2 September 2024

Three admins of OTP interception service OTP Agency plead guilty



Three men have pleaded guilty to running a website that enabled criminals to circumvent banking anti-fraud checks, following an extensive investigation by the National Crime Agency (NCA).

The website, OTP[.]Agency, was operated by Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire. The trio were found to have facilitated criminal activities by allowing users to bypass multi-factor authentication (MFA) on major banking platforms, including HSBC, Monzo, and Lloyds.

The OTP[.]Agency service was a web-based bot designed to trick victims into handing over their OTP tokens. Customers of OTP Agency would input the target's phone number and name, after which the service would place an automated phone call to the target, warning them of suspicious activity on their account. The call would then prompt the target to enter an OTP token generated by their mobile app “for authentication purposes.” Once entered, the code would be sent back to the malicious user's dashboard on the OTP Agency website.

The NCA investigation revealed that criminals could subscribe to various service tiers on the website. A basic package, costing £30 (~$40) per week, enabled users to bypass MFA security measures, making it easier to carry out fraudulent transactions. Meanwhile, an elite plan, priced at £380 (~$499) per week, granted access to verification sites for Visa and Mastercard.

The website's services allowed criminals to gain unauthorized access to personal bank accounts by socially engineering victims into disclosing one-time passcodes or other sensitive information. This led to significant financial losses for over 12,500 individuals, who were targeted between September 2019 and March 2021, before the site was shut down following the operators' arrests.

Although the exact earnings of the group remain unclear, estimates suggest that the operation could have generated up to £7.9 million (~$10.3M) if users purchased the elite plan.

Siddeeque played a key role in promoting the website and providing technical support to customers, while Picari was the website's owner, developer, and primary beneficiary. He also advertised the service in a Telegram group with over 2,200 members.

The men were charged with conspiracy to make and supply articles for use in fraud, with Picari facing an additional charge of money laundering. Initially, all three defendants denied knowingly engaging in criminal activity, but each has since admitted to the charges, with Siddeeque being the last to plead guilty this week.

The trio is scheduled to be sentenced on November 2, 2024.

