Three men have been sentenced for running a website enabling criminals to defraud victims by circumventing banking anti-fraud checks.
A National Crime Agency investigation showed that www.OTP.Agency was run by Callum Picari, 23, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.
OTP stands for ‘one-time passcode’.
Criminals were charged a monthly subscription fee for a service which allowed them to access personal bank accounts and other accounts online to commit account takeover, fraud and steal money.
They did so by socially engineering bank account holders into disclosing genuine one-time-passcodes, or giving other personally identifiable information.
A basic package costing £30 a week allowed access to the OTP.Agency spoof call bot, designed to trick victim account holders into disclosing genuine one-time passcodes for their online accounts. This enabled criminals to bypass multifactor authentication on online banking and telecoms platforms, allowing them to access accounts and complete fraudulent transactions.
An elite plan cost £380 per month, which offered both a bespoke ‘free text to speech’ service, where criminals could type any message they wanted an automated call to say, and pre-scripted calls specifically designed by Picari, Vijayasidhurshan and Siddeeque to target customers. Officers recovered scripts for use by criminals pretending to call from BT, Sky, Virgin Media, HMRC, Mastercard and Visa.
NCA cyber investigators began probing the website in June 2020 and believe over 12,500 members of the public were targeted with over 65,000 spoof calls between September 2019 and March 2021, when it was taken offline after the trio were arrested.
It is not known how much money the group made from the venture but estimates show it would have been around £90,000 if the 3,000 subscribers purchased the basic plan once, and up to £7.9 million if they opted for the elite package on a weekly basis.
Siddeeque promoted the website and provided technical support to criminal customers on Telegram in exchange for unlimited use of the website to commit fraud.
Vijayanathan also promoted the website, as well as managing its administration and Telegram channel chat moderators, such as Siddeeque.
Picari was the OTP.Agency owner, developer and main beneficiary. He plugged the service on a Telegram group with over 2,200 members, posting a message in October 2019 which read: “First and last professional service for your OTP stealing needs. We promise you will be making profit within minutes of purchasing our service…”
He also said: “Ever wanted to grab a one time passcode for any website? Well now you can! With OTPAgency you can grab an otp for vbv, 30+ sites and also Apple Pay.. it’s only £30 a week you really don’t wanna miss out”.
The OTP Agency Telegram group was deleted after an article published by Krebs on Security in February 2021 prompted a panicked message exchange between Picari and Vijayanathan.
Picari said: “bro we are in big trouble”… “U will get me bagged”… Bro delete the chat”
Vijayanathan: “Are you sure”
Picari: “So much evidence in there”
Vijayanathan: “Are you 100% sure”
Picari: “It’s so incriminating”…”Take a look and search “fraud”…”Just think of all the evidence”…”that we cba to find”…”in the OTP chat”…”they will find”
Vijayanathan: “Exactly so if we just shut EVERYTHING down”
Picari: “They went to our first ever msg” …We look incriminating”…”if we shut down”…”I say delete the chat”…”Our chat is Fraud 100%”
Vijayanathan: “Everyone with a brain will tell you stop it here and move on”
Picari: “Just because we close it doesn’t mean we didn’t do it”…”But deleting our chat”…”Will f*^k their investigations”…”There’s nothing fraudulent on the site”
The trio were charged with conspiracy to make and supply articles for use in fraud in January 2023. Picari was also charged with money laundering.
They all initially denied knowingly being involved in criminality, but admitted the charges at Snaresbrook Crown Court, with Siddeeque being the last to plead guilty in August last year.
At the same court Monday (27 January) Picari was sentenced to two years and eight months imprisonment. Vijayanathan and Siddeeque were both given 12-month community orders and ordered to pay costs of £760 each. They will also have to undertake 200 hours and 160 hours of community service respectively.
Confiscation proceedings against Picari have commenced.
