Website operators promised fraudsters profit within minutes if they subscribed to illegal service
Three men have pleaded guilty to running a website enabling criminals to circumvent banking anti-fraud checks.
A National Crime Agency investigation showed that www.OTP.Agency was run by Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.
Criminals were charged a monthly subscription fee which helped them socially engineer bank account holders into disclosing genuine one-time-passcodes, or give other personally identifiable information.
A basic package costing £30 a week allowed multi-factor authentication to be bypassed on platforms such as HSBC, Monzo, and Lloyds so that criminals could complete fraudulent online transactions.
An elite plan cost £380 a week and granted access to Visa and Mastercard verification sites.
These plans allowed criminals to access personal bank accounts and steal money.
NCA cyber investigators began probing the website in June 2020 and believe over 12,500 members of the public were targeted between September 2019 and March 2021, when it was taken offline after the trio were arrested.
It is not known how much money the group made from the venture but estimates show it would have been around £30,000 if users purchased the basic plan and up to £7.9 million if they had opted for the elite package.
Siddeeque promoted the website and provided technical support to criminal customers.
Picari was its owner, developer and main beneficiary and plugged the service on a Telegram group with over 2,200 members, posting a message in October 2019 which read: “First and last professional service for your OTP stealing needs. We promise you will be making profit within minutes of purchasing our service…”
He also said: "Ever wanted to grab a one time passcode for any website? Well now you can! With OTPAgency you can grab an otp for vbv, 30+ sites and also Apple Pay.. it’s only £30 a week you really don’t wanna miss out”.
The Telegram group was deleted after an article published by Krebs on Security in February 2021 prompted a panicked message exchange between Picari and Vijayanathan.
Picari said: “bro we are in big trouble”… “U will get me bagged”… Bro delete the chat”
Vijayanathan: “Are you sure”
Picari: “So much evidence in there”
Vijayanathan: “Are you 100% sure”
Picari: “It’s so incriminating”...“Take a look and search “fraud”..."Just think of all the evidence”...“that we cba to find”...“in the OTP chat”...“they will find”
Vijayanathan: “Exactly so if we just shut EVERYTHING down”
Picari: “They went to our first ever msg” ...We look incriminating”...“if we shut down”...“I say delete the chat”...“Our chat is Fraud 100%”
Vijayanathan : “Everyone with a brain will tell you stop it here and move on”
Picari: “Just because we close it doesn’t mean we didn’t do it"...“But deleting our chat”..."Will f*^k their investigations”...“There’s nothing fraudulent on the site”
The trio were charged with conspiracy to make and supply articles for use in fraud. Picari was also charged with money laundering.
They all initially attempted to deny knowingly being involved in criminality, but have each since admitted the charges, with Siddeeque being the last to plead guilty this week.
All three will be sentenced at Snaresbrook Crown Court on 2 November 2024.
Anna Smith, Operations Manager from the NCA’s National Cyber Crime Unit, said: “Picari, Vijayanathan and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public.
“The trio profited from these serious crimes by running www.OTP.Agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people’s livelihoods.
“We would also urge anyone using online banking services to be vigilant.
“Criminals may pretend to be a trusted person or company when they call, email or message you. If something seems suspicious or unexpected, such as requests for personal information, contact the organisation directly to check using details published on their official website.”
Read more similar news:
Comments:
comments powered by Disqus
