Criminal Liability for Selling OTP Codes and Facilitating SIM-Related Fraud in the Philippines

1) Why OTPs and SIMs sit at the center of modern fraud

In the Philippines, many financial and e-wallet transactions rely on SMS-based one-time passwords (OTPs) or similar “one-time codes” as a second factor of authentication. Control of a mobile number often equals control of:

  • password resets,
  • account recovery,
  • login confirmations,
  • transaction approvals,
  • onboarding verification (KYC).

Because of this, fraud schemes frequently revolve around either:

  1. Obtaining OTPs (through deception, malware, or interception), or
  2. Obtaining/controlling SIMs tied to the victim’s number (through SIM registration abuse, SIM swap, use of “pre-registered” SIMs, insider collusion, or identity fraud).

Selling OTP codes and facilitating SIM-related fraud can create direct criminal exposure under both the Revised Penal Code (RPC) and special laws—especially the Cybercrime Prevention Act of 2012 (RA 10175), the Data Privacy Act of 2012 (RA 10173), the E-Commerce Act (RA 8792), and the SIM Registration Act (RA 11934)—plus potential liability for conspiracy, aiding/abetting, and related participation theories.

2) Clarifying terms (practical legal meaning)

OTP

A one-time password/code is an authentication credential used to verify identity or authorize a transaction. Legally, OTPs function like an access credential (an “access code” or “password”), even if time-limited.

“Selling OTP codes”

This can happen in different ways:

  • Direct capture then sale: seller obtains OTP from a victim (social engineering/phishing) and sells it immediately to a buyer who uses it.
  • Brokerage: seller recruits “OTP suppliers” or “money mules,” buys codes, resells to scammers.
  • Facilitation: seller provides instructions, scripts, tools, accounts, SIMs, or infrastructure, then receives payment per successful OTP.

SIM-related fraud

Includes conduct like:

  • selling or providing SIMs registered under someone else’s identity,
  • arranging false SIM registration,
  • enabling SIM swaps (taking over a victim number),
  • acquiring SIM registration data illicitly,
  • trafficking “pre-registered” SIMs or identities for registration,
  • coordinating with insiders to activate, replace, or port numbers unlawfully.

3) The Philippine legal framework that commonly applies

A) Revised Penal Code (RPC) – core “traditional” crimes

Even if the fraud is “digital,” prosecutors often anchor the case in classic RPC offenses:

  • Estafa (Swindling) (typically Article 315): fraud/deceit causing damage; common for unauthorized transfers, fake customer support scams, OTP harvesting scams resulting in loss.
  • Theft (Article 308) / Qualified theft (Article 310): taking without violence/intimidation; can apply to misappropriation of funds or property facilitated by unauthorized access (fact-dependent).
  • Falsification (Articles 171–172) and Use of falsified documents: fake IDs, forged affidavits, fabricated registration documents, falsified KYC submissions.
  • Unjust vexation / threats / coercion / grave threats (fact-dependent): if the scheme involves intimidation to obtain OTP or SIM cooperation.
  • Conspiracy, accomplice, accessory liability (general principles): crucial for OTP “sellers” who claim they did not personally withdraw money.

B) Cybercrime Prevention Act (RA 10175)

RA 10175 is often the most powerful fit for OTP/SIM-fraud cases because it covers:

  • Computer-related fraud (obtaining economic benefit through computer/data manipulation or interference; exact framing depends on facts)
  • Computer-related identity theft (unauthorized acquisition/use/misuse of identifying information)
  • Computer-related forgery (input/alteration/deletion of data resulting in inauthentic data with intent it be considered authentic)
  • Illegal access (hacking/unauthorized access to systems/accounts)
  • Illegal interception (intercepting non-public transmissions, if applicable to OTP capture methods)
  • Misuse of devices (critical for OTP-selling): dealing in devices, computer programs, passwords, access codes, or similar data for the purpose of committing cybercrime
  • Aiding or abetting cybercrime and attempt (RA 10175 expressly recognizes liability even when the actor is not the primary account-drainer)

Penalty rule: when an RPC offense is committed through and with the use of ICT, RA 10175 generally pushes penalties one degree higher than the RPC counterpart (a major charging consequence).

C) Data Privacy Act (RA 10173)

OTP schemes almost always involve personal data:

  • mobile numbers, names, emails, bank/e-wallet identifiers,
  • device identifiers,
  • communications content and metadata,
  • IDs used for SIM registration or KYC.

Potential DPA exposures include:

  • Unauthorized processing of personal information
  • Access due to negligence (common for insiders or negligent custodians, fact-dependent)
  • Unauthorized access or intentional breach (especially where data is extracted/sold)
  • Malicious disclosure (selling SIM registration details, KYC records, OTP-linked identifiers)

DPA cases can be filed alongside cybercrime and RPC offenses, especially when an OTP seller is part of a data-trafficking chain.

D) E-Commerce Act (RA 8792) + Rules on Electronic Evidence

RA 8792 supports the legal recognition of electronic data messages and electronic documents, often relevant to:

  • proving “consent” claims,
  • authenticity of electronic logs,
  • digital signatures (if any),
  • admissibility frameworks together with the Rules on Electronic Evidence.

E) SIM Registration Act (RA 11934)

RA 11934 directly targets the SIM ecosystem that fraud relies on. While precise applicability depends on the implementing rules and the exact conduct, the law generally criminalizes or penalizes behavior such as:

  • False SIM registration or registration using fictitious identities/forged documents
  • Selling/trading SIMs in ways that defeat registration requirements or verification
  • Using another person’s identity for SIM registration
  • Unauthorized transfer/trafficking of registered SIMs and identity details (as framed by law/IRR)
  • Aiding schemes that use improperly registered SIMs for criminal activity

Even when a seller never touches a bank account, providing the registered SIM “material” can be treated as part of the fraud enterprise.

F) Anti-Wiretapping Act (RA 4200) (sometimes implicated)

If the OTP is obtained through interception/recording of private communications (rather than simple deception), RA 4200 risks arise. Whether it applies to a particular OTP capture method is fact-sensitive (and courts examine what constitutes interception and the nature of the communication).

4) How criminal liability attaches to an OTP seller or SIM facilitator

A) Principal liability: not just “the one who took the money”

Under Philippine criminal law, a person can be a principal even if they did not personally withdraw or receive the stolen funds, if they:

  • directly participated in executing the crime,
  • directly forced/induced another to do it, or
  • cooperated by indispensable acts without which the crime would not be accomplished.

OTP sellers are particularly exposed under the “indispensable cooperation” logic when the OTP is the gatekeeper to a transfer or account takeover. If the prosecution proves the seller knew the OTP would be used for unauthorized access/transfer, the OTP can be framed as an indispensable access credential.

B) Conspiracy: the shortcut that makes everyone liable for the whole result

If there is proof of agreement (explicit or inferred from coordinated acts) and community of design, the OTP seller can be treated as a conspirator—liable as a principal for the resulting fraud, not merely for selling a “code.”

Evidence used to infer conspiracy often includes:

  • repeated transactions with known scammers,
  • standard pricing per OTP,
  • “job orders” or scripts,
  • coordinated timing (OTP requested, sold, used within minutes),
  • sharing of victim data sets,
  • profit-sharing or commissions,
  • operational security measures (burner SIMs, layered accounts).

C) Accomplice liability: “helping” with knowledge

Even without full conspiracy, an OTP seller may be an accomplice when they:

  • cooperated in the execution by previous or simultaneous acts, and
  • knew the buyer’s criminal purpose.

Examples:

  • sending OTPs to a buyer while saying “pang-drain” / “pang-reset” / “pang-bypass,”
  • providing “SIM pang-SIM swap” together with identity files,
  • teaching how to defeat OTP controls.

D) Accessory liability: after-the-fact assistance

If a person helps after the crime (e.g., concealing proceeds, helping perpetrators evade capture, destroying devices), accessory liability may attach, subject to the RPC’s rules and the facts.

E) RA 10175’s explicit “aiding or abetting”

RA 10175 strengthens prosecution of enablers: selling OTPs, access codes, SIMs, or tools can fit as aiding/abetting, and in some configurations as misuse of devices, even if the seller claims they “didn’t hack anything.”

5) Key charge theories prosecutors use (and why)

1) Estafa (RPC) + “through ICT” enhancement (RA 10175)

Typical narrative: victim was deceived into giving OTP or into believing a transaction was legitimate; loss resulted; accused participated by obtaining/selling OTP or enabling SIM takeover.

Why this is used:

  • easy to understand for courts,
  • fits “deceit + damage,”
  • RA 10175 can elevate penalty when committed via ICT.

2) Computer-related identity theft (RA 10175)

When the scheme involves unauthorized acquisition or misuse of identity data (name, number, account identifiers, SIM registration data) to impersonate and take control.

3) Illegal access / account takeover (RA 10175)

If OTP was used to log in or reset credentials without authority, the buyer (and potentially the seller as participant) can face illegal access-related theories.

4) Misuse of devices (RA 10175) — the “OTP seller” bullseye

This is often the most direct fit where the “commodity” is an access credential:

  • OTPs, passwords, access codes,
  • tools/scripts/programs for phishing,
  • credential stuffing lists,
  • SIM swap toolkits or insider portals (where applicable).

If the prosecution shows the OTP/access data is being distributed for committing cybercrime, liability can attach even without proving the seller executed the final transfer.

5) Forgery/falsification (RPC and/or RA 10175 computer-related forgery)

If SIM registration or KYC used:

  • fake IDs,
  • altered images,
  • forged documents,
  • fabricated personal data entries.

6) SIM Registration Act violations (RA 11934)

For trafficking or enabling false registration and circumvention of SIM controls—often charged alongside cybercrime and estafa.

7) Data Privacy Act (RA 10173)

If the OTP seller/facilitator handles:

  • stolen KYC sets,
  • SIM registration data,
  • “leads” with personal identifiers,
  • screenshots of OTP messages containing personal data,
  • databases of victims.

6) “I only sold the OTP” defenses—and what usually matters legally

A) Lack of knowledge / intent

A seller may argue they didn’t know the OTP would be used for fraud. In practice, this turns on evidence like:

  • chat content (“pang login,” “pang reset,” “pang bypass,” “pang cashout”),
  • patterns (high volume, repeat buyers),
  • pricing (fraud-market pricing vs legitimate),
  • timing (OTP sold immediately after solicitation),
  • use of burner SIMs / anonymization,
  • prior warnings, prior arrests, or prior similar transactions.

Criminal liability often pivots on mens rea: intent, knowledge, or reckless disregard.

B) Claim of authorization (testing, “work,” customer support)

This defense collapses if:

  • there is no written authorization,
  • the “victim” never consented,
  • logs show unauthorized resets/transfers,
  • the supposed “client” is itself a scam operation.

Where a legitimate security-testing context exists, the absence of clear written scope and consent is usually fatal.

C) “No loss happened” (attempt liability)

Even if the transfer fails, attempt or aiding/abetting under RA 10175 may still apply; solicitation plus partial execution steps can be enough.

D) Entrapment vs instigation

In sting operations, accused sometimes claim they were framed. Courts distinguish entrapment (allowed) from instigation (can be a defense). The exact boundary depends on who originated the criminal intent and how the operation was conducted—highly fact-specific.

7) Evidence and procedure: what wins or loses these cases

A) Digital evidence is the case

Common exhibits:

  • chat logs (Messenger/Telegram/Viber/SMS),
  • screenshots (risk: authenticity challenges),
  • device extractions and forensic images,
  • transaction logs from banks/e-wallets,
  • telco SIM registration records and activation/replace logs,
  • cell-site/location data (where lawfully obtained),
  • IP logs and device fingerprints (where available),
  • CCTV and cashout trail (ATMs, remittance centers, agents).

B) Admissibility and authenticity

Philippine courts require careful handling of electronic evidence:

  • proof of integrity and authenticity,
  • proper identification of authorship/sender,
  • chain of custody for seized devices,
  • lawful seizure and search (warrants and scope),
  • correlation of digital artifacts to the accused.

C) Jurisdiction and venue

Cybercrime cases are often filed in designated cybercrime courts (RTC branches), and venue can be based on where elements occurred or where systems/devices are located, depending on the offense and procedural rules.

8) Typical fact patterns and how liability attaches

Pattern 1: “OTP runner”

A person calls victims pretending to be bank/e-wallet support, gets OTP, then sells it to a “drainer.”

  • Likely exposure: estafa (principal), RA 10175 aiding/abetting, misuse of devices; identity theft; DPA if personal data handled.

Pattern 2: “SIM farm / pre-registered SIM seller”

A person sells SIMs already registered under other identities or with falsified documents.

  • Likely exposure: RA 11934 violations; falsification; RA 10175 if linked to cybercrime; DPA if personal data used/sold; estafa if part of overall fraud.

Pattern 3: SIM swap facilitator (with insider link)

A facilitator coordinates with an insider or uses fake documents to replace a victim’s SIM, then resets banking credentials.

  • Likely exposure: RA 10175 illegal access / identity theft / fraud; RA 11934; falsification; estafa (enhanced); possibly DPA.

Pattern 4: Data broker of KYC/SIM registration info

A person sells lists containing names, numbers, IDs, and account identifiers used to target victims and defeat verification steps.

  • Likely exposure: DPA (unauthorized processing/disclosure); RA 10175 identity theft / aiding; estafa conspiracy where connected.

9) Penalty landscape (high-level, without pretending every case is identical)

Penalties depend heavily on:

  • the exact charge(s),
  • the role (principal vs accomplice vs accessory),
  • amount of damage,
  • presence of falsification,
  • whether charged under RA 10175 (often increases severity),
  • number of victims/counts (each transaction can be a separate count),
  • aggravating circumstances (e.g., abuse of confidence, use of fraud with sophistication—fact-dependent).

A single OTP-selling operation can trigger multiple counts (one per victim, per unauthorized transfer, per false registration act, per data set sold), which multiplies exposure.

10) Corporate/insider angles (telcos, agents, employees)

While companies are not jailed like natural persons, individuals inside organizations can face liability when they:

  • improperly access SIM registration databases,
  • disclose personal data,
  • facilitate unauthorized SIM replacement,
  • bypass verification protocols for payment,
  • participate in cashout or laundering steps.

The Data Privacy Act is particularly relevant where employees misuse access to personal data, and RA 10175 can apply if the acts facilitate cybercrime.

11) Practical legal takeaways (Philippine context)

  1. An OTP is not “just a number.” Treated as an access credential; trading it for criminal purposes can fit misuse of devices, aiding/abetting, and participation in fraud/estafa.
  2. Facilitators are prosecutable even without touching stolen funds. Conspiracy, indispensable cooperation, and RA 10175 aiding/abetting are designed for this.
  3. SIM-related fraud is no longer a regulatory gray zone. RA 11934 provides direct hooks for false registration and SIM trafficking behavior tied to fraud.
  4. Data is often the “second crime.” Handling/selling personal data used to execute OTP/SIM fraud can trigger separate Data Privacy Act exposure.
  5. Evidence quality decides outcomes. Authentication, lawful acquisition of digital evidence, and a clean chain of custody are decisive.

12) Bottom line

In the Philippines, selling OTP codes and facilitating SIM-related fraud is not treated as a harmless side hustle or mere “assistance.” Depending on proof of knowledge and coordination, it can support prosecution as principal, conspirator, accomplice, or aider/abettor under a combination of RPC fraud/falsification offenses, RA 10175 cybercrime offenses (including misuse of devices and aiding/abetting), RA 11934 SIM registration-related violations, and RA 10173 data privacy crimes—often with compounded penalties across multiple victims and transactions.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login