Massive Phishing-as-a-service Operation Taken Down in Joint Operation in Europe

Silviu STAHIE

April 29, 2025

Authorities from the United Kingdom, the Netherlands, and Europol joined forces to dismantle JokerOTP, a phishing-as-a-service (PhaaS) operation used to launch more than 28,000 attacks all over the world.

Investigation and arrests

A three-year investigation ended on April 22 when authorities made multiple arrests in the UK and the Netherlands, according to the UK’s Cleveland Police.

A 24-year-old suspect was arrested in Middlesbrough, UK, and Dutch authorities caught a 30-year-old in Oost-Brabant. The suspects allegedly operated online under the aliases 'spit' and 'defone123.'

"This case highlights the growing complexity of cybercrime and demonstrates our commitment to combating such threats internationally," said Detective Sergeant Kevin Carter from Cleveland Police.

How JokerOTP worked

JokerOTP was a powerful phishing tool built with a single purpose: to intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes. The cyberattack usually involved attackers impersonating trusted organizations such as banks, cryptocurrency exchanges, and other major service providers.

This is how an attack could go down:

  • Attackers contact potential victims, posing as customer service representatives.
  • Victims are alerted to supposed suspicious activities on their accounts.
  • Victims are pressured into verifying their identities by willingly offering OTPs or 2FA codes received via text messages or mobile applications.
  • Once obtained, attackers use the stolen codes to access victims' accounts.
  • Attackers then carry out fraudulent transactions or alter security settings to maintain persistent access.
  • The stolen credentials were usually sold or traded among cybercriminals. In other situations, they were used for identity theft and various criminal activities.

JokerOTP also had realistic-looking websites that simulated login portals of real institutions, which allowed attackers to trick users into entering their credentials.

International cooperation was essential

The dismantling of JokerOTP was a joint operation that involved the Cleveland Police's Cyber Crime Unit, Europol, and Dutch law enforcement.

"The international cooperation in this investigation was essential. Cybercrime knows no borders, and neither does our response," Detective Carter also said.

Charges and consequences galore

The arrested suspects now face multiple charges, including fraud by false representation, supplying tools for fraud, unauthorized computer access, money laundering, and blackmail.

Following the arrests, Cleveland Police issued a public advisory urging caution. They recommended that people never share OTPs or 2FA codes, even when the request seems to come from someone they know or a seemingly legitimate company.
