UK trio pleads guilty to running $10M MFA bypass biz

Crew bragged they could help crooks raid victims' bank accounts


A trio of men have pleaded guilty to running a multifactor authentication (MFA) bypass ring in the UK, which authorities estimate has raked in millions in less than two years.

Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque have each admitted to responsibility for running OTP.agency, an underground operation that provided cybercriminals with access to tools to help them socially engineer targets, bypass MFA, and ultimately steal money from victims' bank accounts, according to the UK's National Crime Agency (NCA). 

For as little as £30 ($39) a week, the crew offered MFA bypass tools for banks like HSBC, Monzo and Lloyds, while an elite-level plan for £380 ($498) per week also "granted access to Visa and Mastercard verification sites," NCA noted. That said, the agency stressed in a note to The Register that in "no way were Mastercard or Visa’s systems compromised as a result of this criminality."

It's estimated that more than 12,500 victims were targeted using OTP.agency's tools.

The OTP Agency crew: From left, Vijayasidhurshan Vijayanathan, Callum Picari and Aza Siddeeque. Source: NCA

It's not revealed how much the trio may have banked between September 2019 and March 2021, when they were arrested and the site was taken offline, but the NCA estimates it could be up to £7.9 million ($10.3 million).

OTP.agency began advertising its services in late 2019 in a Telegram group where the trio described themselves as the "first and last professional service for your OTP [one-time password] stealing needs," the NCA said. "We promise you will be making profit within minutes of purchasing our service." 

The group also claimed they could grab a one-time password "for any website," including Apple Pay and "30+ sites." Details of the technology underpinning the group's operation weren't shared, and we're not told if the trio manufactured their own malware or simply cobbled together other as-a-service products to build their own derivative product. 

According to UK law enforcement, the Telegram group had more than 2,200 members by the time it was shut down shortly after cybersecurity journalist Brian Krebs reported on the existence of the group in February 2021, a month before the trio were arrested. However, that report did not lead to the arrests. The NCA had been investigating OTP.agency since June 2020.

Picari, Vijayanathan, and Siddeeque pleaded guilty to charges of conspiracy to make and supply articles for use in fraud. Picari, flagged as the ringleader, developer and main beneficiary of the operation, was also charged with money laundering. Each faces up to 10 years in prison for the conspiracy charge, while Picari is also facing a maximum sentence of 14 years for money laundering.

"Picari, Vijayanathan and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public," NCA national cyber crime unit operations manager Anna Smith said. "Their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people's livelihoods."

Editor's note: This article was updated on September 5 to include the NCA's observation that no Mastercard or Visa systems were compromised by the OTP gang.
