It starts with a buzz. Then another. Then your phone won't stop.

Within minutes, you have 150, 200, sometimes 400 unread messages. Every single one is a One-Time Password. Zomato. HDFC Bank. Flipkart. Uber. Apps you've never even opened. Your screen is a wall of six-digit codes you never asked for, and your phone is too busy vibrating to do anything else.

This is OTP bombing — and if you've been targeted, the first thing to understand is that nobody hacked you. Not yet, anyway.

What OTP bombing actually is

OTP bombing (also called SMS bombing or SMS flooding) doesn't involve stealing your password or breaking into your phone. It's simpler and, in a way, more insulting than that.

Attackers use automated scripts that scrape the "Send OTP" button on hundreds of legitimate websites and apps. Every time that script fires, a real company's server sends a real OTP — to your number. Do this across 300 different signup and login pages at once, and your phone turns into a warzone of verification codes.

The companies don't know they're being used. You're the only one paying the price — in battery, in sanity, and sometimes, in missed fraud alerts.

Who's actually doing this

There isn't one type of attacker. Digitally Unsafe has tracked at least three distinct profiles behind India's OTP bombing cases.

The harasser you already know. This is the most common motive by far. An ex-partner, a spurned admirer, a disgruntled former employee, or a feuding neighbour uses a free bombing tool — some are literally sold as "pranks" on shady websites — to make someone's phone unusable out of spite. No technical skill required. Just a phone number and five minutes.

The smokescreen operator. This is the one that should actually worry you. A cybercriminal who has already phished your net banking password launches an OTP flood at the exact moment they try to log in and drain your account. The goal isn't to annoy you — it's to bury the one real fraud alert from your bank inside 300 fake ones, so you dismiss it without reading it. Security researchers call this MFA fatigue, and it's becoming a favoured tactic for account takeover fraud in India.

The commercial disruptor. Less common, but real. Businesses have used bombing scripts against competitors, triggering thousands of OTP messages to inflate the competitor's SMS gateway bill, which can run to lakhs of rupees a day when done at scale.

The technical hole that makes this possible

None of this works because Indian companies have weak security in the conventional sense. It works because of one specific, boring failure: missing rate limits.

When you build a "Send OTP" feature, the correct design limits how many times a single phone number can trigger that button — say, three requests every fifteen minutes. Add a CAPTCHA. Require a session token so a script can't fire requests directly at the backend.

Security researchers have repeatedly found dozens of Indian APIs — from banks, e-commerce platforms, and telecom services — missing exactly these protections. Attackers don't need to hack anything. They just need a list of unprotected endpoints, which circulate freely on GitHub and Telegram.

Is it actually illegal?

Yes — unambiguously. There's a persistent myth that because attackers are only abusing public APIs rather than "hacking" anything, this exists in some legal grey zone. It doesn't.

Under the Information Technology Act, 2000, this falls under Section 43 (unauthorised access and disruption of a computer resource — your phone counts) and Section 66 where the act is done with fraudulent or dishonest intent. Where the flood is used to harass a specific person, police also invoke the Bharatiya Nyaya Sanhita's public nuisance provision — Section 270, which replaced the old IPC Section 268 when India's new criminal codes came into force on July 1, 2024.

None of the "disclaimers" on bombing tool websites protect the person who uses them. Courts have treated intent to harass or defraud as the deciding factor, not the method.

What to do if it happens to you

Don't switch off your phone. It feels tempting, but it also means you'll miss a genuine fraud alert if this is a smokescreen attack, not just harassment.

Check your bank and email accounts immediately, from a separate device if possible. Look for login attempts or transactions you didn't make. This is the single most important step, and the one most victims skip because they're too busy trying to make the buzzing stop.

Call your telecom operator's fraud or customer care line. Airtel, Jio, and Vi can apply temporary SMS filtering on your number while you sort things out.

File a complaint at cybercrime.gov.in, or call the national cybercrime helpline at 1930. Even if the flood has already stopped, a formal complaint creates a paper trail — useful if this turns out to be the opening move in a larger fraud, or if you later need to report a specific unauthorised transaction.

If you can identify the harasser — a specific number, a threatening message before the flood started — include that in your complaint. Local cyber cells have successfully traced bombing campaigns back to individuals through IP logs and payment trails on paid bombing services.

The uncomfortable part

The real story here isn't the prankster with a Telegram bot. It's that hundreds of Indian companies — banks and fintechs among them — are still running OTP systems with no rate limiting in 2026, years after this vulnerability was first flagged publicly.

Every unread OTP flooding your phone is a small, physical reminder that the company sending it never bothered to ask: what happens if someone sends this button one thousand times a second?

You're the one who finds out.

When it's traceable:

If the attacker used a paid bombing service rather than a free script, there's a payment trail — UPI, card, or increasingly crypto (USDT is now common precisely because it's harder to trace). Police can also pull IP logs from the script itself, since these tools typically run from a browser or local machine and log the requesting device's IP when they hit each company's OTP endpoint. If your cyber cell escalates this properly, they can request those logs from the affected companies and the ISP.

If it's someone you already suspect — an ex, a neighbour, a former colleague — investigators often don't even need to trace an anonymous script. They just need to establish motive and access, which is a much shorter chain than tracing internet infrastructure from scratch.

When it's genuinely hard:

Free, anonymous bombing tools hosted overseas are a different story. Many operate through offshore hosting, VPNs, and virtual numbers specifically to avoid this kind of tracing. Digitally Unsafe has seen recent cases — mostly unrelated to OTP bombing but using the same anonymization playbook — where investigators had to go through Interpol, crypto exchanges, and multiple layers of resold accounts just to identify one person behind an anonymous campaign. That's weeks or months of work, not something your local cyber cell resolves overnight.

What actually moves the needle for an individual victim:

The honest answer: individual harassers using known bombing tools get traced more often than people assume, especially when the victim can name a suspect. Anonymous, monetized bombing services run by strangers are a much longer, harder chase — and not always one that ends in an arrest.