A Closer Look at PlugValley: Threat Actor Profile

By Alexis Ober | May 5, 2025 | Updated: May 5, 2025 | 7 Mins Read

Fortra threat intelligence analysts are tracking AI vishing-as-a-service offerings by the threat actor group PlugValley that include spoofing capabilities, custom prompts, adaptable agents, and more. AI is widely suspected across the cyber community to be the catalyst in vishing’s ballooning volume, providing criminals with the tools and, most importantly, the human touch needed to target victims with believable campaigns. With PlugValley’s AI bot, bad actors can purchase a subscription that will create a customized script, execute the call with a voice of their choosing, and complete the task they have instructed, whether it be collecting banking information, a one-time passcode, or more. This is the first time Fortra has documented a full vishing-as-a-service operation leveraging AI specifically to craft vishing attacks.

Threat Background & History

PlugValley’s original vishing offering, which they refer to as an “OTP bot” or One-Time Password Bot, has been accessible through the messaging platform Telegram since October 2023. In August 2024, PlugValley began offering an AI-powered iteration of their original service to further assist customers in vishing and OTP collection efforts. In February 2025, PlugValley released an Escrow Bot to keep transactions between their consumers safe. The group hosts a main Telegram channel, a community page, and an individual Telegram channel for each of the bots offered.

PlugValley Logo and list of product Telegram Channels

Service Breakdown

PlugValley has primarily used Telegram to advertise its bots. Their main Telegram channel has over 7,100 subscribers. The channel is managed by their self-described CEO and one moderator. Across their various bots, they have offered features including:

  • 24/7 and international support
  • Automated Payment Systems
  • Live Custom Panels
  • Multilingual Pre-made settings
  • Customizable Caller-ID/Spoofing
  • Custom Customer Service Scripts
  • Real-Time Call Transcripts sent to Telegram
  • Customizable AI Agents
  • Real-Time Call Adaptation

The group has a website, otpvalley.su, where they officially sell their original vishing service. Free registration through Telegram is required before the consumer can gain access to the website. Once a threat actor has registered on Telegram, the group provides a unique account number for signing in to the website. Alongside the website, PlugValley offers a server status page, status.plugvalley.pro, so that users can see at any time whether the bots are fully operational.

PlugValley’s vishing services are sold as daily, weekly, and monthly subscriptions, which are only payable with cryptocurrency. The group offers an affiliate program where users can earn up to a five percent commission for bringing in new users by sharing a unique link.

Server Status Page for PlugValley Bots

OTP Bot

PlugValley’s automated vishing bot is a call service that follows pre-made or custom scripts. The group markets their automated vishing bot as a hybrid between a traditional One-Time Password bot and 3CX, a phone system software that offers a variety of call center features. An OTP bot reads scripts with an automated voice to convince victims to provide sensitive information over the phone. The threat actor can then utilize the collected information to access the victim’s bank, cloud service, or even social media accounts.

PlugValley’s Website Home Page

PlugValley provides an extensive user manual that details the numerous features and ready-made settings for crafting vishing campaigns. The vishing bot includes pre-made settings that can be tailored to target banks, emails, crypto accounts, social media, and cloud-sharing platforms. Features include options to send legitimate-looking text messages before or after the call, settings to hang up at voicemail, and keypad data entry settings. Additionally, available Interactive Voice Response (IVR) options can be used to customize phone tree scripts for frequently asked questions or further target specific victims. Other options include beginning a script after victim initiation or bypassing a script to perform a specific action immediately. The manual includes additional details on creating custom scripts, navigating their call interface, creating a call, and how their subscription and affiliate programs work.

Custom Action panel from PlugValley’s User Manual

PlugValley’s website offers numerous bundle options for daily, weekly, and monthly subscriptions. These bundles include the general license to use their bot and a mixture of phone number spoofing, international availability, streaming, and extended call times. Streaming is advertised by the group to allow the threat actor to listen to the call in real-time, whereas without this feature, the threat actor can only see a dictation of what is happening on the call. The most accessible bundle available starts at the weekly price of $164.99, and the most sophisticated bundle starts at $429.99.

Screenshot of the Bundles PlugValley Offers

AI Bot

In August 2024, PlugValley introduced an AI-powered iteration of their automated vishing service. The new iteration, referred to as an AI bot by the group, acts as a call center representative for easier credential collection by producing a dynamically evolving script and more human-like sound.

The AI bot includes over 20 pre-made agents that can handle common tasks like general information collection and real-time call adaptation to ensure the conversation feels natural. PlugValley states that their AI-powered vishing bots have human-like voices, emotive tones, and low latency to ensure their service sets them apart. Additional features include call center background noise and phone number spoofing. The user manual offers further instructions on creating a call, creating a custom AI agent, and receiving live transcripts that allow the threat actor to follow along while the call is taking place.

Screenshot of Live Transcript Feature from AI Bot Marketing Video

Threat actors can change settings through the service’s automated Telegram bot. Selectable options include the AI agent’s persona, voice, language, and call settings. These features are fully customizable, including the script that the AI agent will say at the beginning of the call. PlugValley offers a companion manual on how to create clear and maintainable prompts for their AI-powered vishing bot. This manual includes an example of how to craft an identity, style, task processes, and response guidelines for the threat actor’s AI agent. They offer solutions on how to ensure numbers do not sound unnatural when spoken by the AI agent and how to introduce ‘thinking phrases’ to provide natural pauses and hesitations.

Example of Call Summary through Telegram from AI-Powered Vishing Service

The AI-powered iteration of PlugValley’s vishing bot can only be purchased using cryptocurrency through Telegram. Subscriptions to the AI bot can be purchased on a daily ($74.98), weekly ($399.98), and monthly ($1,999.98) basis. Currently, the group only advertises this service as being limited to the first 50 users to sign up.

Escrow Bot

PlugValley began offering an escrow bot in February 2025. This bot was introduced to allow PlugValley to act as a safe and reliable third party between two customers involved in a transaction. Threat actors deposit cryptocurrency for the PlugValley escrow bot to hold until the transaction is completed. The Escrow bot releases the funds “when both parties are satisfied” to mitigate instances of scams between threat actors.

Screenshot from Escrow Bot Marketing Video

The Escrow bot was set up and marketed as a replacement for another bot named ‘CoinEscrowBOT’ run by a group called BigFat. This group was banned from Telegram in early 2025. Shortly after, the main developer took the remaining money held within their Escrow bot and went dark after failing to recover from the ban. PlugValley crafted a post about this ‘exit scam’ to reflect their determination to provide transparency and trust within their community.

PlugValley claims to offer multiple backups, including servers and wallets, so that no single point of failure can interfere with the escrow bot. PlugValley alleges that they will ensure automatic refunds if their servers fail for more than 12 hours. For acting as the third party during the transaction, they take a 5 percent fee if the amount is under $100 or a set fee of $5 for transactions over $100.

Looking Ahead

PlugValley represents an evolution in the cybercriminal underground, leveraging AI to enhance the effectiveness and scalability of vishing attacks. By offering vishing-as-a-service with advanced AI capabilities, including customizable agents, real-time adaptation, and spoofing, PlugValley has lowered the barrier to entry for cybercriminals and expanded the threat landscape for individuals and organizations alike.

As AI-driven social engineering attacks become more sophisticated, organizations must prioritize proactive defenses, including employee awareness training, enhanced fraud detection, and real-time threat intelligence monitoring. PlugValley’s operations serve as a stark reminder that the intersection of AI and cybercrime is rapidly evolving, demanding continuous vigilance and adaptive security strategies.

Alexis Ober

Alexis Ober is a threat intelligence analyst at global cybersecurity software and services provider Fortra, bringing extensive experience in fraud investigations and research analysis. She has a strong background in identifying fraud, waste, and abuse within the healthcare sector, having worked in both government and private organizations.
