'Bro delete the chat': Feel the panic shortly before cops bust major online fraud ring

Mastermind begs colluders to bury evidence later used to imprison him


In announcing the sentencing of three Brits who ran OTP Agency, an account-takeover business, the National Crime Agency (NCA) revealed how a 2021 report sent the fraudsters into a panicked frenzy.

"Bro we are in big trouble," said Callum Picari, 23, from Hornchurch, in East London, after infosec reporter Brian Krebs mentioned OTP Agency in a February 2021 investigation related to a separate phishing kit operation.

"U will get me bagged [sic]," Picari went on to say. "Bro delete the chat."

Other highlights from Picari's meltdown include:

The Register understands that the chat logs were swiped from Picari's phone when he was arrested just a few months after the messages were sent.

OTP Agency was created and operated by Picari and two pals: Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire, and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.

From left, Callum Picari, Aza Siddeeque, and Vijayasidhurshan Vijayanathan. Images courtesy of the National Crime Agency

All three were arrested in March 2021, shortly after the panicked messages were exchanged, and have since pleaded guilty to their various roles in the operation.

As the name suggests, OTP Agency was a service the three Brits offered that afforded paying subscribers access to one-time passcodes (OTPs) and other personal information the trio socially engineered from unwitting victims.

OTP Agency offered a basic tier costing members just £30 ($37.30) per week, granting access to a phone bot designed to trick victims into handing over OTPs for various online accounts.

UK law enforcement said the Telegram group where OTP Agency advertised its wares had over 2,200 members by the time it was shut down in February 2021, a month before the trio were arrested. Krebs's report did not lead to the arrests; the NCA had already been investigating OTP Agency from June 2020.

The agency said even the basic tooling the trio developed was successful and allowed fraudsters to bypass account authentication methods for telecoms accounts and online banking platforms to the extent that fraudulent transactions could be executed.

OTP Agency's elite plan was considerably more expensive, costing subscribers £380 ($472.53) per month. This tier allowed customers to create their own automated call messages and gave them access to scripts written by the trio that were designed to target banking and telco platforms. 

Investigators recovered scripts generated to target customers of BT, Sky, Virgin Media, HM Revenue & Customs, Mastercard, and Visa.

The service was used by criminals who already had banking data bought from the dark web, including usernames and passwords. However, OTP Agency helped criminals vault the final multi-factor authentication step.

The victim was sent an OTP via text message after the account access attempt was made. From there, the criminals logged into the OTP Agency website, typed in the victim's phone number, selected how they wanted their caller ID to appear, and crafted the automated message to be read to the customer.

In successful cases, the victim would then type the OTP into their keypad, allowing the criminals access. With access to the valid OTP, the fraudsters could log into the victim's account and begin making transactions.

The NCA believes around 3,000 people registered with OTP Agency between September 2019 and March 2021, and more than 65,000 automated calls targeted more than 12,500 members of the public.

However, investigators still don't know how much money OTP Agency made during its time in business. Estimates range from £90,000 ($111,784) if all 3,000 subscribers paid for the lowest tier, all the way up to £7.9 million ($9.8 million) if they all opted for the elite package.

Roles and sentencing

Picari was the owner, developer, and main beneficiary of OTP Agency. In one message posted to the business's Telegram channel in 2019, Picari promised that subscribers would profit within minutes of signing up.

Siddeeque provided customer and technical support for OTP Agency and promoted it in return for free, unfettered access to its services, which he used for his own fraudulent schemes.

Vijayanathan also promoted the site and had moderation duties across the website and Telegram channels.

All three were charged with conspiracy to make and supply articles for use in fraud in January 2023. All ended up pleading guilty to these charges, although Siddeeque held off doing so until August 2024.

Picari was also charged with money laundering under section 327 of the Proceeds of Crime Act 2002 (converting criminal property). He was sentenced to two years and eight months in prison at Snaresbrook Crown Court on January 27.

Vijayanathan and Siddeeque both escaped prison time and were instead handed 12-month community orders, which will see them carry out 200 and 160 hours of community service respectively. Both will also have to pay £760 ($943.67) in costs.

"As this case shows, the NCA has the ability to disrupt and dismantle websites like OTP Agency, which cause harm to the public, and bring those responsible to justice," said Tim Court, senior manager at the NCA's National Cyber Crime Unit.

"We would urge anyone using online banking services to be vigilant. Criminals can pretend to be a trusted person or company when they call, email, or message you. If something seems suspicious or unexpected, such as requests for personal information, contact the organization directly to check using details published on their official website."
