September 2, 2024

Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.

Launched in November 2019, OTP Agency was a service for intercepting one-time passcodes needed to log in to various websites. Scammers who had already stolen someone’s bank account credentials could enter the target’s phone number and name, and the service would initiate an automated phone call to the target that warned them about unauthorized activity on their account.

The call would prompt the target to enter a one-time passcode that was sent to the user via SMS when the thieves attempted to log in. Any codes shared by the target were then relayed to the scammer’s user panel at the OTP Agency website.

A statement published Aug. 30 by the U.K.’s National Crime Agency (NCA) said three men pleaded guilty to running OTP Agency: Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.

KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K. Someone claiming to represent OTP Agency then posted several comments on the piece, wherein they claimed the story was libelous and that they were a legitimate anti-fraud service. However, the service’s Telegram channel clearly showed its proprietors had built OTP Agency with one purpose in mind: To help their customers take over online accounts.

Within hours of that publication, OTP Agency shuttered its website and announced it was closing up shop and purging its user database. The NCA said the February 2021 story prompted a panicked message exchange between Picari and Vijayanathan:

Picari said: bro we are in big trouble… U will get me bagged… Bro delete the chat

Vijayanathan: Are you sure

Picari: So much evidence in there

Vijayanathan: Are you 100% sure

Picari: It’s so incriminating…Take a look and search ‘fraud’…Just think of all the evidence…that we cba to find…in the OTP chat…they will find

Vijayanathan: Exactly so if we just shut EVERYTHING down

Picari: They went to our first ever msg…We look incriminating…if we shut down…I say delete the chat…Our chat is Fraud 100%

Vijayanathan : Everyone with a brain will tell you stop it here and move on

Picari: Just because we close it doesn’t mean we didn’t do it…But deleting our chat…Will f*^k their investigations…There’s nothing fraudulent on the site

Despite deleting its Telegram channel, OTP Agency evidently found it difficult to walk away from its customers (and/or the money). Instead of shutting down as Vijayanathan wisely advised, just a few days later OTP Agency was communicating with customers on a new Telegram channel, offering a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.

OTP Agency, immediately after their initial shutdown, telling customers their existing logins will still work.

But that revival would be short-lived. The NCA said the site was taken offline less than a month later when the trio were arrested. NCA investigators said more than 12,500 people were targeted by OTP Agency users during the 18 months the service was active.

Picari was the owner, developer and main beneficiary of the service, and his personal information and ownership of OTP Agency was revealed in February 2020 in a “dox” posted to the now-defunct English-language cybercrime forum Raidforums. The NCA said it began investigating the service in June 2020.

The OTP Agency operators who pleaded guilty to running the service; Aza Siddeeque, Callum Picari, and Vijayasidhurshan Vijayanathan.

OTP Agency might be gone, but several other similar OTP interception services are still in operation and accepting new customers, including a long-running service KrebsOnSecurity profiled in September 2021 called SMSRanger. More on SMSRanger in an upcoming post.

Text messages, emails and phone calls warning recipients about potential fraud are some of the most common scam lures. If someone (or something) calls saying they’re from your bank, or asks you to provide any personal or financial information, do not respond.  Just hang up, full stop.

If the call has you worried about the security and integrity of your account, check the account status online, or call your financial institution — ideally using a phone number that came from the bank’s Web site or from the back of your payment card.

Further reading: When in Doubt, Hang Up, Look Up, and Call Back


14 thoughts on “Owners of 1-Time Passcode Theft Service Plead Guilty

  1. Jonny

    Thanks Brian. Guess it’s time 1-time sms passcodes be replaced with 2FA apps, of course if a phone is stolen that won’t help much

    1. Max.

      Won’t we face the same issue? The automated call could ask for passcodes from a 2FA app instead of an SMS code, right? 2FA app passcodes expire more quickly than SMS passcodes, don’t they?

  2. Gannon

    Apple Weather is “pulling the same scam” so to speak with sunrise and sunset. Can you hear me now ? … Verizon warned you with that commercial.

    This was supposed to be Silicon Valley’s ‘Summer of Productivity’ and I for one am glad it’s over. That meme was debunked in the first scene of Gone With The Wind. What Middle America really needed this summer was Air Conditioning.

    Happy Labor Day

  3. Quid

    Odd that those supposedly end to end encrypted Telegram messages were revealable. Did they not delete them as they said they would or were they being intercepted all along by the UK NCA, perhaps with assistance from GCHQ & NSA?

    If the latter, then is the arrest of the Telegram founder Pavel Durov all a farce/charade?
    Perhaps the French have been left out and can’t break into Telegram or it’s all part of the game?
    Hopefully at least the UK & US can read the Russian’s Telegram messages. Lots of good info there.

    1. BrianKrebs Post author

      Whoever told you Telegram messages were encrypted was incorrect. By default, they are not. And certainly not large channels where dozens of people are talking at once.

  4. RWKOS

    Until passkeys are widely deployed, I wish more sites would move to TOTP 2FA and leave SMS behind.

  5. Catwhisperer

    Wow, and to think of the talent in these three young minds to integrate all the pieces and keep it going. Hopefully they change their lives around after a few years of focused meditation on concrete blocks…

  6. Incalculable

    Hey Brian,

    What are your thoughts on AI being used to thwart situations like this? I worry that in the currently increasing pseudo- (because do people really understand things now?) technological society, that seems both overly sociable and paradoxically paranoid, the increasing zeal to automate will not really lead to a more secure society but rather a draconian freakish Orwellian nightmare. Some would argue we are already 95% there.

    I, for one, would not be passing around the popcorn when people get caught (tempting as I am sure, to many, that would be) so much as focusing on what can be done to make sure that society doesn’t, practically overnight, become a place where you cannot do the necessary functions in life if some rando crazy person or mugger steals your phone/laptop.

    It seems worst in the US.

  7. barely ablemann

    thank you, Brian. It is always great to read your posts. I appreciate the info that you provide.
    On my phone, I get a few 3 digit texts from my telco, and generally 5 digit texts from other creditors. And I have asked my bank for a way to verify any fraud alert texts they may send. Once I had a credit card hacked with one charge in California and one charge in Moscow Russia, but luckily the bank flagged and denied them. In the case of my bank, going to their website was quite frustrating because there was some general info on fraud, but no real specific info on what to do about a text alert or a way to verify it. I ended up calling in to the bank and speaking with the IT guy who said their alert system was new, but he did speak with me for awhile, and I told him there should be clear info prominently displayed without having to do a lot of searching. In the flurry of info that can come on your phone as they become the critical link to everything else in your life, I would think there would be a better way.

Comments are closed.