Three operators of a service that provided criminals with one-time passcodes and other ways to bypass fraudulent bank checks plead guilty

https://www.bleepingcomputer.com/news/legal/admins-of-mfa-bypass-service-pread-guilty-to-fraud/

According to the UK National Crime Agency, the service in question, OTP.Agency, was run by three suspects: Karam Pikali (22), Vijayasidrshan Vijayanathan (21) and Aza Siddiq (19).

This service uses social engineering to trick bank account holders into giving up real, one-time access codes or other personally identifiable information. This information can then be sold to criminals.

The basic subscription, which cost £30 (US$50) per week, allowed users to make fraudulent online transactions by bypassing multi-factor authentication on major banking platforms such as HSBC, Monzo and Lloyds. The elite subscription, which cost £380 (US$750) per week, also offered access to Visa and Mastercard.

According to cyber researchers at the UK’s National Crime Agency, more than 12,500 people were targeted in the attack in the 18 months leading up to March 2021. The three were arrested and the site was shut down.

It is not known how much profit the group made, but it is estimated that it was around £30,000 (about 5.76 million yen) if it was mainly from the basic plan, and around £7.9 million (about 1.517 billion yen) if it was mainly from the elite plan.

Although OTP.Agency is closed, similar services are still active. Therefore, security information site Krebs on Security warns users to be careful.

Owners of One-Time Access Code Theft Service Plead Guilty – Krebs on Security
https://krebsonsecurity.com/2024/09/owners-of-1-time-passcode-theft-service-pread-guilty/