Three men have admitted in court to operating OTP.Agency, an online service that facilitated social engineering tactics to fraudulently obtain one-time passcodes (OTPs) from customers of numerous banks and financial services across the UK.
The platform, which was shut down by the National Crime Agency (NCA) in March 2021, exploited weaknesses in multi-factor authentication (MFA) systems to enable criminal access to sensitive financial information.
OTPs manipulated by gang
The OTPs, or temporary passwords, are typically used as an added layer of security in MFA processes, protecting accounts from unauthorised access. However, OTP.Agency provided criminals with the means to bypass this security layer.
By subscribing to the illegal service, criminals were able to access victims’ bank accounts using both the stolen OTPs and other login credentials, often leading to complete account takeovers and financial losses for the victims.
The NCA has identified Callum Picari, 22, as the main developer and owner of OTP.Agency, while Aza Siddeeque, 19, was tasked with promoting the platform and managing technical support for its users. The third individual, Vijayasidhurshan Vijayanathan, 21, was also implicated in the operation.
Investigators estimate that between September 2019 and March 2021, the trio targeted over 12,500 individuals, successfully stealing financial data through their illicit operations.
OTP.Agency marketed its services as a reliable way to acquire OTPs from over 30 different online platforms, including major financial services like Apple Pay. The service was sold through various subscription tiers, with fees starting at £30 per week for a basic package and rising to £380 per week for an “elite” plan. These plans provided different levels of access and capabilities, depending on the needs of the criminals using them.
To execute their fraudulent schemes, OTP.Agency used automated calls generated by text-to-speech software to contact victims directly. These calls would appear to come from legitimate sources, such as the victim’s bank, tricking them into divulging their OTPs.
NCA tells consumers to remain vigilant
According to the NCA, “criminals disguised the ID so it appeared as a real call from the victim’s bank,” a tactic that significantly increased the success rate of these social engineering attacks. The basic service package enabled customers to bypass MFA for several UK banks, including HSBC, Monzo, and Lloyds. In contrast, the more advanced tiers provided access to bypass the verification systems of Visa and Mastercard (a spokesperson from the NCA has since informed Tech Monitor that neither firm’s systems themselves were compromised.)
The group also maintained a private Telegram channel with over 2,200 members, where they coordinated activities, shared information, and offered customer support to those using OTP.Agency’s services. The NCA’s investigation suggests that the illicit operation could have generated as much as £7.9m for its administrators over its 18-month run.
“Picari, Vijayanathan and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public,” said the NCA National Cyber Crime Unit Operations Manager, Anna Smith. “The trio profited from these serious crimes by running www.OTP.Agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people’s livelihoods.”
Smith went on to warn consumers using online banking services to remain vigilant about attempts by threat actors to steal their details. “Criminals may pretend to be a trusted person or company when they call, email or message you,” she said. “If something seems suspicious or unexpected, such as requests for personal information, contact the organisation directly to check using details published on their official website.”
As a result of their involvement in the OTP.Agency scheme, Picari, Vijayanathan, and Siddeeque now face serious legal consequences. The trio have been charged with conspiracy to commit fraud and conspiracy to make and supply articles for use in fraud. Additionally, Picari, as the owner of the service, faces an extra charge for money laundering.
Under UK law, both conspiracy to commit fraud and conspiracy to create tools for fraud carry potential prison sentences of up to 10 years. Money laundering, however, carries a maximum sentence of up to 14 years in prison. The exact penalties for each individual will be determined by the Snaresbrook Crown Court, with a sentencing hearing set for 2 November.
Written by Swagath Bandhakavi
Read more: What’s the NCA doing about cybercrime?
