OTP Bots Are Running 24/7 on Your Customers’ Accounts
Two-factor authentication was supposed to be the definitive answer to credential theft, and for a period it was genuinely effective: adding a one-time password to the login process meant that even a perfectly stolen username and password combination was not sufficient for an attacker to complete an account takeover. That logic held long enough for SMS-based two-factor authentication to become the default security layer across banking, e-commerce and enterprise platforms worldwide. It no longer holds, because OTP bots have industrialised the bypass, turning what was once a technically demanding, time-sensitive real-time interception attack into a commodity service that requires no coding ability or specialist knowledge and costs less than a takeaway meal.
This is not the same story as the general OTP bot explainer we published in January, which covered how the attacks work at a technical level. This piece is about the market behind the attack — who builds these tools, how they are sold and priced, what their operators earn from them, and specifically why the controls that most enterprise security teams have deployed are failing to stop them in 2026.
What an OTP bot actually does
An OTP bot is a piece of automated software — typically delivered as a subscription Telegram service with a command-line interface — that intercepts the one-time password a target receives on their phone and relays it to an attacker in real time, within the narrow seconds-long window during which the code remains valid and can be used to complete a login.
The attack chain is more straightforward than most people assume. The attacker already has the target’s username and password, typically obtained from a breached credential database, an infostealer infection that harvested saved browser credentials, or a phishing campaign that captured them directly. Using those credentials, they initiate a login on the legitimate platform, which triggers the platform to send an OTP to the target’s registered phone number as expected. Simultaneously — and this is the critical window — the bot contacts the target via an automated call or SMS message, impersonating the bank, the platform, or the customer support team with a spoofed phone number, creates a credible sense of urgency around a fabricated security incident such as suspicious login activity or an unauthorised transaction, and asks the target to enter or confirm the code they just received. The target, believing they are speaking with their bank’s fraud prevention team, complies. The bot captures the OTP and forwards it to the attacker, who uses it to complete the login in seconds before the code expires.
The entire sequence, from the moment the attacker initiates the login to the point at which they gain full account access, takes under 30 seconds in documented cases where the social engineering script was well-crafted and the target did not hesitate. According to Cisco Talos, nearly 50% of all incident response engagements in 2024 involved attackers attempting to bypass MFA in some form, and OTP bots have become the primary mechanism through which that bypass is achieved at scale against consumer and enterprise accounts alike.
The market behind the attack
What makes OTP bots a defining threat in 2026 is not the technical sophistication of the attack — it is the business model behind it, which is indistinguishable from a legitimate SaaS operation in almost every structural respect. These are commercial services with pricing tiers, customer support channels, refund policies for failed attempts, update logs announcing new platform targets, and Telegram channels where users submit feature requests and share feedback on which scripts perform best against which banks. SMSRanger, one of the most widely documented examples, operates as a Telegram bot that any non-technical user can navigate in under five minutes — the attacker selects a target platform, enters a phone number, and the bot handles the spoofed call, the social engineering script and the OTP capture entirely on its own. Recorded Future analysts tested an open-source equivalent called SMSBypassBot and confirmed it worked exactly as advertised and was deployable within minutes.
JokerOTP, dismantled by European authorities in early 2025, illustrates why this market keeps attracting criminal investment despite regular law enforcement disruption — it facilitated over 28,000 successful attacks across 13 countries and generated an estimated $10 million in theft before its takedown, after which demand simply redistributed to competing operators already advertising on the same forums within days of the arrests. At $10 to $50 per attack session, a single successful bank account takeover generates a return of 100x to 500x on the bot rental cost, and those economics are consistent and repeatable enough that the market grows faster than individual operations can be shut down.
Why SMS-based MFA is the weakest link
OTP bots are effective precisely because they exploit a specific architectural flaw at the heart of SMS-based two-factor authentication: the assumption that a one-time code delivered to a phone number proves that the person holding the phone is the legitimate account holder who initiated the login. That assumption breaks the moment an attacker can reach the phone holder faster than the legitimate service can, present a more urgent and compelling framing for the code request, or convince the target to hand over the code under social pressure they have been engineered to feel.
SMS-based OTP is particularly vulnerable because the delivery channel, a phone call or text message from an unfamiliar number, is the same channel the attack uses, and the target has been conditioned by years of legitimate bank communications to accept that channel as trustworthy. The bot impersonates a trusted entity using a spoofed caller ID, appearing in some cases in the same SMS thread as legitimate bank alerts on Android devices, and the target has no reliable technical mechanism to distinguish the fraudulent contact from a genuine one without already knowing to look for the deception.
AI has made this substantially worse over the past 18 months, as voice cloning technology now allows OTP bots to use audio that sounds exactly like a real bank representative — with the appropriate accent, tone and pacing, rather than a generic automated voice that a careful listener might recognise as synthetic.
App-based authenticators offer more resistance than SMS but are not categorically immune to this category of attack. OTP bots have developed variants specifically designed to target app-based authentication systems, using social engineering scripts that convince targets a “syncing” or “security update” code is required to maintain access to their account — a request that is in fact designed to capture the six-digit code from the authenticator app that the attacker’s login attempt just triggered as a push notification.
The SMS pumping problem nobody talks about
Beyond the direct account takeover use case, OTP bots create a second and substantially less-discussed category of financial damage for the organisations that operate authentication systems at scale, one that affects them regardless of whether any individual attack on their customers succeeds.
By triggering massive volumes of OTP requests through fake login attempts, each of which forces the platform to generate and send an SMS that its infrastructure provider charges for, attackers can systematically force organisations to pay enormous and growing SMS infrastructure bills for traffic that serves no legitimate purpose. This category of attack, known as SMS pumping fraud, has cost some platforms over $60 million per year in artificial traffic costs that accumulate silently and are often attributed to organic growth before the pattern is identified.
Twitter disclosed this figure publicly in connection with their authentication infrastructure, and the attack model has since been replicated against social media platforms, authentication providers and financial services firms globally. The attack requires no successful credential theft and no account takeover — it requires only the ability to trigger OTP generation at scale, which is something every OTP bot on the market is designed to do as part of its standard operation.
So which controls are actually working in 2026?
The defensive playbook is well established; the challenge is that most organisations have not fully implemented it.
Phishing-resistant MFA (the only categorical fix!)
FIDO2 hardware security keys and passkeys remove the OTP from the authentication process entirely, replacing it with a cryptographic proof that cannot be intercepted or socially engineered regardless of how convincing the attack script is. CISA has recommended phishing-resistant MFA as the baseline for high-value accounts since 2023, and the continued growth of the OTP bot market makes that recommendation more urgent with every passing month. Everything else below reduces risk — only this eliminates it.
Behavioural anomaly detection (or catching what filters miss)
Configure authentication alerting around three specific signals:
- High OTP-to-login failure ratio — codes generated at volume with no successful login following
- The burst-and-success pattern — clustered failures immediately followed by a successful login with an account detail change
- Telemetry mismatches — a valid OTP entry paired with impossible travel between sessions
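The three signals above, implemented as an added example over a constructed sample authentication log (this is not code from the article or from CybelAngel); the event names, the three-failure threshold, and the five-minute and one-hour windows are assumptions:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [  # constructed sample, not from the article: (time, account, event, country)
    ("2026-03-01T09:30:00", "bob", "login_ok", "FR"),
    ("2026-03-01T09:50:00", "bob", "login_ok", "BR"),     # other country 20 min later
    ("2026-03-01T10:00:05", "alice", "login_fail", "FR"),
    ("2026-03-01T10:00:25", "alice", "login_fail", "FR"),
    ("2026-03-01T10:00:45", "alice", "login_fail", "FR"),
    ("2026-03-01T10:01:10", "alice", "login_ok", "FR"),   # success right after the burst
    ("2026-03-01T10:02:00", "alice", "detail_change", "FR"),
    ("2026-03-01T11:00:00", "dave", "otp_sent", "FR"),    # codes issued, never consumed
    ("2026-03-01T11:00:20", "dave", "otp_sent", "FR"),
    ("2026-03-01T11:00:40", "dave", "otp_sent", "FR"),
]

def load(log):
    """Parse timestamps and sort chronologically before running the signals."""
    return sorted((datetime.fromisoformat(t), a, e, c) for t, a, e, c in log)

def otp_without_login(events, min_codes=3):
    """Signal 1: OTPs generated at volume with no successful login following."""
    sent = Counter(a for _, a, e, _ in events if e == "otp_sent")
    used = {a for _, a, e, _ in events if e == "login_ok"}
    return sorted(a for a, n in sent.items() if n >= min_codes and a not in used)

def burst_and_success(events, min_fails=3, window=timedelta(minutes=5)):
    """Signal 2: clustered failures, then a success, then an account-detail change."""
    per_acct, hits = defaultdict(list), []
    for ts, acct, ev, _ in events:
        per_acct[acct].append((ts, ev))
    for acct, seq in per_acct.items():
        for i, (ts, ev) in enumerate(seq):
            fails = sum(e == "login_fail" and ts - t <= window for t, e in seq[:i])
            changed = any(e == "detail_change" and t - ts <= window for t, e in seq[i + 1:])
            if ev == "login_ok" and fails >= min_fails and changed:
                hits.append(acct)
                break
    return hits

def impossible_travel(events, max_gap=timedelta(hours=1)):
    """Signal 3: successful logins from different countries too close together."""
    last, hits = {}, []
    for ts, acct, _, country in [e for e in events if e[2] == "login_ok"]:
        prev = last.get(acct)
        if prev and prev[1] != country and ts - prev[0] <= max_gap:
            hits.append(acct)
        last[acct] = (ts, country)
    return hits
```

In production the same three functions would run over a rolling window of SIEM events rather than a static list, with thresholds tuned against the platform's normal OTP-to-login baseline.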
Dark web monitoring is the earliest warning available
OTP bot operators advertise targets and share stolen credentials in closed Telegram channels and dark web forums before deploying attacks. Monitoring for your organisation’s name, domain and authentication platforms gives security teams days of advance warning before attack volume appears in authentication logs — enough time to communicate defensive measures to at-risk customer segments.
Compensating controls (for the interim only)
Where phishing-resistant MFA cannot be deployed immediately:
- Rate limiting on OTP generation per account and IP
- Shortened code validity windows
- Out-of-band verification for high-risk transactions
These slow an attack down by seconds in a process that completes in under thirty. Implement them, but treat them as a bridge, not as a destination.
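An added illustration (not the article's or CybelAngel's code) of the first two compensating controls: a sliding-window limit on OTP issuance per account and per source IP, plus a short, single-use validity window, which also caps the SMS volume an SMS pumping campaign can generate. The hypothetical OtpIssuer class, its thresholds and its window lengths are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

class OtpIssuer:
    """Short-lived, single-use OTPs with per-account and per-IP issuance limits.
    Window lengths and thresholds are illustrative assumptions, not article values."""

    def __init__(self, validity_s=60, per_account=3, per_ip=10, limit_window_s=600):
        self.validity_s, self.limit_window_s = validity_s, limit_window_s
        self.limits = {"account": per_account, "ip": per_ip}
        self.recent = {"account": defaultdict(deque), "ip": defaultdict(deque)}
        self.pending = {}  # account -> (sha256 of code, expiry time)

    def _over_limit(self, kind, key, now):
        q = self.recent[kind][key]
        while q and now - q[0] > self.limit_window_s:
            q.popleft()  # forget issuances that fell out of the sliding window
        return len(q) >= self.limits[kind]

    def request_code(self, account, ip, now):
        """Return (issued, code_or_reason); every refusal is one SMS never sent or billed."""
        for kind, key in (("account", account), ("ip", ip)):
            if self._over_limit(kind, key, now):
                return False, f"{kind} rate limit"
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[account] = (digest, now + self.validity_s)
        self.recent["account"][account].append(now)
        self.recent["ip"][ip].append(now)
        return True, code

    def verify(self, account, code, now):
        """One guess per code: wrong, expired or already-consumed codes all fail."""
        entry = self.pending.pop(account, None)
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).hexdigest())

def simulate():
    """Scripted scenario: a burst for one account, a replay, and an expired code."""
    issuer = OtpIssuer()
    alice = [issuer.request_code("alice", "203.0.113.7", now=t)[0] for t in (0, 5, 10, 15)]
    _, bob_code = issuer.request_code("bob", "203.0.113.7", now=20)
    _, carol_code = issuer.request_code("carol", "198.51.100.9", now=100)
    return {"alice_issued": alice,                                   # 4th request refused
            "bob_ok": issuer.verify("bob", bob_code, now=30),
            "bob_replay": issuer.verify("bob", bob_code, now=31),    # already consumed
            "carol_expired": issuer.verify("carol", carol_code, now=200)}  # 60 s validity
```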
Conclusion
The OTP bot market exists and continues to grow because the economics are compelling in a way that law enforcement disruption has so far been unable to permanently alter — a $10 tool that earns $50,000 a month for its operator, sold through Telegram channels to people who need no technical skill to use it, running against an authentication mechanism that hundreds of millions of accounts across banking, e-commerce and enterprise platforms still rely on as their primary second factor. This is not an emerging threat that security teams have time to plan for. It is an established and commercially sophisticated criminal industry with pricing tiers, customer support infrastructure and a growing customer base of low-skill attackers who would previously have been excluded from this category of fraud by the technical barrier to entry.
CybelAngel monitors dark web markets, Telegram channels and closed criminal forums continuously, alerting security teams when their organisation, their platform name or their customer base appears in OTP bot operator discussions and targeting conversations before any attacks reach their authentication systems.
FAQ
What is an OTP bot and how does it work?
An OTP bot is automated software, typically sold as a subscription Telegram service, that intercepts a one-time password sent to a target’s phone and relays it to an attacker in real time within the seconds during which the code remains valid. It works by impersonating a trusted entity such as a bank or platform using a spoofed phone number, creating urgency around a fabricated security incident, and convincing the target to share or confirm their authentication code before they have time to question the request.
How much do OTP bots cost?
OTP bot services are typically available for between $10 and $50 per attack session on Telegram and dark web forums, with some operators offering subscription models for regular users who want to run multiple attacks across different platforms. Dark web forum mentions of OTP bots jumped 31% in 2024, and one documented operator reported earning $50,000 per month running the service as a commercial offering, making the return on investment for criminal operators extremely high relative to the minimal entry cost.
Does two-factor authentication stop OTP bots?
SMS-based two-factor authentication does not stop OTP bots; it is specifically what they are designed to bypass, exploiting the narrow window between when a code is generated and when it expires by intercepting it through social engineering. Phishing-resistant MFA such as FIDO2 hardware security keys and passkeys categorically does stop them, because authentication is cryptographically bound to the legitimate domain and there is no one-time code for the bot to intercept or relay.
Which industries do OTP bots target?
Financial services, fintech, cryptocurrency exchanges and e-commerce platforms are the primary targets because they hold high-value accounts, process high-value transactions, and have historically relied most heavily on SMS-based two-factor authentication as their second factor. One documented case involved a buy-now-pay-later provider receiving over 25,000 bot attempts in a 90-day period, with thousands of bots completing the full application flow. Banking customers are targeted most consistently because successful account takeovers yield the most direct and immediate financial returns for attackers.
What is SMS pumping fraud?
SMS pumping fraud occurs when attackers use OTP bots or similar automated tools to trigger massive volumes of OTP generation requests against a platform; each fake login attempt forces the platform to send an SMS that its infrastructure provider charges for, regardless of whether the authentication attempt succeeds. Some platforms have reported SMS infrastructure costs exceeding $60 million per year as a direct result of artificial OTP traffic generated through this method, and the attack requires no successful credential theft or account takeover to generate that cost, only the ability to trigger OTP generation at scale.
How can security teams detect OTP bot attacks?
Key detection signals to configure alerting around include a high OTP-to-login failure ratio where codes are generated at volume without subsequent successful logins following them, the burst-and-success pattern where a tight cluster of failed attempts is immediately followed by a successful login with an account detail change, and telemetry mismatches where a valid OTP entry is paired with impossible travel signals such as a login from a location the account holder could not have reached. Dark web monitoring for mentions of your platform in OTP bot operator channels and targeting discussions provides the earliest available warning, often days before the attack volume becomes visible in authentication logs.
What is JokerOTP?
JokerOTP was a coordinated OTP bot operation dismantled by European law enforcement authorities in early 2025, representing the most significant takedown in this market to date before its disruption. It facilitated over 28,000 successful attacks across 13 countries and generated an estimated $10 million in theft from banking customers, cryptocurrency exchange users and e-commerce account holders. Its takedown redistributed demand to competing operators already advertising on the same forums rather than eliminating the underlying market, which continued to grow in the months following the arrests.
