Trio sentenced for circumventing banking anti-fraud checks

Three men were sentenced on 27 January for running a website enabling criminals to defraud victims by circumventing banking anti-fraud checks and making up to an estimated £7.9m in subscription fees.

In a statement National Crime Agency said its investigation showed that www.OTP.Agency was run by Callum Picari, 23, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire. OTP stands for 'one-time passcode'.

Criminals were charged a monthly subscription fee for a service which allowed them to access personal bank accounts and other accounts online to commit account takeover, fraud and steal money.

They did so by socially engineering bank account holders into disclosing genuine one-time-passcodes, or giving other personally identifiable information.

A basic package costing £30 a week allowed access to the OTP.Agency spoof call bot, designed to trick victim account holders into disclosing genuine one-time passcodes for their online accounts. This enabled criminals to bypass multifactor authentication on online banking and telecoms platforms, allowing them to access accounts and complete fraudulent transactions.

An elite plan cost £380 per month, which offered both a bespoke 'free text to speech' service, where criminals could type any message they wanted an automated call to say, and pre-scripted calls specifically designed by Picari, Vijayasidhurshan and Siddeeque to target customers. Officers recovered scripts for use by criminals pretending to call from BT, Sky, Virgin Media, HMRC, Mastercard and Visa.

NCA cyber investigators began probing the website in June 2020 and believe over 12,500 members of the public were targeted with over 65,000 spoof calls between September 2019 and March 2021, when it was taken offline after the trio were arrested.

It is not known how much money the group made from the venture but estimates show it would have been around £90,000 if the 3,000 subscribers purchased the basic plan once, and up to £7.9 million if they opted for the elite package on a weekly basis.

Siddeeque promoted the website and provided technical support to criminal customers on Telegram in exchange for unlimited use of the website to commit fraud.

Vijayanathan also promoted the website, as well as managing its administration and Telegram channel chat moderators, such as Siddeeque.

Picari was the OTP.Agency owner, developer and main beneficiary. He plugged the service on a Telegram group with over 2,200 members, posting a message in October 2019 which read: "First and last professional service for your OTP stealing needs. We promise you will be making profit within minutes of purchasing our service..."

He also said: "Ever wanted to grab a one time passcode for any website? Well now you can! With OTPAgency you can grab an otp for vbv, 30+ sites and also Apple Pay.. it's only £30 a week you really don't wanna miss out".

The OTP Agency Telegram group was deleted after an article published by Krebs on Security in February 2021 prompted a panicked message exchange between Picari and Vijayanathan.

Picari said: "bro we are in big trouble"... "U will get me bagged"... Bro delete the chat"

Vijayanathan: "Are you sure"

Picari: "So much evidence in there"

Vijayanathan: "Are you 100% sure"

Picari: "It's so incriminating"..."Take a look and search "fraud"..."Just think of all the evidence"..."that we cba to find"..."in the OTP chat"..."they will find"

Vijayanathan: "Exactly so if we just shut EVERYTHING down"

Picari: "They went to our first ever msg" ...We look incriminating"..."if we shut down"..."I say delete the chat"..."Our chat is Fraud 100%"

Vijayanathan: "Everyone with a brain will tell you stop it here and move on"

Picari: "Just because we close it doesn't mean we didn't do it"..."But deleting our chat"..."Will f*^k their investigations"..."There's nothing fraudulent on the site"

The trio were charged with conspiracy to make and supply articles for use in fraud in January 2023. Picari was also charged with money laundering.

They all initially denied knowingly being involved in criminality, but admitted the charges at Snaresbrook Crown Court, with Siddeeque being the last to plead guilty in August last year.

At the same court today (27 January) Picari was sentenced to two years and eight months imprisonment. Vijayanathan and Siddeeque were both given 12-month community orders and ordered to pay costs of £760 each. They will also have to undertake 200 hours and 160 hours of community service respectively.

Confiscation proceedings against Picari have commenced.

Tim Court, a senior manager from the NCA's National Cyber Crime Unit, said: "As this case shows, the NCA has the ability to disrupt and dismantle websites like www.OTP.Agency, which cause harm to the public, and bring those responsible to justice.

"We would urge anyone using online banking services to be vigilant.

"Criminals can pretend to be a trusted person or company when they call, email or message you. If something seems suspicious or unexpected, such as requests for personal information, contact the organisation directly to check using details published on their official website."

Craig Rice, CEO of the Cyber Defence Alliance, said: "This is another example of UK law enforcement's determination to target criminal services which are industrialising fraud. The Cyber Defence Alliance were able to identify the impact of this service on UK financial services and support NCA investigators, leading to the disruption and arrest of those involved. Law enforcement working with industry makes for a formidable alliance that will disrupt criminal networks."