Three UK nationals have pleaded guilty to operating otp[.]agency, a notorious online service that intercepted one-time passcodes (OTPs) to facilitate online account takeovers. Launched in November 2019, the service allowed scammers with stolen bank credentials to generate automated calls to victims, tricking them into sharing OTPs sent via SMS. These intercepted codes were then relayed to scammers, enabling unauthorized access to victims’ accounts.
Short Narrative
The UK National Crime Agency (NCA) identified and arrested the operators: Callum Picari, 22, from Essex; Vijayasidhurshan Vijayanathan, 21, from Buckinghamshire; and Aza Siddeeque, 19, also from Buckinghamshire. Despite initial shutdown efforts following exposure by a 2021 KrebsOnSecurity report, the service briefly continued operations before a final shutdown and the trio’s arrest in March 2021. During its operation, the service targeted over 12,500 victims.
Key Points
- Accused: Callum Picari; Vijayasidhurshan Vijayanathan; Aza Siddeeque.
- Service Operations: otp[.]agency launched in 2019 to intercept OTPs for online account takeovers. Scammers input a victim’s phone number, triggering fake security calls to extract OTPs.
- Operators Arrested: The service was run by Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque, all of whom have pleaded guilty to their roles in the operation.
- Exposure and Shutdown: After being exposed in 2021, otp[.]agency briefly attempted to continue its operations but ultimately shut down following the arrests.
- Widespread Impact: The service targeted over 12,500 individuals during its 18-month activity span.
Actionable Insight
The case underscores the growing threat posed by cybercriminals exploiting OTP interception services to compromise online accounts. Authorities and cybersecurity experts emphasize the importance of vigilance against phishing schemes, particularly those involving fake alerts from financial institutions. Users should never provide personal information or OTPs to unsolicited callers and are advised to verify their account status directly through official channels if they receive suspicious communications. This incident also highlights the persistent risk of other similar services that remain operational, like SMSRanger, continuing to target unsuspecting victims.
