Admins of MFA bypass service plead guilty to fraud
Three men have pleaded guilty to running OTP.Agency, an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K.
The codes - temporary passwords also known as OTPs, were part of multi-factor authentication protections and criminals subscribing to the illegal service could use them to access a victim's bank account and empty it.
Authorities estimate that Callum Picari (22), Vijayasidhurshan Vijayanathan (21), and Aza Siddeeque (19) targeted more than 12,500 people between September 2019 and March 2021, when UK's National Crime Agency (NCA) shit down the OTP.Agency website.
Picari was the owner and main developer of the platform, while Siddequee was responsible for promoting the site and providing technical support to criminals who purchased subscriptions to the service.
OTP.Agency promised to help deliver OTPs for over 30 online services, including Apple Pay, for weekly subscriptions that ranged between £30, for the basic plan and £380 for the elite one.
A criminal who already had a victim's login credentials to a service would also need the OTP, which OTP.Agency obtained by making automated, scripted calls to the victim using text-to-speech technology and asking for the temporary password.
"Criminals disguised the ID so it appeared as a real call from the victim's bank," the NCA explains in a video.
Three men have admitted running a website enabling criminals to circumvent banking anti-fraud checks. An NCA investigation showed that https://t.co/Gedby7jyq5 was run by Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque. Full story ➡️ https://t.co/zdK8Z0pqzr pic.twitter.com/wbu5eTLpTW
— National Crime Agency (NCA) (@NCA_UK) August 31, 2024
The basic package enabled bypassing multi-factor authentication for bank accounts at HSBC, Monzo, and Lloyds, while the top-tier unlocked access to Visa and Mastercard verification sites.
The three individuals also ran a Telegram group where they communicated to more than 2,200 members.
Based on the information gathered during the investigation, the NCA believes that the three actors could have made up to £7.9 million.
The trio faces charges of conspiracy to commit fraud and conspiracy to make and supply articles for use in fraud. OTP.Agency’s owner, Picari, is also charged with money laundering.
Per UK law, the first two charges can carry a maximum prison sentence of up to 10 years, while money laundering is punishable by up to 14 years.
The exact sentences will be determined by the Snaresbrook Crown Court during a hearing scheduled for November 2.
Linux version of new Cicada ransomware targets VMware ESXi servers
Transport for London discloses ongoing “cyber security incident”
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
CWE-1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-1286 Improper Validation of Syntactic Correctness of Input
MediumCWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface
CWE-1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
Free online web security scanner
