Three men have pleaded guilty in a UK court after operating a website that helped cybercriminals bypass multi-factor authentication.
The group, comprising Vijayasidhurshan Vijayanathan, Callum Picari and Aza Siddeeque, ran the OTP.[.]Agency website between September 2019 and March 2021, when the page was closed.
During this period, the NCA suggested The trio could have made up to £7.9m from the operation. The subscription service gave hackers access to technology that would intercept one-time passwords (OTPs) used in the multi-factor authentication mechanisms of several major banks.
The group's basic subscription package charged £30 a week and gave them access to platforms including HSBC, Monzo and Lloyds, allowing them to complete fraudulent transactions and empty victims' accounts.
For a weekly fee of £380, this access was extended to Visa and Mastercard verification sites.
The group promoted its services in a Telegram group with more than 22,000 members, promising customers they could make “profits in a matter of minutes.”
“Ever wanted to get a one-time passcode for any website? Now you can! With OTPAgency you can get a one-time passcode for vbv, over 30 other sites and also Apple Pay… it’s only £30 per week and you really don’t want to miss out on this opportunity,” read one post from Picari in the group.
NCA investigators began investigating the site in June 2020 and estimated that more than 12,500 members of the public were targeted during the period the operation was active between 2019 and 2021.
The group that evaded the MFA “opened the door to scammers”
All three members were charged with conspiracy to manufacture and supply articles for use in fraud, charges that carry a maximum sentence of 10 years.
Picari, who the NCA said was the ringleader and main beneficiary of the operation, was also charged with money laundering, which carries a maximum sentence of 14 years.
Shortly after details of the group's activities facilitating the fraud were published, Krebs on security In February 2021, messages exchanged between Picari and Vijayanathan revealed their attempts to cover their tracks.
“[B]“We are in big trouble… You are going to kick me out… Bro, delete the chat,” Picari warned. “It is so incriminating… Take a look and search for ‘fraud’… Think of all the evidence… we can find… in the OTP chat… they will find [it]”.
Anna Smith, operations manager for the NCA's Cyber Crime Unit, said the group had laid the groundwork for other hackers to steal large sums and their conviction should serve as a warning to others looking to do the same.
“The trio profited from these serious offences by running www.OTP.Agency and their convictions are a warning to anyone offering similar services – the NCA has the power to disrupt and dismantle websites that pose a threat to people’s livelihoods.”
All three initially denied being knowingly involved in a criminal operation but have since admitted the charges and are due to be sentenced at Snaresbrook Crown Court on 2 November 2024.