The men tricked victims into revealing OTPs—codes intended to enhance account security through multifactor authentication (MFA)

Three people have been sentenced at Snaresbrook Crown Court for operating an underground cybercrime service that facilitated online fraud and financial theft. The illicit scheme, known as OTP.Agency, enabled criminals to bypass security measures and take over victims’ accounts using stolen one-time passcodes (OTPs).

Cybercriminals manipulated MFA to bypass security

Callum Picari, 23, from Essex; Vijayasidehurshan Vijayanathan, 21, from Buckinghamshire; and Aza Siddeeque, 19, also from Buckinghamshire, orchestrated sophisticated social engineering attacks. They tricked victims into revealing OTPs—codes intended to enhance account security through multifactor authentication (MFA).

OTP.Agency operated on a subscription basis, offering fraudulent services for as little as £30 per week, while its premium £380 per month plan provided advanced tools such as AI-powered spoof calls and automated text-to-speech impersonation. Investigators recovered scripts mimicking reputable entities like HMRC, Mastercard, Visa, and major telecom providers.

Sentencing and law enforcement crackdown

The National Crime Agency (NCA) began investigating the cybercriminals in 2020 and found that over 12,500 individuals had been targeted in an 18-month period between September 2019 and March 2021. Financial estimates suggest the illicit service may have generated millions of pounds.

Picari, the scheme’s primary operator, received a two-year-and-eight-month prison sentence. Vijayanathan and Siddeeque were given 12-month community orders, 160 to 200 hours of community service, and fines of £760 each. The NCA has also launched asset recovery proceedings against Picari to seize illegally acquired funds.

Public urged to stay vigilant against cyber threats

Authorities warn individuals to remain cautious of unsolicited messages or phone calls requesting personal details. Cybercriminals frequently pose as legitimate organizations to extract sensitive data. The NCA advises the public to verify suspicious communications by contacting companies directly using official channels.

Cybersecurity experts emphasize that this case demonstrates the importance of robust security measures and industry collaboration in combating online fraud. Law enforcement agencies continue to work closely with industry partners to dismantle criminal operations and enhance public awareness of emerging threats.