Three individuals have admitted guilt in connection with a sophisticated hacking operation that exploited two-factor authentication (2FA) systems, potentially netting up to $10 million. The 2FA bypass operation was orchestrated by culprits, Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque, through a website and Telegram group known as OTP Agency. Their activities drew the attention of the U.K. National Crime Agency (NCA), which confirmed their involvement and revealed the extensive reach of their illicit enterprise.
The investigation into OTP Agency began in June 2020, but the fraudulent activities were believed to have commenced as early as September 2019. According to the NCA, the operation was a well-orchestrated scheme where cybercriminals could bypass 2FA protections to access bank accounts and execute fraudulent transactions. By the time the website was taken offline, approximately 12,500 individuals had been targeted by these malicious actors.
Details of the 2FA Bypass Operation
The OTP Agency offered a range of subscription packages to its members. The basic plan, priced at £30 per week, allowed users to bypass 2FA protections on various banking platforms such as HSBC, Monzo, and Lloyds. For those seeking more advanced capabilities, the elite plan, costing £380 per week, provided access to Visa and Mastercard verification sites, further enhancing the fraudsters’ abilities to exploit financial systems.
The OTP Agency was marketed aggressively on Telegram, where it boasted a membership base of over 2,200 individuals. The group was used to promote the 2FA bypass service, with Picari and his associates promising quick financial gains for their clients. In a message posted in October 2019, Picari wrote: “First and last professional service for your OTP stealing needs. We promise you will be making profit within minutes of purchasing our service…” Such pitches highlight the operational nature of this 2FA fraud agency.
Picari, Vijayanathan, and Siddeeque’s roles were well-defined within the operation. Picari, the mastermind behind the OTP Agency, was responsible for developing and maintaining the website. He also actively promoted the service on Telegram. Vijayanathan assisted in marketing and support, while Siddeeque provided technical assistance to clients utilizing the service. The conversation revealed their awareness of the incriminating evidence and their efforts to mitigate the damage by deleting communications.
Legal Proceedings and Sentencing
Following their arrest, the trio faced serious charges, including conspiracy to make and supply articles for use in fraud and, in Picari’s case, money laundering. The conspiracy charge carries a maximum penalty of 10 years in prison, while money laundering can lead to a 14-year sentence. Despite initially denying their involvement, all three men have now pleaded guilty. They are scheduled to be sentenced at Snaresbrook Crown Court.
NCA Operations Manager Anna Smith emphasized the gravity of the trio’s actions: “Picari, Vijayanathan, and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public. Their convictions serve as a stern warning to anyone else considering offering similar services; the NCA is fully equipped to disrupt and dismantle websites that threaten people’s financial security.”
The financial impact of the OTP Agency’s operations is substantial. Estimates suggest that if all members had opted for the elite subscription package, the total earnings could have approached £7.9 million ($10 million). This figure highlights the potential scale of damage caused by such 2FA bypass schemes.