokerOTP is a phishing automation tool delivered as a Phishing-as-a-Service (PhaaS) platform. Its primary function is to automate the interception of One-Time Passwords (OTPs) used in Multi-Factor Authentication (MFA) schemes, enabling threat actors to hijack user accounts by mimicking legitimate service representatives through automated calls to victims.
## Technical Details
- Type: Attack Tool (Automation Platform/Service)
- Platform: Unknown (server-side infrastructure for workflow automation and VoIP calling, used to reach end-users by phone, is implied)
- Capabilities: Automation of phishing workflows, integration with stolen credentials, automated voice calls to victims, capture of sensitive data (including OTPs, PIN codes, card data, and social security numbers).
- First Seen: The operation has been under investigation for three years, with the platform being dismantled in April 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (In the broader context of PhaaS delivery, though the primary attack vector described is voice deception)
- **TA0007 - Credential Access**
- T1552 - Unsecured Credentials
- T1552.001 - Credentials in Files/Data (Stolen credentials used as input)
- **TA0006 - Credential Access** (The ultimate goal is to use stolen credentials + captured OTP)
- T1178 - Exploitation for Privilege Escalation (If account takeover grants higher privileges)
- *(Note: OTP interception through automated social engineering has no exact ATT&CK mapping. **T1566 Phishing**, adapted for voice interaction, is the closest fit for the deception aspect. **T1059.003** could apply to command execution if the tool interface allows it, while **T1559 - Inter-Process Communication** is less relevant than the direct victim interaction.)* The social engineering aspect maps most naturally to **T1566.003 (Phishing: Voice)** if that is recognized as a specific sub-technique, or otherwise to the general **T1566**.
## Functionality
### Core Capabilities
- Automating the attack chain required to bypass MFA protections.
- Utilizing stolen credentials (collected via previous malware infections or purchases).
- Interacting with victims via automated voice calls that mimic trusted service providers.
- Requesting and capturing the time-sensitive OTP entered by the victim during the call.
### Advanced Features
- Targeting specific high-value services, including PayPal, Venmo, Coinbase, Amazon, and Apple.
- Automated harvesting of various sensitive financial and personal data (PINs, card data, SSNs) in addition to OTPs.
- Phishing-as-a-Service (PhaaS) model allowing third-party cybercriminals to subscribe via license keys.
- Creation of urgency cues through the automated call to manipulate victims into cooperating.
## Indicators of Compromise
- File Hashes: N/A (Information pertains to the online service/platform, not specific malware artifacts observed in this summary)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The operation relies on an automated VoIP system overlaid on existing online services; specific C2 infrastructure is not detailed in the provided text.)
- Behavioral Indicators: Automated VoIP calls targeting users immediately following a credential attempt on a legitimate service (e.g., Amazon, PayPal). Requesting sensitive information like OTPs or PINs under the guise of account security verification.
## Associated Threat Actors
- The developer (arrested April 2025)
- Co-developers using aliases 'spit' and 'defone123' (arrested August 2025)
- Unnamed sellers (e.g., the 21-year-old arrested in Dordrecht)
- Numerous subscribing cybercriminals ("dozens of JokerOTP bot buyers in the Netherlands have already been identified")
## Detection Methods
- Signature-based detection: Not applicable based on the provided text, as it describes an operational service rather than static malware.
- Behavioral detection: Monitoring for unusual high-volume outbound automated calling activity that originates from potentially compromised infrastructure and targets users for social engineering. On the service side, detecting anomalous login attempts in which the OTP is accepted shortly after the victim disclosed it outside the standard portal flow (for example, read out over a call).
- YARA rules: N/A
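The service-side correlation described above, as an added example that is not code from the article or from the investigation: it assumes a constructed authentication event log (one `time user event ip device` record per line with `PASSWORD_OK`, `OTP_SENT` and `OTP_OK` events) and flags an MFA login when the OTP is accepted from a device the user has never completed MFA on before and the gap between sending and accepting the OTP is long enough to fit a live call to the victim (90 seconds is an assumed threshold).

```python
from datetime import datetime

# Constructed sample log (not real data). alice normally logs in from dev-home;
# her last session comes from an unknown device and the OTP lands 150 s later,
# which is the pattern an OTP relayed over a phone call would leave behind.
SAMPLE_LOG = """\
2025-04-10T09:00:00Z alice PASSWORD_OK 203.0.113.10 dev-home
2025-04-10T09:00:02Z alice OTP_SENT 203.0.113.10 dev-home
2025-04-10T09:00:20Z alice OTP_OK 203.0.113.10 dev-home
2025-04-11T14:30:00Z alice PASSWORD_OK 198.51.100.77 dev-unknown
2025-04-11T14:30:01Z alice OTP_SENT 198.51.100.77 dev-unknown
2025-04-11T14:32:31Z alice OTP_OK 198.51.100.77 dev-unknown
2025-04-11T15:00:00Z bob PASSWORD_OK 192.0.2.5 dev-bob
2025-04-11T15:00:01Z bob OTP_SENT 192.0.2.5 dev-bob
2025-04-11T15:00:15Z bob OTP_OK 192.0.2.5 dev-bob
"""

LONG_OTP_DELAY_S = 90  # assumed threshold; tune to the service's normal OTP entry time


def parse(log):
    """Yield (timestamp, user, event, ip, device) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, user, event, ip, device = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip, device


def flag_otp_relay(log, delay_s=LONG_OTP_DELAY_S):
    """Return alerts for OTP_OK events on a never-seen device with a slow OTP entry.

    A first-ever device with a fast OTP entry is treated as ordinary enrollment;
    only the combination new-device AND slow-OTP is reported, since a relayed
    code needs time for the automated call and the victim reading it out.
    """
    known = {}    # user -> devices that completed MFA before
    pending = {}  # (user, device) -> time the OTP was sent
    alerts = []
    for ts, user, event, ip, device in parse(log):
        if event == "OTP_SENT":
            pending[(user, device)] = ts
        elif event == "OTP_OK":
            sent = pending.pop((user, device), None)
            new_device = device not in known.setdefault(user, set())
            slow = sent is not None and (ts - sent).total_seconds() >= delay_s
            if new_device and slow:
                alerts.append({"user": user, "ip": ip, "device": device,
                               "otp_delay_s": (ts - sent).total_seconds()})
            known[user].add(device)
    return alerts
```

Flagged logins are candidates for step-up verification or a fraud review rather than automatic blocking, since legitimate users on a new device can also be slow to enter a code.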
## Mitigation Strategies
- Users should be highly suspicious of unexpected contact (calls or texts) requesting immediate OTP entry, even if the caller appears to be from a legitimate service.
- Implementing layered MFA solutions that do not rely solely on SMS or voice calls (e.g., hardware tokens or authenticator apps not tied to the phone number). Note that any code a user can read aloud can still be relayed during a call, whereas hardware-bound authenticators that never expose a code to the user cannot be.
- Staying vigilant regarding data breaches (checking services like Have I Been Pwned or CheckJack).
- Training users to recognize urgency created by attackers attempting to rush verification processes.
## Related Tools/Techniques
- General Phishing-as-a-Service (PhaaS) platforms.
- Tools that automate vishing (voice phishing) attacks.