Three UK men convicted of running website behind fraud calls during COVID-19 lockdown

Three men in the United Kingdom have pleaded guilty to running a website that helped fraudsters evade banking security checks during the COVID-19 lockdown, allowing criminals to target more than 12,500 members of the public.

The ringleader, Callum Picari, 22, from Hornchurch, Essex, had set up the www.otp.agency site back in September 2019 alongside Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.

The men were arrested and the site was seized by National Crime Agency (NCA) officers in March 2021. It had offered criminals a monthly subscription to a service that helped them socially engineer bank account holders into disclosing one-time passcodes by calling the target’s phone with a convincing automated bot.

A basic subscription, costing £30 a week, allowed fraudsters to bypass multi-factor authentication on banking platforms including HSBC, Monco and Lloyds, while a so-called “elite plan” cost users £380 a week and “granted access to Visa and Mastercard verification sites,” said the NCA.

Following publication, the agency clarified that the access to Visa and Mastercard sites did not mean the men had compromised those sites, but were enabling customers to defraud victims using those verification systems alongside those of other banking and finance companies.

The agency said it did not know how much money the men had made through the criminal enterprise, and that the investigation had begun in June 2020.

According to the NCA, Picari was the “owner, developer and main beneficiary” of the site and had been advertising it on a Telegram group with over 2,200 members.

However, the Telegram group was deleted following an article by independent journalist Brian Krebs that the NCA said “prompted a panicked message exchange between Picari and Vijayanathan” before sharing this exchange:

Picari: “bro we are in big trouble”… “U will get me bagged”… Bro delete the chat”
Vijayanathan: “Are you sure”
Picari: “So much evidence in there”
Vijayanathan: “Are you 100% sure”
Picari: “It’s so incriminating”...“Take a look and search “fraud”..."Just think of all the evidence”...“that we cba to find”...“in the OTP chat”...“they will find”
Vijayanathan: “Exactly so if we just shut EVERYTHING down”
Picari: “They went to our first ever msg” ...We look incriminating”...“if we shut down”...“I say delete the chat”...“Our chat is Fraud 100%”
Vijayanathan: “Everyone with a brain will tell you stop it here and move on”
Picari: “Just because we close it doesn’t mean we didn’t do it"...“But deleting our chat”..."Will f*^k their investigations”...“There’s nothing fraudulent on the site”

All three initially attempted to deny being knowingly involved in criminality, but subsequently admitted to the charge of conspiracy to make and supply articles for use in fraud. Picari was also charged with money laundering.

They will be sentenced at Snaresbrook Crown Court on 2 November 2024.

Anna Smith, operations manager from the NCA’s National Cyber Crime Unit, said: “Picari, Vijayanathan and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public.

“The trio profited from these serious crimes by running www.otp.agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people’s livelihoods.

“We would also urge anyone using online banking services to be vigilant. Criminals may pretend to be a trusted person or company when they call, email or message you,” said Smith.

“If something seems suspicious or unexpected, such as requests for personal information, contact the organisation directly to check using details published on their official website.”

Editor's Note: Story updated September 6 with additional comments from NCA.