UK authorities are about to sentence three young men for running a service designed to provide fraudsters with people’s multi-factor authentication codes to break into their bank accounts and steal their money.
Three men have pleaded guilty to running a website enabling criminals to circumvent banking anti-fraud checks, the UK’s National Crime Agency has announced.
The service, hosted at www.OTP.Agency, was run by Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.
In what can essentially be considered fraud-as-a-service, the gang advertised multi-tier packages, charging a subscription fee to socially engineer bank account holders into disclosing genuine one-time passcodes (OTPs) or other personally identifiable information.
For £30 a week, fraudsters could get multi-factor authentication codes of people with accounts on platforms such as HSBC, Monzo and Lloyds. For an elite £380-a-week plan, criminals could gain access to Visa and Mastercard verification sites.
“These plans allowed criminals to access personal bank accounts and steal money,” the NCA says.
Over 12,500 members of the public were targeted between September 2019 and March 2021. The trio were arrested in 2021, marking the takedown of their operation and website.
It is estimated the group made anywhere from £30,000, if users purchased the basic plan, to a whopping £7.9 million if they had opted for the elite package, the NCA said.
The three are charged with conspiracy to make and supply articles for use in fraud. Picari, the developer of the website, is also charged with money laundering. All three have pleaded guilty to all charges and face sentencing at Snaresbrook Crown Court on Nov. 2.
Stories like these are a stark reminder to use strong, unique passwords for online accounts. Netizens should also refresh those passwords now and then to keep fraudsters from finding current login information in data dumps or password attacks (brute force or dictionary attacks).
More importantly, consumers must stay vigilant as socially engineered scams are on the rise. According to the Bitdefender 2024 Consumer Cybersecurity Assessment Report, text-based scams are the most common threat consumers face today. Yet four in five netizens make sensitive transactions on their phones without adequate cybersecurity practices – all while saying they most fear hackers accessing their money.
The results of our study also indicate that people who can’t recognize a scam may have experienced one without knowing. So it’s important to spot the red flags before it’s too late. A recently published Bitdefender guide lists the five most common signs you’re being scammed and tells you how to protect yourself.
Read: Got a Strange Text? 5 Signs That You’re Being Scammed (and How to Protect Yourself)
Remember that legitimate companies rarely ask you to share sensitive information like passwords, Social Security Numbers, or bank details via email or over the phone. Scammers, however, often ask for this information to steal your identity or money.
Consider using Scamio to combat socially engineered attacks on your finances. If you're suspicious of a certain phone call, email or SMS, Scamio provides a fast and efficient way to find out if you’re being conned. Simply describe the situation to our clever chatbot and let it guide you to safety. You can share with Scamio the exact thing you want to check: a screenshot, PDF, QR code or link. Scamio lets you know in seconds if it’s a scam. Use it anywhere via web browser, Facebook Messenger, or WhatsApp. Scamio is localized for use in the USA, France, Germany, Spain, Italy, Romania, Australia and the UK.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.