JokerOTP Platform Behind 28,000+ Phishing Attacks Dismantled

A 24-year-old man in Middlesbrough and a 30-year-old man in the Netherlands have been detained in a sweeping law enforcement operation targeting a sophisticated cybercrime network suspected of compromising financial accounts worth £7.5 million.

The arrests, executed by Cleveland Police’s Cyber Crime Unit and the Dutch National Police, mark the culmination of a three-year investigation into a phishing tool designed to extract authentication codes and sensitive personal data from victims.

Technical Anatomy of the Attack: Device Code Phishing and Bot Automation

At the heart of the alleged scheme is a tool leveraging device code phishing, a technique that exploits the OAuth device authorization grant flow.

Attackers generate a unique device code, often using tools like TokenTactics, and trick victims into entering it on a legitimate authentication page, such as Microsoft’s device login portal.

This grants the attacker an access token, bypassing the need for direct password or multi-factor authentication (MFA) interception.

A typical attack sequence involves:

  • Generating a device code via PowerShell:
      Import-Module C:\Tools\TokenTactics\TokenTactics.psd1
      Get-AzureToken -Client Graph
  • Crafting a phishing lure (e.g., a fake IT support email) with the device code and a legitimate login URL.
  • Upon victim interaction, the attacker receives tokens granting access to the victim’s account for up to 90 days.
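
A defensive counterpart to the sequence above, as an added example that is not part of the original article: because the victim signs in on a genuine page, the completed device code grant itself is the signal to look for in sign-in logs. The record fields (`time`, `user`, `protocol`, `app`, `success`), the `deviceCode` protocol value, the `expected_users` allowlist and the sample events are constructed assumptions; map them to your own identity provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). Field names and the
# "deviceCode" protocol value are assumptions; map them to your log schema.
SAMPLE_SIGNINS = [
    {"time": "2025-03-01T08:00:00", "user": "room1@example.com",
     "protocol": "deviceCode", "app": "Meeting room display", "success": True},
    {"time": "2025-03-10T08:00:00", "user": "room1@example.com",
     "protocol": "deviceCode", "app": "Meeting room display", "success": True},
    {"time": "2025-03-12T10:15:00", "user": "alice@example.com",
     "protocol": "oAuth2", "app": "Webmail", "success": True},
    {"time": "2025-03-12T14:02:00", "user": "alice@example.com",
     "protocol": "deviceCode", "app": "Graph API client", "success": True},
    {"time": "2025-03-12T14:30:00", "user": "bob@example.com",
     "protocol": "deviceCode", "app": "Graph API client", "success": False},
]

def flag_device_code_signins(events, expected_users=(), baseline=timedelta(days=30)):
    """Return (time, user, app, reasons) for successful device code sign-ins
    that are unusual for the account."""
    expected = {u.lower() for u in expected_users}
    last_seen = {}  # user -> time of previous successful device code sign-in
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["protocol"] != "deviceCode" or not ev["success"]:
            continue  # only completed device code grants issue tokens
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"].lower()
        reasons = []
        if user not in expected:
            reasons.append("account not expected to use device code flow")
        prev = last_seen.get(user)
        if prev is None or when - prev > baseline:
            reasons.append("no device code sign-in in baseline window")
        last_seen[user] = when
        if reasons:
            findings.append((ev["time"], user, ev["app"], reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS, ["room1@example.com"]):
        print(finding)
```

An account that trips both reasons at once, like the constructed `alice@example.com` record, is the one to triage first; a single "no baseline" hit on an allowlisted shared device is usually a first enrolment.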

The tool reportedly functioned as a bot (an automated software agent) capable of launching thousands of attacks, harvesting one-time passwords (OTP) from SMS via notification listeners, and executing fraudulent transactions across 13 countries.

Scale, Financial Impact, and Law Enforcement Response

Investigators estimate the tool was deployed over 28,000 times in two years, compromising accounts and facilitating unauthorized transfers, identity theft, and large-scale money laundering (the process of concealing the origins of illicitly obtained funds through complex transactions).

The operation’s technical sophistication included evasion tactics, bot automation, and exploitation of legitimate authentication flows, making detection challenging for both users and security systems.

Today’s arrests were coordinated with support from the North East Regional Organised Crime Unit (NEROCU), the National Crime Agency (NCA), Europol, and hosting providers, who assisted in taking down the malicious platform.

Detective Sergeant Kevin Carter emphasized the unprecedented scale of the investigation and the critical role of international collaboration in disrupting the network.


The post JokerOTP Platform Behind 28,000+ Phishing Attacks Dismantled appeared first on Cyber Security News.
