Summary: Three men in the UK pleaded guilty to operating a fraudulent website that enabled criminals to bypass banking security during the COVID-19 lockdown, impacting over 12,500 individuals. The site, www.otp.agency, facilitated social engineering attacks to obtain one-time passcodes from bank account holders.
Threat Actor: Callum Picari, Vijayasidhurshan Vijayanathan, Aza Siddeeque | otp.agency
Victim: Public | UK banking fraud victims
Key Point :
- The website offered a subscription service for fraudsters to socially engineer bank customers into revealing sensitive information.
- Investigations revealed the trio’s attempts to delete incriminating evidence following media exposure.
- They face sentencing for conspiracy to commit fraud and money laundering, with a court date set for November 2024.
- The NCA warns that similar services will be targeted and urges vigilance among online banking users.
Three men in the United Kingdom have pleaded guilty to running a website that helped fraudsters evade banking security checks during the COVID-19 lockdown, allowing criminals to target more than 12,500 members of the public.
The ringleader, Callum Picari, 22, from Hornchurch, Essex, had set up the www.otp.agency site back in September 2019 alongside Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.
The men were arrested and the site was seized by National Crime Agency (NCA) officers in March 2021. It had offered criminals a monthly subscription to a service that helped them socially engineer bank account holders into disclosing one-time passcodes by calling the targetâs phone with a convincing automated bot.
A basic subscription, costing ÂŁ30 a week, allowed fraudsters to bypass multi-factor authentication on banking platforms including HSBC, Monco and Lloyds, while a so-called âelite planâ cost users ÂŁ380 a week and âgranted access to Visa and Mastercard verification sites,â said the NCA.
The agency said it did not know how much money the men had made through the criminal enterprise, and that the investigation had begun in June 2020.
According to the NCA, Picari was the âowner, developer and main beneficiaryâ of the site and had been advertising it on a Telegram group with over 2,200 members.
However, the Telegram group was deleted following an article by independent journalist Brian Krebs that the NCA said âprompted a panicked message exchange between Picari and Vijayanathanâ before sharing this exchange:
Picari: âbro we are in big troubleâ⌠âU will get me baggedâ⌠Bro delete the chatâ
Vijayanathan: âAre you sureâ
Picari: âSo much evidence in thereâ
Vijayanathan: âAre you 100% sureâ
Picari: âItâs so incriminatingâ…âTake a look and search âfraudâ…”Just think of all the evidenceâ…âthat we cba to findâ…âin the OTP chatâ…âthey will findâ
Vijayanathan: âExactly so if we just shut EVERYTHING downâ
Picari: âThey went to our first ever msgâ …We look incriminatingâ…âif we shut downâ…âI say delete the chatâ…âOur chat is Fraud 100%â
Vijayanathan: âEveryone with a brain will tell you stop it here and move onâ
Picari: âJust because we close it doesnât mean we didnât do it”…âBut deleting our chatâ…”Will f*^k their investigationsâ…âThereâs nothing fraudulent on the siteâ
All three initially attempted to deny being knowingly involved in criminality, but subsequently admitted to the charge of conspiracy to make and supply articles for use in fraud. Picari was also charged with money laundering.
They will be sentenced at Snaresbrook Crown Court on 2 November 2024.
Anna Smith, operations manager from the NCAâs National Cyber Crime Unit, said: âPicari, Vijayanathan and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public.
âThe trio profited from these serious crimes by running www.otp.agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to peopleâs livelihoods.
âWe would also urge anyone using online banking services to be vigilant. Criminals may pretend to be a trusted person or company when they call, email or message you,â said Smith.
âIf something seems suspicious or unexpected, such as requests for personal information, contact the organisation directly to check using details published on their official website.â
Recorded Future
Intelligence Cloud.
Source: https://therecord.media/guilty-pleas-uk-fraud-call-service-covid19-lockdown