UK Men Operating OTP Theft Service Plead Guilty to Fraud

• Three men administrating a service for stealing one-time passwords pleaded guilty in court.
• The service provided cybercriminals who already had victims’ bank credentials with the necessary validation code.
• Thousands of people were targeted by the criminal OTP Agency platform in a relatively short activity time.

Three individuals from the United Kingdom have admitted guilt in administrating OTP Agency, a previously popular online service aimed at intercepting banking and other services’ one-time passcodes (OTPs) used in multi-factor authentication (MFA) processes, according to a statement by the UK's National Crime Agency (NCA).

The guilty pleas come from Callum Picari, 22, of Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire, NCA said.

Picari was the service's owner, developer, and main beneficiary. In February 2020, his personal information and ownership of OTP Agency were revealed in a “dox” on the former cybercrime forum Raidforums.

The accused conducted a social engineering operation that intercepted OTPs from customers of various banks and services in the U.K. Launched in November 2019, OTP Agency gained traction as a tool for scammers who had already acquired victims' bank credentials. 

By entering the target's phone number and name, the service would place an automated call warning of unauthorized activity, prompting the victim to submit an OTP sent via SMS. These codes were then relayed to the scammer's panel on the OTP Agency website.

KrebsOnSecurity reported on OTP Agency in 2021, noting its operators falsely claimed legitimacy as an anti-fraud service. However, the evidence pointed to a clear intent to facilitate account takeovers. 

Following the publication, OTP Agency shut down its site and deleted its Telegram channel. Shortly afterward, it reemerged with a new channel and login page, assuring customers that their credentials remained intact. However, the site was taken offline less than a month later when the three individuals were arrested.

The NCA said it began investigating the service in June 2020, and OTP Agency users targeted more than 12,500 victims during the 18 months the service was active.
Recently, online scammers have been able to obtain OTPs that victims receive via text messages, voice calls, email, instant messages, or mobile app push notifications via complex hacks with multiple stages, including phishing and OTP bots managed via a special browser-based panel or a Telegram bot.