OTP Bot
Automated software that calls or texts victims in real time to trick them into reading out their one-time passcodes, which are then relayed to attackers logging into the victim's account.
Also known as: OTP interception bot, one-time code bot, 2FA bypass bot
Last reviewed: 1 June 2026
An OTP (one-time password) bot is a tool sold as a service on cybercriminal platforms that automates the real-time interception of SMS- or authenticator-app-based one-time codes. The attack runs as follows: the attacker already holds the victim's username and password (from a data breach or phishing), attempts to log into the account, and thereby triggers an OTP to be sent to the victim's phone. At the same moment, the bot places an automated call to the victim, usually posing as the bank or service provider, with a message such as 'We detected suspicious activity. Please enter your verification code now.'
The victim, believing they are speaking to their bank, keys in the code. The bot captures it and forwards it instantly to the attacker, who completes the login within the code's validity window. The whole exchange is automated and takes seconds, leaving the victim little chance to notice and react before the login is complete.
OTP bots defeat SMS-based two-factor authentication entirely and are widely advertised on Telegram channels. The most effective defence is to move from one-time codes to phishing-resistant authentication such as FIDO2 hardware keys or passkeys: the credential is bound to the legitimate domain, so there is no code for a victim to read out and nothing for a bot to relay.
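To show why the relay works against a one-time code but not against a domain-bound credential, here is an added Python model (not code from this page or from any product). The relying party name, the two origins, and the use of HMAC in place of a real public-key signature are simplifying assumptions; the point demonstrated is that an OTP is checked only by its digits, while a FIDO2-style assertion is checked against the origin the browser was actually on.

```python
import hashlib
import hmac
import os
import secrets

RP_ID = "bank.example"                           # constructed relying party
EXPECTED_ORIGIN = "https://bank.example"
ATTACKER_ORIGIN = "https://bank-verify.example"  # constructed: stands in for any relay path
# --- SMS OTP: a bearer secret. The server checks the digits, not who types them or where. ---
ISSUED_OTPS = {}
def issue_otp(user):
    ISSUED_OTPS[user] = f"{secrets.randbelow(10**6):06d}"
    return ISSUED_OTPS[user]  # delivered to the user's phone

def verify_otp(user, code):
    return hmac.compare_digest(ISSUED_OTPS.get(user, ""), code)

# --- FIDO2-style assertion: the signature covers the origin the browser is actually on. ---
def _client_data(challenge, origin):
    return f"{RP_ID}|{challenge}|{origin}".encode()

class Authenticator:
    def __init__(self):
        self.key = os.urandom(32)  # HMAC key stands in for the private key (simplification)
    def sign(self, challenge, origin):
        # The browser, not the user, supplies the origin; a lookalike page gets its own origin.
        return origin, hmac.new(self.key, _client_data(challenge, origin), hashlib.sha256).digest()

class Fido2Server:
    def __init__(self, registered_key):
        self.key = registered_key
        self.challenge = secrets.token_hex(16)  # fresh per login attempt
    def verify(self, origin, signature):
        if origin != EXPECTED_ORIGIN:  # a relayed assertion carries the wrong origin
            return False
        expected = hmac.new(self.key, _client_data(self.challenge, origin), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def otp_relay_succeeds():
    # Attacker's login triggers the SMS; the bot collects the digits; the attacker submits them.
    return verify_otp("victim", issue_otp("victim"))

def webauthn_relay_fails():
    # Same trick against a passkey: the victim signs on a lookalike page and the origin does not match.
    auth = Authenticator()
    server = Fido2Server(auth.key)
    relayed = server.verify(*auth.sign(server.challenge, ATTACKER_ORIGIN))
    genuine = server.verify(*auth.sign(server.challenge, EXPECTED_ORIGIN))
    return (not relayed) and genuine
```

In a real deployment the browser refuses the ceremony even earlier when the page origin does not match the registered relying-party ID, so the origin check here is the last of two barriers.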
Examples
- An attacker uses an OTP bot to call a customer who receives an automated message asking them to 'press 1 and enter the code just sent to your phone' — the code is captured and used to complete a fraudulent bank transfer.