Police in the Netherlands arrested a 21-year-old as part of a larger investigation into a tool built to steal one-time passwords.

The Dordrecht native was detained on Tuesday by police in East Brabant on accusations he distributed a bot called JokerOTP. The tool is used widely by cybercriminals to intercept the codes delivered by many platforms as part of multi-factor authentication sign-ins. 

Dutch police did not name the man arrested but said this is the third person connected to JokerOTP that has been detained, with the system’s developer and co-developer arrested in April and August 2025 during operations in the Netherlands and the U.K.

The man arrested on Tuesday allegedly sold the bot to other criminals through Telegram and had the bot’s license keys when he was arrested. 

The Cleveland Police Department in the U.K. said last year that over a two-year stretch, JokerOTP was used over 28,000 times in 13 different countries. The hackers behind it were allegedly able to steal at least $10 million. 

Most one-time passwords are sent to a person’s phone by a bank or payment service. According to Dutch officials, JokerOTP allowed cybercriminals to “automatically call victims and then trick them into entering a one-time password to gain access to someone's account.”

"Victims were automatically called by the bot, informing them that criminals were trying to access their accounts. The bot then asked them to enter their one-time password. Victims think they're protecting themselves by providing information,” said Anouk Bonekamp, ​​cybercrime team leader with the East Brabant Police Unit.

“This plays on feelings of uncertainty and fear, while a one-time password is intended to prevent malicious actors from logging into your account. Using the bot, two-factor authentication can be bypassed, allowing the cybercriminal to access victims' accounts and commit fraud."

Officials noted that they have identified multiple people in the Netherlands who purchased JokerOTP and plan to track them down for prosecution. 

Bonekamp said those who purchased it “create many victims, causing not only financial but also emotional harm, such as stress and embarrassment."

The arrests came after a three-year investigation by police departments in The Netherlands and the U.K. One of the two men arrested last year was nabbed in the English town of Middlesbrough. 

Cybersecurity researchers at Bitdefender previously said JokerOTP was a powerful phishing tool that typically involved attackers “impersonating trusted organizations such as banks, cryptocurrency exchanges, and other major service providers.”

“Attackers contact potential victims, posing as customer service representatives. Victims are alerted to supposed suspicious activities on their accounts. Victims are pressured into verifying their identities by willingly offering OTPs or 2FA codes received via text messages or mobile applications,” Bitdefender explained. 

“Once obtained, attackers use the stolen codes to access victims' accounts. Attackers then carry out fraudulent transactions or altered security settings to maintain persistent access. The stolen credentials were usually sold or traded among cybercriminals. In other situations, they were used for identity theft and various criminal activities.”

The platform also had fake websites that looked like legitimate login portals for real financial institutions. 

“Users of the JokerOTP bot platform can rest assured that law enforcement has been watching and will be in touch,” said Kevin Carter, an official with the Cleveland Police’s Cyber Crime Unit.