A cyber criminal group behind an MFA bypass operation promised hackers “profit within minutes” – they’re now facing lengthy jail sentences

Three men have pleaded guilty in a UK court after operating a website assisting cyber criminals to bypass multi-factor authentication.

The group, composed of Vijayasidhurshan Vijayanathan, Callum Picari, and Aza Siddeeque, ran the OTP[.]Agency site between September 2019 and March 2021, when the page was shut down.

During this period, the NCA suggested the trio could have made as much as £7.9 million from the operation. The subscription service gave hackers access to technology that would intercept one-time passwords (OTPs) used in a number of major banks’ multi-factor authentication mechanisms.

The group’s basic subscription package charged £30 a week giving them access to platforms including HSBC, Monzo, and Lloyds, enabling them to complete fraudulent transactions and drain victim’s accounts.

For a weekly fee of £380 this access was extended to the Visa and Mastercard verification sites.

The group promoted their services in a Telegram group with over 2,2000 members, promising customers they could make “profit within minutes”.

“Ever wanted to grab a one time passcode for any website? Well now you can! With OTPAgency you can grab an otp for vbv, 30+ sites and also Apple Pay.. it’s only £30 a week you really don’t wanna miss out,” read one message from Picari in the group.

Investigators from the NCA began probing the page in June 2020 and estimated that over 12,500 members of the public were targeted during the period in which the operation was active between 2019 and 2021.

MFA bypass group “opened the door for fraudsters”

All three members were charged with conspiracy to make and supply articles for use in fraud - charges that carry a maximum sentence of 10 years.

Picari, who the NCA claimed was the ringleader and main beneficiary of the operation, was also charged with money laundering with a maximum sentence of 14 years.

Shortly after details of the group’s fraud-enabling activities were published by Krebs on Security in February 2021, messages exchanged between Picari and Vijayanathan revealed their attempts to cover their tracks.

“[B]ro we are in big trouble … U will get me bagged … Bro delete the chat,” Picari warned. “It’s so incriminating … Take a look and search ‘fraud’ … Just think of all the evidence … that we cba to find … in the OTP chat … they will find [it]”.

The next evolution of endpoint management for Apple devices

Anna Smith, operations manager at the NCA’s Cyber Crime Unit said the group laid the foundations for other hackers to steal large sums and that their conviction should serve as a warning to others looking to do the same.

“The trio profited from these serious crimes by running www.OTP.Agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people’s livelihoods.”

All three initially denied knowingly being involved in a criminal operation but have all since admitted to the charges, with sentences to be handed down at Snaresbrook Crown Court on 2 November 2024.