A trio of Brits who ran the OTP Agency, a business focused on account takeovers, found themselves in legal trouble after a panicked reaction to a news report in 2021. The National Crime Agency (NCA) revealed details of the case, shedding light on the events that led to the downfall of the fraudulent operation.
The troubles began when Callum Picari, 23, from Hornchurch, Essex, received alarming news from infosec reporter Brian Krebs regarding OTP Agency’s mention in an investigation related to a separate phishing kit operation. In a series of messages, Picari expressed fear and concern about being caught, even going as far as requesting the deletion of chat messages to cover his tracks.
The three individuals behind OTP Agency, including Picari, Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire, and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire, were arrested shortly after the panicked messages were exchanged. They eventually pleaded guilty to their involvement in the illicit business.
OTP Agency operated by offering paying subscribers access to one-time passcodes (OTPs) and personal information obtained through social engineering tactics. The service had a basic tier at £30 per week, providing access to a phone bot designed to trick individuals into disclosing OTPs for various online accounts. The more expensive elite plan, costing £380 per month, allowed subscribers to create automated call messages and provided scripts to target banking and telco platforms.
Investigators recovered scripts aimed at customers of BT, Sky, Virgin Media, HM Revenue & Customs, Mastercard, and Visa. The illicit service aided criminals in bypassing multi-factor authentication steps, enabling them to gain unauthorized access to victims’ accounts and carry out fraudulent transactions.
How much money OTP Agency generated remains unknown. Estimates range from £90,000 to £7.9 million based on subscriber numbers and package choices.
The roles of the individuals involved varied, with Picari serving as the owner, developer, and primary beneficiary of OTP Agency. Siddeeque provided customer support and promotion, while Vijayanathan helped promote the site and managed the website and Telegram channels.
In January 2023, all three were charged with conspiracy to produce and supply fraudulent articles. They eventually pleaded guilty to the charges. Picari received a sentence of two years and eight months in prison for money laundering, while Vijayanathan and Siddeeque were handed 12-month community orders and ordered to carry out community service.
The NCA emphasized the importance of vigilance in online banking and urged individuals to verify unexpected requests for personal information. The case serves as a reminder of the NCA’s commitment to dismantling fraudulent operations and holding perpetrators accountable for their actions.