OTP.Agency Platform Administrators Admit Guilt in Bypassing Multi-Factor Authentication
Three men have pleaded guilty to creating OTP.Agency, a platform that provided social engineering services to obtain one-time passcodes (OTPs) for various banks and services in the United Kingdom. OTPs are a key part of multi-factor authentication systems, and criminals can use them to gain access to victims’ bank accounts and other sensitive services.
According to authorities, more than 12,500 people were affected by the actions of 22-year-old Callum Picari, 21-year-old Vijayasidhurshan Vijayanathan, and 19-year-old Aza Siddeeque between September 2019 and March 2021. After this period, the UK’s National Crime Agency (NCA) shut down the OTP.Agency website.
The NCA reports that Picari was the owner and main developer of the platform, while Siddeeque was responsible for promoting the site and providing technical support to criminals who purchased subscriptions to the service.
How OTP.Agency Operated
OTP.Agency promised its clients delivery of OTPs for more than 30 services, including Apple Pay. Subscriptions ranged from £30 (about $39 USD) for a basic plan to £380 (about $498 USD) for an elite plan. The basic package allowed users to bypass multi-factor authentication at banks such as HSBC, Monzo, and Lloyds, while the elite package unlocked access to Visa and Mastercard verification sites.
In practice, criminals who already had a victim’s login credentials for a particular service still needed the OTP. OTP.Agency offered to obtain this temporary passcode by making automated calls to victims using text-to-speech technology, asking them to provide the OTP. “Criminals would spoof their caller ID to make it appear as if the call was coming from the victim’s bank,” the NCA explained in a video demonstrating how OTP.Agency worked.
Financial Impact and Legal Consequences
Based on information gathered during the investigation, the NCA estimates that the three OTP.Agency operators could have earned up to £7.9 million (over $10 million USD) from their service. “It’s unclear exactly how much the group made from this project, but our estimates range from about £30,000 if users only purchased the basic plan, up to £7.9 million if they chose the elite package,” law enforcement officials stated.
The service operators now face charges of conspiracy to commit fraud and conspiracy to manufacture and supply devices for use in fraud. Picari, the owner of OTP.Agency, is also charged with money laundering. Under UK law, the first two charges carry a maximum prison sentence of 10 years, while money laundering is punishable by up to 14 years in prison.