Three men have pleaded guilty to running OTP.Agency, an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K.

The codes – temporary passwords also known as OTPs, were part of multi-factor authentication protections and criminals subscribing to the illegal service could use them to access a victim’s bank account and empty it.

Authorities estimate that Callum Picari (22), Vijayasidhurshan Vijayanathan (21), and Aza Siddeeque (19) targeted more than 12,500 people between September 2019 and March 2021, when UK’s National Crime Agency (NCA) shit down the OTP.Agency website.

Picari was the owner and main developer of the platform, while Siddequee was responsible for promoting the site and providing technical support to criminals who purchased subscriptions to the service.

OTP.Agency promised to help deliver OTPs for over 30 online services, including Apple Pay, for weekly subscriptions that ranged between £30, for the basic plan and £380 for the elite one.

A criminal who already had a victim’s login credentials to a service would also need the OTP, which OTP.Agency obtained by making automated, scripted calls to the victim using text-to-speech technology and asking for the temporary password.

“Criminals disguised the ID so it appeared as a real call from the victim’s bank,” the NCA explains in a video.

Three men have admitted running a website enabling criminals to circumvent banking anti-fraud checks.

An NCA investigation showed that https://t.co/Gedby7jyq5 was run by Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque.

Full story ➡️ https://t.co/zdK8Z0pqzr pic.twitter.com/wbu5eTLpTW

— National Crime Agency (NCA) (@NCA_UK) August 31, 2024

The basic package enabled bypassing multi-factor authentication for bank accounts at HSBC, Monzo, and Lloyds, while the top-tier unlocked access to Visa and Mastercard verification sites.

The three individuals also ran a Telegram group where they communicated to more than 2,200 members.

Based on the information gathered during the investigation, the NCA believes that the three actors could have made up to £7.9 million.

The trio faces charges of conspiracy to commit fraud and conspiracy to make and supply articles for use in fraud. OTP.Agency’s owner, Picari, is also charged with money laundering.

Per UK law, the first two charges can carry a maximum prison sentence of up to 10 years, while money laundering is punishable by up to 14 years.

The exact sentences will be determined by the Snaresbrook Crown Court during a hearing scheduled for November 2.