A major counterattack against OTP Bots was initiated yesterday by police who shut down one of the biggest players in the industry.

OTP Bots, designed to automate the theft of one-time passcodes from unsuspecting bank customers, emerged about 18 months ago.

The bots were immediately popular because they enabled scammers to spoof bank phone numbers, robocall thousands of customers simultaneously and play realistic scripts that lead the customers to believe they were dealing directly with the bank.

Here is an OTP Bot in action if you want to see how it works.

This week, one of the largest OTP Bot sites in the world –Ispoof.me – was shuttered by law enforcement officials in the UK and over 100 people associated with the service were arrested.

It is being called the biggest investigation in UK history.

Over 200,000 Victims Were Targeted

This website posed as a “one-stop spoofing shop” for criminals, who used it to make fake bank phone calls and steal tens of millions of pounds from innocent Britons. In total, it is estimated that over 200,000 potential victims were targeted.

Customers of iSpoof would typically pay for the services with Bitcoin and get access to portal that would allow them to contact thousands of customers and view the stolen information on a webpage.

The site was such a lucrative place for scammers that almost 20 people were contacting every minute of the day, and it is estimated they made close to £50 million in profits.

iSpoof, which launched in August of 2020, was immediately popular with scammers. In its first year alone, scammers used the service to make over 10 million fraudulent calls globally and targeted 200,000 victims.

You can check out their video advertisement which they used to lure scammers on Telegram here.

Users Thought They Could Commit Their Crimes Anonymously

Scammers that signed on with iSpoof used Bitcoin thought they would never get caught. But that was not true.

More than 100 people were arrested as part of the sting investigation which was called “Operation Elaborate.” These arrests include the person suspected of being behind the website – a guy from East London, Teejai Fletcher.

Police began investigating the iSpoof website back in June of 2021. They infiltrated the website and got into their servers.

After they hacked into the servers, they discovered 59,000 different users and found over 70 million rows of data and bitcoin records, allowing them to trace the suspects.

The pool of users was so large that their investigation focused only on users within the UK who had spent more than 100 Bitcoin to use the site.

The 100 arrested were “whale scammers” only. As the investigation continues, more suspects could be arrested.

The Site Was Blocked Yesterday, And Police Are Contacting the Victims

If you get a text from the Metropolitan Police in the next few days, you know you were probably a victim of the iSpoof website scammers.

Police have a list of phone numbers targeted by iSpoof fraudsters and will contact potential victims via text on today and tomorrow.

The text message will ask victims to visit the Met’s website to provide more details about their experience.

A Site For Spoofers By Spoofers

A message on iSpoofs Telegram channel posted this morning was yet another message that OTP Bots constitute illegal activity.

The site promoted itself as a harmless “Spoof” service created by spoofers for spoofers. But it was anything but harmless.

This is a very interesting counter-attack against OTP Bot services and I have no doubt there will be more arrest and actions in the coming months.