The Valorant OTP Bot Scam: Fake Riot Security Calls That Steal Accounts Mid-Trade

You agree on a price. The buyer sends payment, the screenshot checks out, and you start the email handoff. Two minutes in, your phone rings. An automated voice says it's Riot security, it has flagged "suspicious sign-in activity," and it needs the six-digit code that just landed in your inbox to lock the account down. You read it out. By the time the buyer tries to log in, the account is already gone, and so is your money.

That call was not Riot. It was an OTP bot, and over the past few weeks the Valorant OTP bot scam has become one of the cleaner ways to lose an account in the middle of a trade.

What is the Valorant OTP bot scam?

An OTP bot is an automated calling or texting system that exists for one job: getting you to read out a one-time passcode. These bots are sold as a service on Telegram. The scammer picks a script (a bank, a social platform, a game publisher), and the bot does the talking. The Valorant OTP bot scam points that machine at Riot accounts.

Here is why traders are the target. Riot ties multi-factor authentication to a six-digit code sent to your email or your Riot Mobile app. Since Patch 12.10, Riot Mobile MFA has been required for ranked play in NA and EU, so almost every account worth selling now sits behind a code gate. The scammer cannot get past that gate on their own, so they get you to open it for them.

One thing worth saying plainly, because most guides bury it: selling or buying a Valorant account already breaks Riot's Terms of Service. Accounts are non-transferable, and if Riot flags the handoff, both sides can eat a permanent ban. The OTP bot does not change that risk. It adds a second, faster way to lose the account on top of it.

How does the Valorant OTP bot scam work?

The scam usually rides on top of a trade you are already in, which is what makes it land.

  1. The scammer has your account email, either because you shared it early in the handoff or because they phished it first.

  2. They trigger a real Riot login from their own device. Riot does exactly what it is supposed to and sends you a genuine six-digit code.

  3. Seconds later, the bot calls or messages you, posing as Riot security. The timing is the trick. A real code and an urgent "verify it's you" call arriving together feels legitimate.

  4. The script pressures you: there is suspicious activity, your account is about to be locked, read the code to confirm ownership. You read it. They are now in.

  5. Once inside, they change the recovery email and password. The account you were mid-sale on, or just bought, is theirs.

The reason this works on careful people is that nothing about it looks like classic phishing. There is no sketchy URL to spot. The code is real, the urgency feels real, and the only weak point in the chain is you saying six numbers out loud.

What are the red flags during a Valorant account trade?

  • A code arrives that you did not request. Riot only sends an MFA code when someone is actively trying to log in. If you are not that someone, someone else is.

  • Any call, DM, or "verification bot" asking you to read, type, or forward the code. Riot does not call you for it, ever.

  • Pressure and a countdown. "Your account will be locked in 5 minutes" is the whole point of the script. Real security holds do not run on a stopwatch.

  • A buyer or seller who pushes to start the email transfer before payment fully clears, and then a Riot "security check" appears at that exact moment.

  • A "Riot staff" account in Discord or on a marketplace offering to verify the trade for you. Riot does not middleman private account sales.
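
The first three red flags above can be checked mechanically against a timeline of what happened on your side. This is an added example, not code from ValoGuide or Riot: the event kinds, the 120-second window and the phrase patterns are assumptions, and both timelines are constructed.

```python
import re
from dataclasses import dataclass

WINDOW = 120  # seconds; assumed correlation window, not a Riot value

# Phrases modelled on the red flags above: asking for the code, and a countdown.
ASKS_FOR_CODE = re.compile(r"\b(read|type|forward|confirm|give|tell)\b.*\bcode\b", re.I)
COUNTDOWN = re.compile(r"\b(locked|suspended)\b.*\b\d+\s*(minutes?|mins?|seconds?)\b", re.I)

@dataclass
class Event:
    t: int          # seconds since the start of the timeline
    kind: str       # "my_login", "otp_received" or "inbound_contact"
    text: str = ""  # message or call transcript, for inbound_contact only

def red_flags(events):
    """Return (time, flag) pairs for one account holder's event timeline."""
    flags = []
    my_logins = [e.t for e in events if e.kind == "my_login"]
    unrequested = []  # arrival times of codes nobody on our side asked for
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "otp_received":
            # A code is expected only if we started a sign-in just before it.
            if not any(0 <= e.t - t <= WINDOW for t in my_logins):
                unrequested.append(e.t)
                flags.append((e.t, "unrequested_code"))
        elif e.kind == "inbound_contact":
            if any(0 <= e.t - t <= WINDOW for t in unrequested):
                flags.append((e.t, "contact_right_after_unrequested_code"))
            if ASKS_FOR_CODE.search(e.text):
                flags.append((e.t, "asks_for_code"))
            if COUNTDOWN.search(e.text):
                flags.append((e.t, "countdown_pressure"))
    return flags

# Constructed timelines (not real logs).
SCAM = [
    Event(0, "otp_received"),
    Event(20, "inbound_contact",
          "This is Riot security. Your account will be locked in 5 minutes. "
          "Please read the six-digit code to confirm ownership."),
]
NORMAL = [Event(0, "my_login"), Event(4, "otp_received")]

if __name__ == "__main__":
    for name, timeline in (("scam", SCAM), ("normal", NORMAL)):
        print(name, red_flags(timeline))
```

The phrase patterns are a rough heuristic and will miss reworded scripts; the unrequested-code check is the one that does not depend on what the caller says.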

How do you protect your Riot account from OTP bots?

If you take nothing else from this, take the first line: a one-time code is for you to enter on Riot's own site or app, never to say out loud to anyone. Beyond that:

  1. Move MFA off email and onto the Riot Mobile app or an authenticator like Google Authenticator. App-based codes are much harder for a bot to social-engineer than an inbox you might have already shared with a buyer.

  2. Treat any incoming code as a break-in alarm. If one shows up and you were not logging in, change your Riot password right away from a device you trust, then check your account email for recovery changes you did not make.

  3. Lock the email itself. Most account takeovers go through the inbox, not the game. Put separate MFA on your email provider so a stolen Riot code cannot cascade into everything else.

  4. If you are trading anyway despite the ban risk, never expose the account email until payment has fully settled, and use a marketplace that holds funds in escrow rather than a Discord handshake. Escrow on sites like G2G or Eldorado covers non-delivery, but be clear-eyed about the limits: it does not protect you from a later account recovery, and seller fees run roughly 7 to 10 percent.

  5. If you have already read a code to someone, do not wait. Reset your Riot password and your email password now, and contact Riot support before the recovery window closes. Speed is the only thing left on your side at that point.

The Valorant OTP bot scam is not clever, it is just well-timed. Riot's own system hands you the alarm: a six-digit code you never asked for. The whole scam depends on you ignoring it. So do the opposite. An unexpected code is not an annoyance to clear away, it is your signal to stop the trade and lock everything down.

ValoGuide Editorial

Published: June 2, 2026

Last Updated: June 2, 2026
