In a significant development, three individuals have confessed to their involvement in a sophisticated hacking operation that exploited two-factor authentication (2FA) systems, potentially resulting in gains of up to $10 million. The nefarious scheme was orchestrated by the culprits, Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque, through a website and Telegram group known as OTP Agency. The illegal activities caught the attention of the U.K. National Crime Agency (NCA), which confirmed their participation and unveiled the extensive scope of their illicit enterprise.
The investigation into OTP Agency commenced in June 2020, with the fraudulent activities believed to have begun as early as September 2019. According to the NCA, the operation was a meticulously planned scheme where cybercriminals could bypass 2FA protections to gain access to bank accounts and conduct fraudulent transactions. By the time the website was shut down, approximately 12,500 individuals had fallen victim to these malicious actors.
The OTP Agency enticed members with a variety of subscription plans. The basic package, priced at £30 per week, allowed users to bypass 2FA protections on various banking platforms like HSBC, Monzo, and Lloyds. For those seeking more advanced features, the elite plan, costing £380 per week, provided access to Visa and Mastercard verification sites, enhancing the fraudsters’ capabilities to exploit financial systems.
The OTP Agency was aggressively promoted on Telegram, boasting a membership base of over 2,200 individuals. The group served as a platform to advertise the 2FA bypass service, with Picari and his associates luring clients with promises of quick financial gains. Picari, the mastermind behind the operation, was responsible for the development and maintenance of the website, as well as actively promoting the service on Telegram. Vijayanathan played a role in marketing and support, while Siddeeque provided technical assistance to clients.
Subsequent to their arrest, the trio faced serious charges, including conspiracy to make and supply articles for use in fraud and money laundering, in Picari’s case. The conspiracy charge carries a maximum penalty of 10 years in prison, while money laundering can result in a 14-year sentence. Despite initially denying their involvement, all three individuals have now pleaded guilty and await sentencing at Snaresbrook Crown Court.
NCA Operations Manager Anna Smith underscored the severity of the trio’s actions, stating, “Picari, Vijayanathan, and Siddeeque facilitated fraudsters in accessing bank accounts and stealing money from unsuspecting members of the public. Their convictions serve as a stark warning to anyone contemplating offering similar services; the NCA is well-equipped to disrupt and dismantle websites that jeopardize people’s financial security.”
The financial ramifications of the OTP Agency’s operations are substantial, with estimates suggesting potential earnings of £7.9 million ($10 million) if all members had opted for the elite subscription package. This figure underscores the significant damage that can be caused by such 2FA bypass schemes, emphasizing the importance of cybersecurity awareness and vigilance in combating cyber threats.