Three Admins of OTP Interception Service “OTP Agency” Plead Guilty
Read also: A former cop gets 20 months in prison for selling victims’ personal data, a BEC scammer sentenced, and more.
Thursday, September 5, 2024
Admins of bank fraud subscription service plead guilty
Three men have pleaded guilty to operating a website that enabled criminals to bypass banking anti-fraud checks, following an investigation by the UK’s National Crime Agency (NCA).
The service, OTP[.]Agency, was run by Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque. The trio facilitated criminal activities by allowing users to bypass multi-factor authentication (MFA) on major banking platforms, including HSBC, Monzo, and Lloyds. The OTP[.]Agency service was a web-based bot designed to trick users into providing their OTP (One-Time Passcode) tokens.
Siddeeque played a key role in promoting the website and providing technical support to customers, while Picari was the website's owner, developer, and primary beneficiary. He also advertised the service in a Telegram group with over 2,200 members.
The men were charged with conspiracy to make and supply articles for use in fraud, with Picari facing an additional charge of money laundering.
The trio is scheduled to be sentenced on November 2, 2024.
A former cop gets 20 months in prison for selling personal data of traffic crash victims
Vincent Forrest, a former patrol officer with the Metropolitan Police Department (MPD), Washington, D.C., was sentenced to 20 months in federal prison for his involvement in a scheme that illegally sold the personal information of traffic crash victims. In addition to the prison term, Forrest was ordered to serve three years of supervised release and to forfeit $15,000 of illegal profits.
According to court documents, Forrest used his access to MPD’s sensitive law enforcement database to review and record the non-public contact information of victims involved in traffic accidents.
Forrest then sent this information to Raquel DePaula, a so-called “runner,” who provided the victim information to local attorneys in exchange for referral fees. The attorneys, in turn, contacted the accident victims just days after their incidents, in direct violation of D.C. law.
The case against Forrest was part of a larger investigation into the illegal sale of traffic crash reports by MPD officers. Forrest and Raquel DePaula are the sixth and seventh individuals convicted in connection with the scheme. Previous convictions include MPD Officers Walter Lee and Kendra Coles, MPD employee Aaron Willis, business owner Marvin Parker, and law firm employee Michelle Cage, all of whom pleaded guilty to related charges.
Cybersecurity Compliance
Prevent data breaches and meet regulatory requirements
A Nigerian national sentenced to over 5 years in prison for role in $5M BEC scheme
A Nigerian national, Franklin Ifeanyichukwu Okwonna, 34, was sentenced to five years and three months in US prison for his involvement in a computer hacking and business email compromise (BEC) scheme that resulted in over $5 million in losses to businesses in the United States and elsewhere. Okwonna, who pleaded guilty on May 20, 2024, was also ordered to pay nearly $5 million in restitution to the victims of the scheme.
Okwonna's sentencing comes just weeks after his co-defendant, Ebuka Raphael Umeti, 35, also a Nigerian national, received a ten-year prison sentence on August 27, 2024. He was also ordered to pay nearly $5 million in restitution.
According to court documents, from February 2016 to July 2021, Umeti, Okwonna, and other co-conspirators orchestrated a series of phishing attacks targeting businesses aimed at infecting victims’ computer systems with malware. Using the malware, the perpetrators gained access to sensitive data which they then used to trick victims within the targeted companies into executing wire transfers to accounts controlled by the conspirators.
In a separate case, another Nigerian scammer, Olusegun Samson Adejorin, was extradited from Ghana to the United States to face federal charges for his involvement in a $7.5 million fraud scheme targeting two charities. Adejorin allegedly stole employee credentials, posed as those employees to send fraudulent emails requesting fund withdrawals, and used a credential harvesting tool and spoofed domains to facilitate the scheme. If convicted, he faces up to 20 years in prison for each wire fraud count, additional penalties for identity theft, and other related charges.
Two fraudsters sentenced for ATM Shimming scam in Australia
Two Romanian nationals have been sentenced in an Australian court for their involvement in an ATM shimming scam that defrauded victims of $36,000.
The scammers installed ATM shimmers into ATM card slots to steal the financial data of victims. The devices captured the information stored on the magnetic stripe and chip of ATM cards, allowing the criminals to retrieve and use the data to withdraw funds or transfer money to various bank accounts.
The police launched an investigation in June 2023 after receiving tips from their counterparts in the US, which soon identified individuals in Australia receiving suspicious packages from the UK, China, and the US, all believed to contain ATM shimming devices. In August 2023, the AFP executed a search warrant at a residence in Rhodes, Sydney, as well as on a rented vehicle, seizing $12,935 in cash, multiple shimming devices, fake identity documents, and electronic devices.
The male offender, 34, received a sentence of four years and two months in prison, with a non-parole period of two years and six months. His accomplice, a 33-year-old woman, was sentenced to two years and six months, with a non-parole period of one year and six months. Both are expected to be deported upon their release from custody.
Four arrested in India over cybercrime case involving leaked police exam paper
The Uttar Pradesh Police arrested four individuals, including the mastermind of a cybercrime operation, for their involvement in leaking the question paper of the Uttar Pradesh Police Radio Operator Recruitment Exam. The incident took place on February 1, 2024, at the Karan Institute of Technology in Varanasi.
An investigation was launched after it was discovered that the computers used for the exam were breached. It was found that a cybercriminal syndicate had collaborated with candidates to remotely hack into computers during the examination, providing them with unauthorized access to the question paper. Candidates allegedly paid hefty sums to these hackers for the illegal advantage.
According to the police investigation, the hackers employed a variety of tactics to gain control over the examination systems. Before the exam, they disabled the bootable mode on the computers and installed remote access software, such as AnyDesk, which allowed them to take remote control of the machines. On the day of the exam, the cybercriminals used the specific IP address of the examination center to remotely access and solve the exam paper.
The police apprehended the mastermind behind the operation, along with three other men involved in the scheme. The police officers also seized three Android mobile phones and one iOS Apple device believed to have been used in coordinating the hacking activities.
What’s next:
- Join our upcoming webinars
- Follow ImmuniWeb on Twitter, LinkedIn and Telegram
- Explore 20 use cases how ImmuniWeb can help
- Browse open positions to join our great Team
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
Key Dutch has been working in information technology and cybersecurity for over 20 years, starting his first job with Windows 95 and dial-up modems. As the Editor-in-Chief of our Cybercrime Prosecution Weekly blog series, he compiles the most interesting news about police operations against cybercrime, as well as about regulatory actions enforcing data protection and privacy law. 
