Sophisticated Cyber Heist Spanning 13 Countries Comes to Light
In a significant blow to the global cybercrime ecosystem, law enforcement agencies in the UK and the Netherlands have dismantled a complex phishing operation responsible for financial fraud worth over £7.5 million. The sting culminated in the arrest of two individuals—one from Middlesbrough, aged 24, and another, a 30-year-old man, from the Netherlands—after a three-year investigation into a highly sophisticated phishing toolkit known to abuse legitimate authentication flows.
This coordinated crackdown, led by Cleveland Police’s Cyber Crime Unit and the Dutch National Police, highlights the growing international cooperation among cybersecurity forces to neutralize rising threats in the digital space. The phishing scheme reportedly relied on a tool that used bot automation and OAuth device code phishing—a method that tricked users into unwittingly giving attackers access to their accounts via legitimate authentication platforms such as Microsoft’s device login.
The attackers bypassed traditional security mechanisms such as passwords and even multi-factor authentication (MFA) by hijacking device code-based tokens. This not only allowed near-undetectable access but also provided control for up to 90 days, enabling sustained fraud operations, identity theft, and even large-scale money laundering across 13 countries.
Key Points Behind the Cyber Operation:
- Two arrests were made—one in Middlesbrough and one in the Netherlands.
- The cybercrime network allegedly exploited OAuth device code phishing, a method leveraging Microsoft login portals.
- Attackers used TokenTactics, a tool that generated device codes and automated attacks via PowerShell scripts.
- Victims were tricked into submitting device codes through phishing emails appearing to be from legitimate IT support sources.
- Once a device code was entered, attackers obtained access tokens valid for up to 90 days.
- The campaign deployed bots capable of intercepting OTPs from SMS, facilitating unauthorized financial transactions and identity theft.
- The phishing platform was used over 28,000 times and affected users in 13 different countries.
- Europol, the National Crime Agency (NCA), and NEROCU played major roles in dismantling the infrastructure behind the operation.
- The investigation underscores how cybercriminals are increasingly abusing legitimate technology flows to avoid detection.
What Undercode Says:
This cyber operation is a textbook example of how sophisticated the digital threat landscape has become. By leveraging OAuth device code phishing, attackers manipulated legitimate login processes to gain unauthorized access without ever touching a password or directly confronting MFA mechanisms. This shift represents a significant evolution in phishing strategies.
The technical anatomy of the attack reveals how traditional email phishing has morphed into something much more nuanced. Device code phishing doesn’t rely on malware or brute-force attacks—instead, it thrives on social engineering and a deep understanding of how cloud authentication protocols work. Tools like TokenTactics demonstrate the weaponization of developer utilities for malicious ends.
From an automation standpoint, the ability to deploy such attacks on a massive scale—28,000 times in two years—shows how scalable cybercrime has become. The attackers weren’t just targeting individuals, but entire infrastructures, operating in a highly organized manner akin to a tech startup, complete with bots, automated OTP interception, and data laundering processes.
What’s more alarming is how effectively they masked their operations. By abusing OAuth flows, these cybercriminals sidestepped most traditional detection systems, making their attacks nearly invisible. Security protocols that once served as robust defense mechanisms—like MFA—are now vulnerable if attackers can manipulate the session tokens through legitimate front doors.
This case highlights a growing necessity for security solutions to go beyond user-side authentication checks. Behavior analytics, session anomaly detection, and zero-trust frameworks are no longer optional but essential. Organizations must evolve to address these invisible and automated threats.
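The key points above describe the attack chain (a device-code grant completed by a phished user, followed by tokens that stay valid for up to 90 days), and the paragraph just above calls for session anomaly detection rather than relying on the login check alone. The script below is an added example written for this article, not code from the report, the investigators or any tool it names. It hunts through sign-in records for completed device-code grants and grades each one: a source IP outside the organisation's known egress ranges, or one source IP completing the grant for several accounts in quick succession (the automation the article describes), raises the severity, and each hit is given the end of its 90-day exposure window so responders know by when tokens must be revoked. The field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `status.errorCode`) follow the shape of Microsoft Entra sign-in logs as I understand it and should be treated as assumptions; the log lines, the egress range and the threshold are constructed for the example.

```python
"""
Hunting for OAuth device-code phishing in sign-in logs (added example).

The records, network ranges and thresholds here are constructed; the field
names imitate Microsoft Entra sign-in log records but are an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organisation's known egress ranges (constructed value).
KNOWN_RANGES = [ip_network("203.0.113.0/24")]
# Tokens obtained through the grant stay usable for up to 90 days (per the article),
# so one completed phish defines a 90-day exposure window for that account.
TOKEN_LIFETIME = timedelta(days=90)
# Heuristic: this many distinct users completing the grant from one IP is suspicious.
SHARED_IP_THRESHOLD = 2

# Constructed sample sign-in records (JSON lines); not real log data.
SAMPLE_LOG = """
{"createdDateTime": "2025-04-01T08:02:11Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-01T09:15:40Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-01T09:16:05Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-01T10:30:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-01T11:00:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records, converting timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["createdDateTime"] = datetime.fromisoformat(
            rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def is_known_ip(ip):
    """True if the address falls inside one of the known egress ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def device_code_signins(records):
    """Only successful sign-ins that completed the device authorization grant."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]


def hunt(records):
    """Grade each completed device-code grant and compute its exposure window."""
    hits = device_code_signins(records)
    users_per_ip = defaultdict(set)
    for r in hits:
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in hits:
        reasons = ["device_code_grant"]
        if not is_known_ip(r["ipAddress"]):
            reasons.append("unknown_source_ip")
        if len(users_per_ip[r["ipAddress"]]) >= SHARED_IP_THRESHOLD:
            reasons.append("shared_source_ip")
        findings.append({
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "country": r.get("location", {}).get("countryOrRegion"),
            "signed_in": r["createdDateTime"],
            # Revoke sessions/refresh tokens before this date or assume access persists.
            "tokens_valid_until": r["createdDateTime"] + TOKEN_LIFETIME,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


def hunt_sample():
    """Run the hunt over the constructed sample log."""
    return hunt(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"{f['severity']:6} {f['user']:18} {f['ip']:15} {f['country']} "
              f"reasons={','.join(f['reasons'])} "
              f"revoke-before={f['tokens_valid_until']:%Y-%m-%d}")
```

Run against real exports, the same logic turns a single protocol filter into a prioritised worklist: every hit needs the account's refresh tokens revoked, and the high-severity ones (unfamiliar source, several accounts from one host) are the first to investigate. The preventive counterpart is to block the device code flow for users who have no need of it, which Entra Conditional Access supports, so that a phished code cannot complete the grant in the first place.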
Another dimension worth noting is the operational complexity. The suspects weren’t just working from a single base—they coordinated across borders, using various infrastructure providers to maintain uptime and resilience. This required meticulous planning, operational discipline, and financial laundering expertise to convert stolen assets into usable funds.
The international response, particularly the involvement of Europol and multiple regional crime units, illustrates the scale and urgency governments now attach to cyber threats. Cross-border collaboration is no longer a bonus—it’s the backbone of any effective cybercrime response strategy.
Ultimately, this takedown is a reminder that while cybercriminals grow more advanced, so too must the tools, strategies, and cooperation of those who defend the digital realm. The successful arrests represent more than just justice served—they offer insights into how cybercrime can be proactively thwarted when law enforcement, cybersecurity experts, and the tech industry work together.
Fact Checker Results:
- The OAuth device phishing method described is accurate and widely recognized as a growing cyber threat.
- The use of automation tools like TokenTactics is consistent with known tactics in phishing-as-a-service models.
- Law enforcement agencies confirmed cross-border cooperation and platform takedowns.
References:
Reported By: cyberpress.org